PGWire OIDC integration

glasstiger · glasstiger · commit 8d3c6dc68aa4 · 2025-10-28T15:32:02.000Z
diff --git a/documentation/configuration-utils/_oidc.config.json b/documentation/configuration-utils/_oidc.config.json
@@ -90,5 +90,9 @@
   "acl.oidc.cache.ttl": {
     "default": 30000,
     "description": "User info cache entry TTL (time to live) in milliseconds, default value is 30 seconds. For improved performance QuestDB caches user info responses for each valid access token, this settings drives how often the access token should be validated and the user info updated."
+  },
+  "acl.oidc.pg.token.as.password.enabled": {
+    "default": "false",
+    "description": "When enabled, the PGWire endpoint supports OIDC authentication. The OAuth2 token should be sent in the password field, while the username field should contain the string `_sso`, or left empty if that is an option."
   }
 }
diff --git a/documentation/operations/openid-connect-oidc-integration.mdx b/documentation/operations/openid-connect-oidc-integration.mdx
@@ -576,6 +576,30 @@ with Sender.from_conf(conf) as sender:
     sender.dataframe(df, table_name="foo", at="ts")
 ```
 
+## OIDC for the PGWire endpoint
+
+If ROPC is not an option, we can still authenticate via OIDC on the PGWire endpoint.
+However, in this case the client's responsibility to source the token required for authentication.
+This method works wherever a Postgres client library is available, including jupyter notebooks.
+
+Token authentication for the PGWire endpoint should be enabled by adding the `acl.oidc.pg.token.as.password.enabled=true` setting to the server configuration.
+
+The token should be sent in the password field, while the username field should contain the string `_sso`, or left empty if that is an option:
+
+```python
+import psycopg as pg
+
+token = "token_requested_from_the_oauth2_provider"
+
+conn_str = f"user=_sso password={token} host=localhost port=8812 dbname=qdb"
+with pg.connect(conn_str, autocommit=True) as connection:
+    with connection.cursor() as cur:
+        cur.execute('select current_user()')
+        records = cur.fetchall()
+        for row in records:
+            print(row)
+```
+
 ## User permissions
 
 QuestDB requires additional user information to be able to construct the user's

Original file line number	Diff line number	Diff line change
`@@ -90,5 +90,9 @@`
`90`	`90`	`"acl.oidc.cache.ttl": {`
`91`	`91`	`"default": 30000,`
`92`	`92`	`"description": "User info cache entry TTL (time to live) in milliseconds, default value is 30 seconds. For improved performance QuestDB caches user info responses for each valid access token, this settings drives how often the access token should be validated and the user info updated."`
	`93`	`+ },`
	`94`	`+ "acl.oidc.pg.token.as.password.enabled": {`
	`95`	`+ "default": "false",`
	`96`	+ "description": "When enabled, the PGWire endpoint supports OIDC authentication. The OAuth2 token should be sent in the password field, while the username field should contain the string `_sso`, or left empty if that is an option."
`93`	`97`	`}`
`94`	`98`	`}`