Olav Grønås Gjerde

profile image
Full stack system architect with passion for Unix, Java, Python and databases.
Twitter @olavgg
9 months ago

How to Configure pgAdmin 4 with OAuth2 and Keycloak

I have earlier mentioned how to install pgAdmin on Linux and FreeBSD. Now we will enable OAuth2 authentication for Single Sign on support. Keycloak is a fantastic open source product for managing users. It is open source and there is plenty of great documentation and youtube videos about it.

This is not a tutorial about KeyCloak

Anyway we need to configure Keycloak. I assume you have already created a realm with users. If not read and do that first.

I am not going to cover the GUI, as GUI's change and layouts change. It only adds more confusing as this tutorial ages. We will use the REST Api instead.

First login with your keycloak admin user

bin/kcadm.sh config credentials --server http://mykeycloak:8080 --realm master --user admin --password secret

Generate a client secret

export CLIENT_SECRET=`tr -dc A-Za-z0-9 </dev/urandom | head -c 24 ; echo ''`

Create the client

bin/kcadm.sh create clients -r my-realm-name  -f - << EOF
        {
          "clientId": "pgadmin",
          "baseUrl": "/",
          "surrogateAuthRequired": false,
          "enabled": true,
          "alwaysDisplayInConsole": false,
          "clientAuthenticatorType": "client-secret",
          "secret": "${CLIENT_SECRET}",
          "redirectUris": [
            "https://my_pgadmin_server/oauth2/authorize"
          ],
          "webOrigins": ["+"],
          "bearerOnly": false,
          "consentRequired": false,
          "standardFlowEnabled": true,
          "implicitFlowEnabled": false,
          "directAccessGrantsEnabled": false,
          "serviceAccountsEnabled": true,
          "publicClient": false,
          "frontchannelLogout": false,
          "protocol": "openid-connect",
          "defaultClientScopes": ["web-origins","role_list","roles","profile","email"],
          "optionalClientScopes": ["address","phone","offline_access","microprofile-jwt"],
          "name" : "pgAdmin Client"
        }
      EOF

That's basically all you need todo with Keycloak.

Next step is configuring pgAdmin, edit following file /var/lib/pgadmin/.local/lib/python3.9/site-packages/pgadmin4/config_local.py Note: your install location of pgadmin may vary

SERVER_MODE = True
MASTER_PASSWORD_REQUIRED = True
AUTHENTICATION_SOURCES = ['oauth2', 'internal']
OAUTH2_AUTO_CREATE_USER = True
OAUTH2_CONFIG = [{
    'OAUTH2_NAME': 'MyKeyCloak',
    'OAUTH2_DISPLAY_NAME': 'MyKeyCloak',
    'OAUTH2_CLIENT_ID': 'pgadmin',
    'OAUTH2_CLIENT_SECRET': 'your-client-secret-here',
    'OAUTH2_TOKEN_URL': 'https://mykeycloak/realms/datahub/protocol/openid-connect/token',
    'OAUTH2_AUTHORIZATION_URL': 'https://mykeycloak/realms/datahub/protocol/openid-connect/auth',
    'OAUTH2_API_BASE_URL': 'https://mykeycloak/realms/datahub/',
    'OAUTH2_USERINFO_ENDPOINT': 'https://mykeycloak/realms/datahub/protocol/openid-connect/userinfo',
    'OAUTH2_SCOPE': 'openid email profile',
    'OAUTH2_BUTTON_COLOR': '#51c65b;',
    'OAUTH2_SERVER_METADATA_URL': 'https://mykeycloak/realms/datahub/.well-known/openid-configuration'
}]

Restart pgAdmin and test your login.