F.32. oauth_validator — OAuth 2.0 Basic Token Validator for Tantor SE#
F.32.1. Overview #
This module implements a simple OAuth 2.0 token validator for built-in support of the Device Authorization Flow. The validator performs minimal validation by:
- extracting the sub (subject) and scope fields from the JWT payload;
- comparing the token's scopes with those required by the pg_hba.conf entry;
- mapping the authentication identity sub to a database role using pg_ident.conf;
- allowing or denying access based on the match of sub and scope.
F.32.2. Requirements #
Tantor SE version 18 or higher, configured with the --with-libcurl flag.
F.32.3. Installation #
1. Add the validator in postgresql.conf using the setting oauth_validator_libraries:
   oauth_validator_libraries='oauth_validator'
2. Configure the file pg_ident.conf. For example:
   # MAPNAME SYSTEM-USERNAME PG-USERNAME
   oauthmap "7cf5b11f-adb2-4e67-83b7-5c75f7f1e6ee" "mydbuser"
3. Configure the file pg_hba.conf. For example:
   local all all oauth issuer="https://<address>/.well-known/openid-configuration" scope="openid postgres" map="oauthmap"
F.32.4. Configuration #
- postgresql.conf must contain the validator module in the oauth_validator_libraries entry.
- pg_hba.conf must specify oauth as the authentication method and define oauth_scope.
- pg_ident.conf must contain mappings between JWT sub values and Tantor SE roles.
F.32.4.1. Example of pg_ident.conf Entry #
# MAPNAME SYSTEM-USERNAME PG-USERNAME
oauthmap "7cf5b11f-adb2-4e67-83b7-5c75f7f1e6ee" "mydbuser"
If the token contains the sub value “7cf5b11f-adb2-4e67-83b7-5c75f7f1e6ee” and validation passes, Tantor SE will map it to the mydbuser role using the oauthmap entry.
F.32.4.2. Example of pg_hba.conf Entry #
local all all oauth issuer="https://<address>/.well-known/openid-configuration" scope="openid postgres" map="oauthmap"
F.32.5. Token Validation Logic #
The core validation logic is implemented through the validate_token function. It performs the following steps:
1. Parsing the token payload: the raw token string is parsed to extract its payload. If the token is malformed or the payload cannot be extracted, validation fails.
2. Extracting JWT claims: the payload must contain both:
   - sub: subject (used to identify the user);
   - scope: space-separated list of scopes granted by the token.
   If either field is missing, validation fails.
3. Comparing scopes: the scopes from the oauth_scope entry in pg_hba.conf are compared with the scopes granted by the token. If any of them are missing from the token, validation fails. In the configuration example above, validation is successful if the token contains both the openid and postgres scopes.
4. Setting the authorization result: the res->authorized flag is set to true if the scopes match; otherwise, it is set to false.
5. Assigning the authentication identity: the sub value is assigned to res->authn_id, which Tantor SE uses to identify the authenticated user.
6. Mapping the authentication identity: this sub value is then matched outside of this module against entries in pg_ident.conf to determine the actual database role the user is allowed to assume. If matching fails, validation fails.
Otherwise, validation is successful and the client is authorized and connected to the database.
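The validation steps above, as an added Python example that is not the module's own C code: it decodes the JWT payload, extracts sub and scope, compares the granted scopes against the scope value from the pg_hba.conf entry, and then performs the literal pg_ident.conf lookup that the server does outside the module. The token produced by unsigned_token and the ident map text are constructed inputs; like the basic validator described here, the code does not verify the signature, expiration, audience or issuer.

```python
import base64
import json
import shlex
# Constructed inputs: the pg_ident.conf entry and the scope= value from the pg_hba.conf entry above.
PG_IDENT = '''# MAPNAME SYSTEM-USERNAME PG-USERNAME
oauthmap "7cf5b11f-adb2-4e67-83b7-5c75f7f1e6ee" "mydbuser"
'''
HBA_SCOPE = "openid postgres"

def decode_payload(token):
    """Step 1: decode the middle (payload) segment of a compact JWT; None if malformed.
    The signature segment is not checked, exactly as in the basic validator described here."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(seg))
    except ValueError:  # bad base64 (binascii.Error) or bad JSON
        return None
    return claims if isinstance(claims, dict) else None

def validate_token(token, required_scope):
    """Steps 2-5: extract sub/scope, compare scopes, fill the result dict
    (a stand-in for res->authorized and res->authn_id in the C module)."""
    res = {"authorized": False, "authn_id": None}
    claims = decode_payload(token)
    if claims is None:
        return res
    sub, scope = claims.get("sub"), claims.get("scope")
    if not isinstance(sub, str) or not isinstance(scope, str):
        return res  # a required claim is missing
    if set(required_scope.split()) - set(scope.split()):
        return res  # the token lacks at least one required scope
    res["authorized"], res["authn_id"] = True, sub
    return res

def map_identity(authn_id, mapname, ident_text=PG_IDENT):
    """Step 6, done by the server outside the module: literal pg_ident.conf lookup.
    Simplification: regex system-usernames (starting with '/') are not handled."""
    for line in ident_text.splitlines():
        fields = shlex.split(line, comments=True)
        if len(fields) == 3 and fields[0] == mapname and fields[1] == authn_id:
            return fields[2]
    return None

def unsigned_token(claims):
    """Constructed test input only: header.payload plus a dummy signature segment."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".sig"
```

A token carrying extra scopes still passes, since only the required set is checked; a token missing openid or postgres, or missing sub, is rejected before any role lookup happens.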
F.32.6. Extensibility #
This basic implementation can be extended with additional checks or custom logic, such as:
- validating token signatures;
- validating token expiration (exp);
- validating the audience (aud) or issuer (iss);
- fetching user roles dynamically.