postgresql

36th chunk of `doc/src/sgml/client-auth.sgml`
 linkend="auth-oauth-issuer">issuer identifier</link> of the
        authorization server, as defined by its discovery document, or a
        well-known URI that points directly to that discovery document. This
        parameter is required.
       </para>
       <para>
        When an OAuth client connects to the server, a URL for the discovery
        document will be constructed using the issuer identifier. By default,
        this URL uses the conventions of OpenID Connect Discovery: the path
        <literal>/.well-known/openid-configuration</literal> will be appended
        to the end of the issuer identifier. Alternatively, if the
        <literal>issuer</literal> contains a <literal>/.well-known/</literal>
        path segment, that URL will be provided to the client as-is.
       </para>
       <warning>
        <para>
         The OAuth client in libpq requires the server's issuer setting to
         exactly match the issuer identifier which is provided in the discovery
         document, which must in turn match the client's
         <xref linkend="libpq-connect-oauth-issuer"/> setting. No variations in
         case or formatting are permitted.
        </para>
       </warning>
      </listitem>
     </varlistentry>

     <varlistentry>
      <term><literal>scope</literal></term>
      <listitem>
       <para>
        A space-separated list of the OAuth scopes needed for the server to
        both authorize the client and authenticate the user.  Appropriate values
        are determined by the authorization server and the OAuth validation
        module used (see <xref linkend="oauth-validators" /> for more
        information on validators).  This parameter is required.
       </para>
      </listitem>
     </varlistentry>

     <varlistentry>
      <term><literal>validator</literal></term>
      <listitem>
       <para>
        The library to use for validating bearer tokens. If given, the name must
        exactly match one of the libraries listed in
        <xref linkend="guc-oauth-validator-libraries" />.  This parameter is
        optional unless <literal>oauth_validator_libraries</literal> contains
        more than one library, in which case it is required.
       </para>
      </listitem>
     </varlistentry>

     <varlistentry>
      <term><literal>map</literal></term>
      <listitem>
       <para>
        Allows for mapping between OAuth identity provider and database user
        names.  See <xref linkend="auth-username-maps"/> for details.  If a
        map is not specified, the user name associated with the token (as
        determined by the OAuth validator) must exactly match the role name
        being requested.  This parameter is optional.
       </para>
      </listitem>
     </varlistentry>

     <varlistentry>
      <term id="auth-oauth-delegate-ident-mapping" xreflabel="delegate_ident_mapping">
       <literal>delegate_ident_mapping</literal>
      </term>
      <listitem>
       <para>
        An advanced option which is not intended for common use.

Title: OAuth Configuration Parameters in PostgreSQL
Summary
This section describes the configuration parameters for OAuth in PostgreSQL, including issuer, scope, validator, map, and delegate_ident_mapping, which are used to authenticate and authorize clients, validate bearer tokens, and map OAuth identities to database user names.
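
Added example (not part of the PostgreSQL documentation or source): a preflight check that applies the two rules documented above for issuer, namely how the discovery URL is built and the exact-match requirement on the issuer identifier, and reports why a configured value would be rejected. The host issuer.example.org, the sample discovery document and the function names are constructed for illustration; the match check assumes the configured value is an issuer identifier rather than a well-known URI.

```python
import json

WELL_KNOWN_SEGMENT = "/.well-known/"
OIDC_SUFFIX = "/.well-known/openid-configuration"


def discovery_url(hba_issuer: str) -> str:
    """URL handed to the client, per the rule documented for `issuer`."""
    if WELL_KNOWN_SEGMENT in hba_issuer:
        return hba_issuer            # already a well-known URI: passed as-is
    return hba_issuer + OIDC_SUFFIX  # appended to the end, nothing normalized


def issuer_mismatch(hba_issuer: str, discovery_json: str):
    """Return None on an exact match, else a short diagnosis string.

    Assumes hba_issuer is an issuer identifier, not a well-known URI.
    """
    published = json.loads(discovery_json).get("issuer")
    if published is None:
        return "discovery document has no issuer field"
    if published == hba_issuer:
        return None
    # The comparisons below only explain the failure; none of them is a match.
    if published.lower() == hba_issuer.lower():
        return "differs only in case"
    if published.rstrip("/") == hba_issuer.rstrip("/"):
        return "differs only in a trailing slash"
    return "different issuer"


# Constructed sample discovery document (issuer.example.org is a placeholder).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://issuer.example.org/realms/db",
    "token_endpoint": "https://issuer.example.org/realms/db/token",
})

if __name__ == "__main__":
    for candidate in (
        "https://issuer.example.org/realms/db",
        "https://issuer.example.org/realms/db/",
        "https://Issuer.example.org/realms/db",
    ):
        print(candidate, "->", discovery_url(candidate), "|",
              issuer_mismatch(candidate, SAMPLE_DISCOVERY) or "exact match")
```

Running the same check against the client's oauth_issuer value catches the second half of the requirement, since all three values must agree.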