


postgresql

10th chunk of `doc/src/sgml/client-auth.sgml`
 </para>
        </listitem>
       </varlistentry>

       <varlistentry>
        <term><literal>peer</literal></term>
        <listitem>
         <para>
          Obtain the client's operating system user name from the operating
          system and check if it matches the requested database user name.
          This is only available for local connections.
          See <xref linkend="auth-peer"/> for details.
         </para>
        </listitem>
       </varlistentry>

       <varlistentry>
        <term><literal>ldap</literal></term>
        <listitem>
         <para>
          Authenticate using an <acronym>LDAP</acronym> server. See <xref
          linkend="auth-ldap"/> for details.
         </para>
        </listitem>
       </varlistentry>

       <varlistentry>
        <term><literal>radius</literal></term>
        <listitem>
         <para>
          Authenticate using a RADIUS server. See <xref
          linkend="auth-radius"/> for details.
         </para>
        </listitem>
       </varlistentry>

       <varlistentry>
        <term><literal>cert</literal></term>
        <listitem>
         <para>
          Authenticate using SSL client certificates. See
          <xref linkend="auth-cert"/> for details.
         </para>
        </listitem>
       </varlistentry>

       <varlistentry>
        <term><literal>pam</literal></term>
        <listitem>
         <para>
          Authenticate using the Pluggable Authentication Modules
          (PAM) service provided by the operating system.  See <xref
          linkend="auth-pam"/> for details.
         </para>
        </listitem>
       </varlistentry>

       <varlistentry>
        <term><literal>bsd</literal></term>
        <listitem>
         <para>
          Authenticate using the BSD Authentication service provided by the
          operating system. See <xref linkend="auth-bsd"/> for details.
         </para>
        </listitem>
       </varlistentry>

       <varlistentry>
        <term><literal>oauth</literal></term>
        <listitem>
         <para>
          Authorize and optionally authenticate using a third-party OAuth 2.0
          identity provider. See <xref linkend="auth-oauth"/> for details.
         </para>
        </listitem>
       </varlistentry>
      </variablelist>

      </para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term><replaceable>auth-options</replaceable></term>
     <listitem>
      <para>
       After the <replaceable>auth-method</replaceable> field, there can be field(s) of
       the form <replaceable>name</replaceable><literal>=</literal><replaceable>value</replaceable> that
       specify options for the authentication method. Details about which
       options are available for which authentication methods appear below.
      </para>

      <para>
       In addition to the method-specific options listed below, there is a
       method-independent authentication option <literal>clientcert</literal>, which
       can be specified in any <literal>hostssl</literal> record.
       This option can be set to <literal>verify-ca</literal> or
       <literal>verify-full</literal>. Both options require the client
       to present a valid (trusted) SSL certificate, while
       <literal>verify-full</literal> additionally enforces that the
       <literal>cn</literal> (Common Name) in the certificate matches
       the username or an applicable mapping.
       This behavior is similar to the <literal>cert</literal> authentication
       method (see <xref linkend="auth-cert"/>) but enables pairing
       the verification of client certificates with any authentication
       method that supports <literal>hostssl</literal> entries.
      </para>
      <para>
       On any record using client certificate authentication (i.e. one
       using the <literal>cert</literal> authentication method or one
       using the <literal>clientcert</literal> option), you can specify
       which part of the client certificate credentials

Title: PostgreSQL Authentication Options
Summary
PostgreSQL supports various authentication methods, including peer, LDAP, RADIUS, cert, PAM, BSD, and OAuth. In addition, the method-independent clientcert option can be set on any hostssl record to require clients to present a valid (trusted) SSL certificate: verify-ca checks only that the certificate is trusted, while verify-full additionally requires the certificate's Common Name to match the user name or an applicable mapping. This lets client certificate verification be paired with any authentication method that supports hostssl entries.
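
The `clientcert` rules described above (allowed only on `hostssl` records, and only with the values `verify-ca` or `verify-full`) can be checked mechanically before a configuration is deployed. The following Python audit is an added example, not part of the PostgreSQL documentation or source; the function name `audit_clientcert`, the status strings and the sample records are constructed for illustration, and it assumes each host record gives its address as a single field (CIDR or host name).

```python
import shlex

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
VALID_CLIENTCERT = {"verify-ca", "verify-full"}  # the two values the text allows

# Constructed sample input, not taken from any real server.
SAMPLE_HBA = """\
# TYPE   DATABASE USER ADDRESS       METHOD        OPTIONS
local    all      all                peer
hostssl  all      all  10.0.0.0/8    scram-sha-256 clientcert=verify-full
hostssl  all      all  10.1.0.0/16   pam           clientcert=verify-ca
host     all      all  192.0.2.0/24  scram-sha-256 clientcert=verify-ca
hostssl  all      all  0.0.0.0/0     scram-sha-256 clientcert=yes
hostssl  app      app  10.2.0.0/16   cert
hostssl  all      all  10.3.0.0/16   scram-sha-256
"""

def audit_clientcert(text):
    """Return [(line_number, status)] for every record in pg_hba.conf text."""
    results = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = shlex.split(raw, comments=True)  # drops '#' comments, honours "quotes"
        if not fields or (fields[0] != "local" and fields[0] not in HOST_TYPES):
            continue  # blank line, comment, or include directive
        conn_type = fields[0]
        # Assumption: host records give the address as one field (CIDR or host name).
        method_idx = 3 if conn_type == "local" else 4
        if len(fields) <= method_idx:
            results.append((lineno, "malformed"))
            continue
        method = fields[method_idx]
        options = dict(f.split("=", 1) for f in fields[method_idx + 1:] if "=" in f)
        value = options.get("clientcert")
        if value is None:
            status = "cert-method" if method == "cert" else "no-client-cert"
        elif conn_type != "hostssl":
            status = "error: clientcert outside hostssl"
        elif value not in VALID_CLIENTCERT:
            status = "error: invalid clientcert value"
        else:
            status = value  # verify-full also checks cn against the user name or mapping
        results.append((lineno, status))
    return results

if __name__ == "__main__":
    for lineno, status in audit_clientcert(SAMPLE_HBA):
        print(f"line {lineno}: {status}")
```

Records reported as `no-client-cert` are not errors; they are the entries where no client certificate check is paired with the authentication method.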