Adding support for a generic authenticated user role, irrespective of jwt-role-claim #3366
I am currently using a managed PostgreSQL instance that doesn't allow me to provision additional roles but provides me with a role to use that was set up via their automated provisioning process. I am also using an OIDC provider that does not allow me to customize the claims that are provided in the id_token jwt, and currently there is no claim in the token that matches the name of the role provisioned in postgres. Per the documentation if the jwt doesn't have a role claim (or another claim that matches the In this scenario postgrest was able to use the I would like to give users who don't have a role claim but do have a valid unexpired id_token access to postgrest without having to grant access to anonymous users. Right now postgrest treats users who have a valid unexpired id_token as just as unauthenticated as someone completely anonymous, and I would like to treat users in that category differently. The idea would be to have something like a Is this something that the team would be open to receiving as a pull request or would there be a better way to handle this situation given that I don't control either postgres or the OIDC providers?

P.S. If this is something that would be better posted elsewhere please let me know.
This is better off created as an issue.
@ChrisMagnuson, check out https://github.com/edgeflare/pgo. It's not yet as robust and reliable (please do give your feedback to make it so) as PostgREST, but enhances postgrest in a few ways:

```yaml
rest:
  listenAddr: ":8080"
  pg:
    connString: "host=localhost port=5432 user=postgrest password=secret dbname=testdb"
  oidc:
    issuer: https://iam.example.org
    clientID: example-client-id
    clientSecret: example-client-secret
    roleClaimKey: .policies.pgrole
  basicAuth:
    admin: adminpw
    user1: user1pw
  anonRole: anon
```
That looks amazing, we’ll definitely check it out, thank you for mentioning it
…On Sun, Mar 9, 2025 at 4:57 AM blockchaind ***@***.***> wrote:
@ChrisMagnuson <https://github.com/ChrisMagnuson>, checkout
https://github.com/edgeflare/pgo. It's not yet as robust and reliable
(please do give your feedback to make it so) as PostgREST, but enhances
postgrest in a few ways:
- fixes #1130 <#1130>
(JWSError JWSInvalidSignature)
- supports basic-auth (along-side OIDC auth and anonymous/public access
rest:
  listenAddr: ":8080"
  pg:
    connString: "host=localhost port=5432 user=postgrest password=secret dbname=testdb"
  oidc:
    issuer: https://iam.example.org
    clientID: example-client-id
    clientSecret: example-client-secret
    roleClaimKey: .policies.pgrole
  basicAuth:
    admin: adminpw
    user1: user1pw
  anonRole: anon
See #3367