Kong Gateway supports connecting to PostgreSQL 18 using OAuth2 authentication via the SASL OAUTHBEARER mechanism and a server-side validator. This is a more secure alternative to password-based authentication that enables single sign-on (SSO) and centralized access management through any OIDC-compliant identity provider such as Okta, Azure AD, Google, or Keycloak.
Kong Gateway PostgreSQL OAuth2 authentication
Uses:
Kong Gateway
Related Documentation
Minimum Version
Kong Gateway - 3.14
Incompatible with
konnect
Tags
Architecture
The following diagram shows how Kong Gateway authenticates to PostgreSQL using OAUTHBEARER:
- Kong Gateway obtains an OAuth access token from the IdP (using client_credentials or password grant).
- Kong Gateway connects to PostgreSQL using OAUTHBEARER SASL mechanism, sending the token.
- PostgreSQL’s OAuth validator plugin contacts the IdP to validate the token.
- The validator verifies the token’s authenticity (issuer, signature, expiration) and extracts the user’s identity, typically the
subclaim, which is mapped to an existing PostgreSQL role. - If the role exists and the token is valid, the connection succeeds.
sequenceDiagram
participant Kong as Kong Gateway
participant IdP
participant PG as PostgreSQL 18 (oauth validator)
Kong->>IdP: 1. Request token
IdP-->>Kong: 2. Return token
Kong->>PG: 3. Connect with OAUTHBEARER (send access token)
PG->>IdP: 4. Validate token
The token-to-role mapping in step 4 is critical: a PostgreSQL role must exist that matches the identity the validator extracts from the token. Which claim is used and how it maps to a role is determined entirely by the validator library or cloud provider.
Version requirements
|
Component |
Minimum Version |
Notes |
|---|---|---|
| Kong Gateway | 3.14+ | First version to support OAUTHBEARER SASL |
| PostgreSQL | 18+ | First version to support OAUTHBEARER authentication |
| OAuth Validator | - | Required for self-managed PostgreSQL; cloud-managed services may have built-in support |
| IdP | - | Any OIDC-compliant identity provider |
SSL requirements
Because OAUTHBEARER transmits tokens in plaintext, SSL is required. When pg_oauth_auth is set to on, Kong Gateway automatically enforces pg_ssl=on and pg_ssl_required=on. PostgreSQL must also have SSL enabled or the connection will fail.
PostgreSQL setup
1. Install an OAuth validator plugin
PostgreSQL 18 introduced OAuth support but delegates token validation entirely to third-party libraries, it does not implement token verification itself. Self-managed deployments therefore require a validator library configured via the oauth_validator_libraries parameter. Kong supports pg_oidc_validator from Percona. Install and configure it according to its documentation.
2. Configure postgresql.conf
ssl = on
ssl_cert_file = '<path_to_server_certificate>'
ssl_key_file = '<path_to_server_private_key>'
oauth_validator_libraries = 'pg_oidc_validator'
Copied!
3. Configure pg_hba.conf
# TYPE DATABASE USER ADDRESS METHOD OPTIONS
local all all trust
host all postgres all trust
host all all all oauth issuer=https://<idp-host>/realms/<realm> scope=openid
Copied!
Rules are evaluated top-down, first match wins:
|
Rule |
Meaning |
|---|---|
local all all trust
|
Local Unix socket connections are trusted (no authentication) |
host all postgres all trust
|
The postgres superuser can connect via TCP without authentication
|
host all all all oauth ...
|
All other TCP connections must authenticate via OAUTHBEARER, with the specified issuer and scope
|
4. Create a database role matching the token identity
The validator determines how to map a token to a PostgreSQL role. For client credentials flow, the sub claim is typically set to the client_id by the IdP, so the role name usually matches the client ID. Refer to your validator library or cloud provider’s documentation to confirm the expected format.
CREATE ROLE "<matched_identity>" WITH LOGIN;
Copied!
Kong configuration
Token endpoint vs Discovery endpoint
Kong Gateway needs to know where to request tokens. There are two mutually exclusive ways to configure this:
|
Parameter |
Description |
|---|---|
pg_oauth_token_endpoint
|
The IdP’s token endpoint URL directly. Use this when you know the exact URL. |
pg_oauth_discovery_endpoint
|
The IdP’s OIDC discovery URL (.well-known/openid-configuration). Kong will fetch this document and extract the token_endpoint automatically.
|
One of the two is required. If both are set, token_endpoint takes precedence. Discovery mode is useful when you prefer not to hardcode the token endpoint, or when the IdP may change its endpoint URL.
Token endpoint auth method
pg_oauth_token_endpoint_auth_method controls how Kong Gateway sends client credentials to the IdP’s token endpoint:
|
Value |
Behavior |
|---|---|
client_secret_post (default)
|
Sends client_id and client_secret in the request body
|
client_secret_basic
|
Sends credentials via HTTP Basic Authentication header |
Choose the method your IdP supports. Most IdPs support both; some (e.g., certain enterprise IdPs) may only accept one.
Client credentials grant (with token endpoint)
This is the most common pattern for service-to-service authentication, where Kong Gateway uses client_id and client_secret to obtain a token.
Client credentials grant (with discovery endpoint)
Use this variant when you prefer not to hardcode the token endpoint URL, Kong Gateway resolves it automatically from the OIDC discovery document.
Password grant
Use this grant type when the IdP requires resource owner credentials.
Password grant with ADFS
ADFS (Active Directory Federation Services) typically uses password grant with a resource parameter to identify the target application, and may use a public client (no client_secret).
pg_oauth_resource is only sent with the password grant type. pg_oauth_client_secret can be omitted for ADFS public clients.
Configuration parameters
|
Parameter |
Default |
Values |
Description |
|---|---|---|---|
pg_oauth_auth
|
off
|
on / off
|
Enable OAUTHBEARER authentication. Automatically enables pg_ssl and pg_ssl_required.
|
pg_oauth_client_id
|
- | string | OAuth client ID. Required. |
pg_oauth_client_secret
|
- | string |
OAuth client secret. Required for client_credentials grant.
|
pg_oauth_token_endpoint
|
- | URL |
IdP token endpoint URL. One of token_endpoint or discovery_endpoint is required.
|
pg_oauth_discovery_endpoint
|
- | URL |
OIDC discovery URL (.well-known/openid-configuration). Alternative to token_endpoint.
|
pg_oauth_scope
|
- | string |
OAuth scope to request (e.g., openid).
|
pg_oauth_audience
|
- | string | OAuth audience parameter. |
pg_oauth_grant_type
|
client_credentials
|
client_credentials / password
|
OAuth grant type. |
pg_oauth_token_endpoint_auth_method
|
client_secret_post
|
client_secret_post / client_secret_basic
|
How to send client credentials to the IdP. |
pg_oauth_username
|
- | string |
Username. Required when grant_type is password.
|
pg_oauth_password
|
- | string |
Password. Required when grant_type is password.
|
pg_oauth_resource
|
- | string | OAuth resource parameter. |
All parameters also have
pg_ro_oauth_*variants for read-only replica connections.
FAQs
What must match between pg_hba.conf and the Kong Gateway configuration?
The scope value in pg_hba.conf must match the pg_oauth_scope Kong Gateway configuration parameter (environment variable KONG_PG_OAUTH_SCOPE). If they don’t match, PostgreSQL will reject the token even if it is otherwise valid.
Why does my connection fail even though the token is valid?
The pg_user Kong Gateway configuration parameter (environment variable KONG_PG_USER) must be set to the PostgreSQL role name that the validator maps from the token. If they don’t match, the connection will fail.