Skip to main content

pgAdmin

What is pgAdmin

From https://www.pgadmin.org/

note

pgAdmin is a management tool for PostgreSQL and derivative relational databases such as EnterpriseDB's EDB Advanced Server. It may be run either as a web or desktop application.

note

This is based on authentik 2022.3.3 and pgAdmin4 v6.7

Preparation

The following placeholders will be used:

  • pgadmin.company is the FQDN of pgAdmin.
  • authentik.company is the FQDN of authentik.

Step 1: Create authentik Provider

In authentik, under Providers, create an OAuth2/OpenID Provider with these settings:

Provider Settings

  • Name: pgAdmin
  • Client type: Confidential
  • Client ID: Copy and Save this for Later
  • Client Secret: Copy and Save this for later
  • Redirect URIs/Origins: http://pgadmin.company/oauth2/authorize

Step 2: Create authentik Application

In authentik, create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings.

Step 3: Configure pgAdmin

All settings for OAuth in pgAdmin are configured in the config_local.py file. This file can usually be found in the path /pgadmin4/config_local.py

note

More information on that file can be found in the official pgAdmin documentation

Copy the following code into the config_local.py file and replace all placeholders and FQDN placeholders

note

If the config_local.py file does not exist, it needs to be created in the /pgadmin4/ directory.

AUTHENTICATION_SOURCES = ['oauth2', 'internal']
OAUTH2_AUTO_CREATE_USER = True
OAUTH2_CONFIG = [{
    'OAUTH2_NAME' : 'authentik',
    'OAUTH2_DISPLAY_NAME' : '<display-name>',
    'OAUTH2_CLIENT_ID' : '<client-id>',
    'OAUTH2_CLIENT_SECRET' : '<client-secret>',
    'OAUTH2_TOKEN_URL' : 'https://authentik.company/application/o/token/',
    'OAUTH2_AUTHORIZATION_URL' : 'https://authentik.company/application/o/authorize/',
    'OAUTH2_API_BASE_URL' : 'https://authentik.company/',
    'OAUTH2_USERINFO_ENDPOINT' : 'https://authentik.company/application/o/userinfo/',
    'OAUTH2_SCOPE' : 'openid email profile',
    'OAUTH2_ICON' : '<fontawesome-icon>',
    'OAUTH2_BUTTON_COLOR' : '<button-color>'
}]

In the code above the following placeholders have been used:

  • <display-name>: The name that is displayed on the Login Button
  • <client-id>: The Client ID from step 1
  • <client-secret>: The Client Secret from step 1
  • <fontawesome-icon>: An icon name from fontawesome. Only brand icons seem to be supported. This icon is displayed in front of the <display-name>. E.g.: fa-github.
  • <button-color>: Sets the color of the Login Button. Should be in Hex format, E.g.: #fd4b2d
note

To only allow authentication via authentik set AUTHENTICATION_SOURCES to ['oauth2']. This should only be done once at least one user registered via authentik has been made an admin in pgAdmin.

note

To disable user creation on pgAdmin, set OAUTH2_AUTO_CREATE_USER to False

Finally, restart pgAdmin to apply the changes.

note

pgAdmin needs to be restarted every time changes to config_local.py are made