Skip to main content


What is pgAdmin



pgAdmin is a management tool for PostgreSQL and derivative relational databases such as EnterpriseDB's EDB Advanced Server. It may be run either as a web or desktop application.


This is based on authentik 2022.3.3 and pgAdmin4 v6.7


The following placeholders will be used:

  • is the FQDN of pgAdmin.
  • is the FQDN of authentik.

Step 1: Create authentik Provider

In authentik, under Providers, create an OAuth2/OpenID Provider with these settings:

Provider Settings

  • Name: pgAdmin
  • Client type: Confidential
  • Client ID: Copy and Save this for Later
  • Client Secret: Copy and Save this for later
  • Redirect URIs/Origins:

Step 2: Create authentik Application

In authentik, create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings.

Step 3: Configure pgAdmin

All settings for OAuth in pgAdmin are configured in the file. This file can usually be found in the path /pgadmin4/


More information on that file can be found in the official pgAdmin documentation

Copy the following code into the file and replace all placeholders and FQDN placeholders


If the file does not exist, it needs to be created in the /pgadmin4/ directory.

AUTHENTICATION_SOURCES = ['oauth2', 'internal']
'OAUTH2_NAME' : 'authentik',
'OAUTH2_DISPLAY_NAME' : '<display-name>',
'OAUTH2_CLIENT_ID' : '<client-id>',
'OAUTH2_CLIENT_SECRET' : '<client-secret>',
'OAUTH2_SCOPE' : 'openid email profile',
'OAUTH2_ICON' : '<fontawesome-icon>',
'OAUTH2_BUTTON_COLOR' : '<button-color>'

In the code above the following placeholders have been used:

  • <display-name>: The name that is displayed on the Login Button
  • <client-id>: The Client ID from step 1
  • <client-secret>: The Client Secret from step 1
  • <fontawesome-icon>: An icon name from fontawesome. Only brand icons seem to be supported. This icon is displayed in front of the <display-name>. E.g.: fa-github.
  • <button-color>: Sets the color of the Login Button. Should be in Hex format, E.g.: #fd4b2d

To only allow authentication via authentik set AUTHENTICATION_SOURCES to ['oauth2']. This should only be done once at least one user registered via authentik has been made an admin in pgAdmin.


To disable user creation on pgAdmin, set OAUTH2_AUTO_CREATE_USER to False

Finally, restart pgAdmin to apply the changes.


pgAdmin needs to be restarted every time changes to are made