
Enabling OAUTH2 on pgAdmin4 with Authelia

Recently I deployed a PostgreSQL database for paperless-ngx, a project I found useful for reducing paper at home. Since I like nice management GUIs, the natural choice was pgAdmin4 (the web version, obviously). To add an extra security layer to yet another publicly facing tool, I decided to enable and configure Authelia OIDC.

You’ll need to add the following YAML to Authelia's configuration.yml:

```yaml
# one entry in the clients list under identity_providers.oidc
- id: <APPID>
  secret: <SUPERSECRET>
  public: false
  authorization_policy: two_factor
  scopes:
    - openid
    - profile
    - email
  redirect_uris:
    - http(s)://<pgAdmin Server URL>/oauth2/authorize
  userinfo_signing_algorithm: none
```

Then on the pgAdmin4 side:

```python
OAUTH2_CONFIG = [
    {
        # The name of the OAuth provider, ex: github, google
        'OAUTH2_NAME': 'Authelia',
        # The display name, ex: Google
        'OAUTH2_DISPLAY_NAME': 'Authelia',
        # OAuth client id
        'OAUTH2_CLIENT_ID': 'APPID',
        # OAuth secret
        'OAUTH2_CLIENT_SECRET': 'SUPERSECRET',
        # URL used to obtain a token
        'OAUTH2_TOKEN_URL': 'https://authelia.domain.com/api/oidc/token',
        # URL used for authentication
        'OAUTH2_AUTHORIZATION_URL': 'https://authelia.domain.com/api/oidc/authorization',
        # OAuth base URL, ex: https://api.github.com/
        'OAUTH2_API_BASE_URL': 'https://authelia.domain.com/',
        # Userinfo endpoint, ex: user
        'OAUTH2_USERINFO_ENDPOINT': 'https://authelia.domain.com/api/oidc/userinfo',
        # OAuth scope, ex: 'openid email profile'
        'OAUTH2_SCOPE': 'openid email profile',
        # Font Awesome icon, ex: fa-github
        'OAUTH2_ICON': 'fa-whateveryouwant',
        # UI button colour, ex: #0000ff
        'OAUTH2_BUTTON_COLOR': None,
    }
]
OAUTH2_AUTO_CREATE_USER = True
```

I decided to use config_local.py mounted at /pgadmin4/config_local.py, since I had trouble setting Compose environment variables in a way that pgAdmin would not complain about.

Replace:

  • authelia.domain.com with whatever address your Authelia instance has
  • fa-whateveryouwant with any FontAwesome icon you wish
  • APPID and SUPERSECRET (see Authelia docs for details about these two)
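Mistyped endpoint URLs are the usual reason this setup fails silently, so here is an added consistency check (my own example, not code from the post, pgAdmin or Authelia). It compares an OAUTH2_CONFIG entry against the endpoints Authelia publishes in its OIDC discovery document; DISCOVERY_JSON is a constructed sample using the post's placeholder hostname, and EXAMPLE_ENTRY mirrors the config above.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of what Authelia serves at
# https://authelia.domain.com/.well-known/openid-configuration (trimmed to relevant fields).
DISCOVERY_JSON = json.dumps({
    "issuer": "https://authelia.domain.com",
    "authorization_endpoint": "https://authelia.domain.com/api/oidc/authorization",
    "token_endpoint": "https://authelia.domain.com/api/oidc/token",
    "userinfo_endpoint": "https://authelia.domain.com/api/oidc/userinfo",
    "scopes_supported": ["openid", "profile", "email", "groups"],
})

# pgAdmin config key -> corresponding discovery-document field
ENDPOINT_MAP = {
    "OAUTH2_AUTHORIZATION_URL": "authorization_endpoint",
    "OAUTH2_TOKEN_URL": "token_endpoint",
    "OAUTH2_USERINFO_ENDPOINT": "userinfo_endpoint",
}

# The post's entry with the URLs as they should read; APPID is a placeholder client id.
EXAMPLE_ENTRY = {
    "OAUTH2_CLIENT_ID": "APPID",
    "OAUTH2_AUTHORIZATION_URL": "https://authelia.domain.com/api/oidc/authorization",
    "OAUTH2_TOKEN_URL": "https://authelia.domain.com/api/oidc/token",
    "OAUTH2_USERINFO_ENDPOINT": "https://authelia.domain.com/api/oidc/userinfo",
    "OAUTH2_SCOPE": "openid email profile",
}

def check_oauth2_entry(entry, discovery_json):
    """Return a list of problems with one OAUTH2_CONFIG entry; [] means consistent."""
    disc = json.loads(discovery_json)
    problems = []
    for key, field in ENDPOINT_MAP.items():
        url = entry.get(key, "")
        parts = urlsplit(url)
        # 'https:/host/...' parses with an empty netloc, so a dropped slash is caught here
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"{key}: malformed or non-https URL {url!r}")
        elif url != disc[field]:
            problems.append(f"{key}: {url!r} differs from discovery {field!r}")
    missing = set(entry.get("OAUTH2_SCOPE", "").split()) - set(disc["scopes_supported"])
    if missing:
        problems.append(f"scopes not offered by Authelia: {sorted(missing)}")
    return problems

def redirect_uri_registered(pgadmin_base_url, authelia_redirect_uris):
    """pgAdmin calls back to <base>/oauth2/authorize; Authelia must list exactly that URI."""
    return pgadmin_base_url.rstrip("/") + "/oauth2/authorize" in authelia_redirect_uris
```

Feed it the real discovery document and your config_local.py entry before restarting pgAdmin, and it reports every endpoint, scope or redirect mismatch in one go.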

Moreover, I have disabled local logon to pgAdmin4, as it is no longer needed.

This post is licensed under CC BY 4.0 by the author.