pgAdmin
What is pgAdmin
pgAdmin is a management tool for PostgreSQL and derivative relational databases such as EnterpriseDB's EDB Advanced Server. It may be run either as a web or desktop application.
This is based on authentik 2024.12.2 and pgAdmin4 8.14
Preparation
The following placeholders are used in this guide:
pgadmin.companyis the FQDN of pgAdmin.authentik.companyis the FQDN of authentik.
authentik configuration
- From the Admin interface, navigate to Applications -> Applications.
- Use the wizard to create a new application and provider. During this process:
- Note the Client ID, Client Secret, and slug values because they will be required later.
- Set a
Strictredirect URI tohttps://pgadmin.company/oauth2/authorize. - Select any available signing key.
pgAdmin OAuth Configuration
To configure OAuth in pgAdmin, you can either use the config_local.py file or set environment variables if you are deploying pgAdmin in a containerized setup.
Using config_local.py
-
Locate or create the
config_local.pyfile in the/pgadmin4/directory.- If the file does not exist, create it manually.
-
Add the following configuration settings to
config_local.py:AUTHENTICATION_SOURCES = ['oauth2', 'internal']
OAUTH2_AUTO_CREATE_USER = True
OAUTH2_CONFIG = [{
'OAUTH2_NAME': 'authentik',
'OAUTH2_DISPLAY_NAME': 'authentik',
'OAUTH2_CLIENT_ID': '<Client ID from authentik>',
'OAUTH2_CLIENT_SECRET': '<Client secret from authentik>',
'OAUTH2_TOKEN_URL': 'https://authentik.company/application/o/token/',
'OAUTH2_AUTHORIZATION_URL': 'https://authentik.company/application/o/authorize/',
'OAUTH2_API_BASE_URL': 'https://authentik.company/',
'OAUTH2_USERINFO_ENDPOINT': 'https://authentik.company/application/o/userinfo/',
'OAUTH2_SERVER_METADATA_URL': 'https://authentik.company/application/o/<App Slug>/.well-known/openid-configuration',
'OAUTH2_SCOPE': 'openid email profile',
'OAUTH2_ICON': '<Fontawesome icon key (e.g., fa-key)>',
'OAUTH2_BUTTON_COLOR': '<Hexadecimal color code for the login button>'
}] -
Save the file and restart pgAdmin for the changes to take effect.
noteYou must restart pgAdmin every time you make changes to
config_local.py.
Using Environment Variables for Containerized Deployments
For deployments using Docker or Kubernetes, you can configure OAuth using the following environment variables:
- Set these environment variables in your container:
PGADMIN_CONFIG_AUTHENTICATION_SOURCES="['oauth2', 'internal']"
PGADMIN_CONFIG_OAUTH2_AUTO_CREATE_USER=True
PGADMIN_CONFIG_OAUTH2_CONFIG="[{'OAUTH2_NAME':'authentik','OAUTH2_DISPLAY_NAME':'Login with authentik','OAUTH2_CLIENT_ID':'<Client ID from authentik>','OAUTH2_CLIENT_SECRET':'<Client secret from authentik>','OAUTH2_TOKEN_URL':'https://authentik.company/application/o/token/','OAUTH2_AUTHORIZATION_URL':'https://authentik.company/application/o/authorize/','OAUTH2_API_BASE_URL':'https://authentik.company/','OAUTH2_USERINFO_ENDPOINT':'https://authentik.company/application/o/userinfo/','OAUTH2_SERVER_METADATA_URL':'https://authentik.company/application/o/<App Slug>/.well-known/openid-configuration','OAUTH2_SCOPE':'openid email profile','OAUTH2_ICON':'<Fontawesome icon key (e.g., fa-key)>','OAUTH2_BUTTON_COLOR':'<Hexadecimal color code for the login button>'}]"
General Notes
-
To only allow OAuth2 login, set:
AUTHENTICATION_SOURCES = ['oauth2']Ensure that you promote at least one user to an admin before disabling the internal authentication.
-
To disable automatic user creation, set:
OAUTH2_AUTO_CREATE_USER = FalseSetting this value to
Falsedisables automatic user creation. This ensures that only the first signed-in user is registered.
Configuration verification
To confirm that authentik is properly configured with pgAdmin, log out and log back in via authentik. A new button should have appeared on the login page.