SQL-76 Add pgwire password authentication to OIDC authenticator#34801
Merged
SangJunBak merged 5 commits intoMaterializeInc:mainfrom Feb 18, 2026
Merged
SQL-76 Add pgwire password authentication to OIDC authenticator#34801SangJunBak merged 5 commits intoMaterializeInc:mainfrom
SangJunBak merged 5 commits intoMaterializeInc:mainfrom
Conversation
SangJunBak
force-pushed
the
jun/add-password-auth-to-oidc
branch
7 times, most recently
from
a8d789b to
aed6472
Compare
SangJunBak
changed the title
SangJunBak
force-pushed
the
jun/add-password-auth-to-oidc
branch
from
aed6472 to
1ccd67a
Compare
SangJunBak
force-pushed
the
jun/add-password-auth-to-oidc
branch
from
1ccd67a to
0d5b665
Compare
SangJunBak
force-pushed
the
jun/add-password-auth-to-oidc
branch
from
0d5b665 to
c04b2aa
Compare
SangJunBak
force-pushed
the
jun/add-password-auth-to-oidc
branch
2 times, most recently
from
047394c to
5de9377
Compare
- Add external_metadata_rx() method to OidcAuthSessionHandle trait with default None impl
This allows us to create a helper functions for anything implementing OidcAuthenticator.
- Update Authenticator::Oidc to use named fields: {oidc, password}
SangJunBak
force-pushed
the
jun/add-password-auth-to-oidc
branch
from
5de9377 to
31359cd
Compare
- Add authenticate_with_oidc_token for token-based auth (Frontegg/OIDC JWT) - Add authenticate_with_password for password-based auth
- Enables tests to pass connection-level options like --oidc_auth_enabled - Verifies that when oidc_auth_enabled is not set in the connection options, the OIDC authenticator falls back to password authentication.
Call stacks above the critical recursion can grow as we add code elsewhere in the system
SangJunBak
force-pushed
the
jun/add-password-auth-to-oidc
branch
from
31359cd to
b04753d
Compare
teskje
reviewed
Feb 9, 2026
Contributor
teskje
left a comment
teskje
left a comment
There was a problem hiding this comment.
Looks fine to me.
I'm a bit unhappy with adding password auth as a special case for OIDC auth, ideally we would leave the concerns separated and leave the password auth to the password authenticator. Would it be difficult to move the dispatching on the auth method one level up and just use the password authenticator when OIDC is disabled via the option?
| Oidc(GenericOidcAuthenticator), | ||
| Oidc { | ||
| oidc: GenericOidcAuthenticator, | ||
| password: AdapterClient, |
Contributor
There was a problem hiding this comment.
Maybe call this adapter_client? I think you name it password because it's used for password auth, but I was confused initially thinking this field stores a password instead.
Contributor
Author
There was a problem hiding this comment.
Good call! Implemented it in my latest commit.
| # the query planner and optimizer. | ||
|
|
||
| # 475 UNIONs | ||
| # 418 UNIONs |
SangJunBak
force-pushed
the
jun/add-password-auth-to-oidc
branch
from
c00c9cb to
7d99ff9
Compare
teskje
approved these changes
Feb 17, 2026
| // We can only send the Frontegg, OIDC, and None variants immediately. | ||
| // The Password variant requires an adapter client. | ||
| // We can only send the Frontegg and None variants immediately. | ||
| // The Password and Oidc variants require an adapter client. |
Contributor
There was a problem hiding this comment.
Oidc doesn't require an adapter client anymore, right?
| frontegg: Option<FronteggAuthenticator>, | ||
| oidc: Option<GenericOidcAuthenticator>, | ||
| adapter_client: mz_adapter::Client, | ||
| // If oidc_auth_enabled exists as an option in the connection options, |
Contributor
There was a problem hiding this comment.
Looks like this comment got cut off?
| AuthenticatorKind::Password => Authenticator::Password(adapter_client), | ||
| AuthenticatorKind::Sasl => Authenticator::Sasl(adapter_client), | ||
| AuthenticatorKind::Oidc => { | ||
| let oidc = oidc.expect("OIDC authenticator should exist with AuthenticatorKind::Oidc"); |
Contributor
There was a problem hiding this comment.
Nit: Move this into the if branch, closer to its usage.
By choosing the authenticator on connection, we can keep password authentication tied to AuthenticatorKind::Password. We need to do it on connection because it depends on the oidc_auth_enabled value from 'options' in the connection parameters
SangJunBak
force-pushed
the
jun/add-password-auth-to-oidc
branch
from
7d99ff9 to
531b22e
Compare
patrickwwbutler
pushed a commit
to patrickwwbutler/materialize
that referenced
this pull request
Feb 19, 2026
…rializeInc#34801) <!-- Describe the contents of the PR briefly but completely. If you write detailed commit messages, it is acceptable to copy/paste them here, or write "see commit messages for details." If there is only one commit in the PR, GitHub will have already added its commit message above. --> see commit messages for details, starting from commit "[Add password fallback for OIDC pgwire](MaterializeInc@e3bbf7a)". Commits before are. being reviewed in MaterializeInc#34690. Will do http pgwire password authentication in a followup PR. ### Motivation <!-- Which of the following best describes the motivation behind this PR? * This PR fixes a recognized bug. [Ensure issue is linked somewhere.] * This PR adds a known-desirable feature. [Ensure issue is linked somewhere.] * This PR fixes a previously unreported bug. [Describe the bug in detail, as if you were filing a bug report.] * This PR adds a feature that has not yet been specified. [Write a brief specification for the feature, including justification for its inclusion in Materialize, as if you were writing the original feature specification.] * This PR refactors existing code. [Describe what was wrong with the existing code, if it is not obvious.] --> ### Tips for reviewer <!-- Leave some tips for your reviewer, like: * The diff is much smaller if viewed with whitespace hidden. * [Some function/module/file] deserves extra attention. * [Some function/module/file] is pure code movement and only needs a skim. Delete this section if no tips. --> ### Checklist - [ ] This PR has adequate test coverage / QA involvement has been duly considered. ([trigger-ci for additional test/nightly runs](https://trigger-ci.dev.materialize.com/)) - [ ] This PR has an associated up-to-date [design doc](https://github.com/MaterializeInc/materialize/blob/main/doc/developer/design/README.md), is a design doc ([template](https://github.com/MaterializeInc/materialize/blob/main/doc/developer/design/00000000_template.md)), or is sufficiently small to not require a design. <!-- Reference the design in the description. --> - [ ] If this PR evolves [an existing `$T ⇔ Proto$T` mapping](https://github.com/MaterializeInc/materialize/blob/main/doc/developer/command-and-response-binary-encoding.md) (possibly in a backwards-incompatible way), then it is tagged with a `T-proto` label. - [ ] If this PR will require changes to cloud orchestration or tests, there is a companion cloud PR to account for those changes that is tagged with the release-blocker label ([example](MaterializeInc/cloud#5021)). <!-- Ask in #team-cloud on Slack if you need help preparing the cloud PR. --> - [ ] If this PR includes major [user-facing behavior changes](https://github.com/MaterializeInc/materialize/blob/main/doc/developer/guide-changes.md#what-changes-require-a-release-note), I have pinged the relevant PM to schedule a changelog post.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
see commit messages for details, starting from commit "Add password fallback for OIDC pgwire". Commits before are. being reviewed in #34690.
Will do http pgwire password authentication in a followup PR.
Motivation
Tips for reviewer
Checklist
$T ⇔ Proto$Tmapping (possibly in a backwards-incompatible way), then it is tagged with aT-protolabel.