
Cannot save DB password when admin is authenticated through OIDC

Open ratermir opened this issue 8 months ago • 3 comments

Please note that security bugs or issues should be reported to [email protected].

Describe the bug


Preconditions:

  • well configured OIDC provider (Zitadel in my case)
  • fresh installation of Pgadmin4 with only "Admin" account
  • configured OAUTH2 authentication as described here to create accounts in Pgadmin if they do not exist

To Reproduce

  1. go to the Pgadmin4 page, log in using the OAUTH2 provider (with the button under the login dialog) => a new user is created (so far OK)
  2. log out from the new user, log in as the admin
  3. go to user administration, change the user status from "User" to "Administrator"
  4. log out the admin, log in as the OIDC user again
  5. now the user created by OAUTH2 has some "admin" privileges (it can change other users, for example), but if I create a new connection, it can't let Pgadmin save the DB password (as the "standard" admin can). The switch is inactive - gray.

I would expect that if I change the user status to "Administrator", it will really have all admin rights.

Also I didn't find a way to pass the "admin" role in the OIDC claims / token (is there such an option? Maybe I overlooked something). It would be more straightforward to be able to pass such a role from the outside.

ratermir avatar Apr 29 '25 06:04 ratermir

@ratermir Can you please share your complete pgadmin config from Help > About pgadmin? Have you set 'MASTER_PASSWORD' to False? (Then you should not get the option to save the db password irrespective of the user role, user/administrator.) Can you please try setting it to True.

yogeshmahajan-1903 avatar Apr 29 '25 11:04 yogeshmahajan-1903

Yes, MASTER_PASSWORD was False. Setting it to True really allows saving the database password, but in this case Pgadmin requires entering the master password at every login, which decreases the sense of SSO. Thank you.

I've forgotten to write that I use the client (browser) / server version of Pgadmin4 9.2, and I appreciate that if someone "hacks" the server to be able to steal saved passwords (especially in Kubernetes), it is so big an issue that the master password is of little help.

Is there a way to overcome this in the server / browser setup?

ratermir avatar Apr 29 '25 12:04 ratermir

@ratermir pgadmin requires MASTER_PASSWORD to encrypt the server password before saving. You may want to use 'MASTER_PASSWORD_HOOK' instead, whose value could be a path to some script (on the same machine where the pgadmin server resides) which can be used to generate/retrieve the MASTER_PASSWORD.

You can find more details here. It could be as simple as -

$ cat ~/.pgadmin_master_password_script.sh
#!/bin/sh
# prints the master password to stdout; pgadmin reads it from there
echo "my_master_password"

yogeshmahajan-1903 avatar Apr 29 '25 17:04 yogeshmahajan-1903
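A fuller version of the hook script idea from the comment above, added here as an example and not code from the pgAdmin project or from either participant: instead of echoing a hard-coded string, it reads the master password from a secret file that only the pgadmin service user can read (for instance a Kubernetes Secret mounted as a file) and refuses to print anything if the file is missing, empty, or readable by other users. The environment variable name PGADMIN_MASTER_PASSWORD_FILE, the default path /run/secrets/pgadmin-master-password, and the installed file name pgadmin_master_password.sh are assumptions for the example, not names from pgAdmin.

```shell
#!/bin/sh
# Added example, not code from the pgAdmin project or from the thread: a
# MASTER_PASSWORD_HOOK script that reads the master password from a secret
# file instead of hard-coding it.
# Assumptions (hypothetical names, not from the page): the file is named by
# PGADMIN_MASTER_PASSWORD_FILE or, failing that, lives at
# /run/secrets/pgadmin-master-password (e.g. a mounted Kubernetes Secret).

# read_master_password [FILE]
# Print the first line of FILE on stdout and return 0.  Print nothing and
# return 1 if the file is missing, empty, or readable by group/others, so
# pgAdmin never gets an empty or exposed key for encrypting saved passwords.
read_master_password() {
    secret_file="${1:-${PGADMIN_MASTER_PASSWORD_FILE:-/run/secrets/pgadmin-master-password}}"

    if [ ! -f "$secret_file" ]; then
        echo "master password file not found: $secret_file" >&2
        return 1
    fi

    # Octal mode such as 600; GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$secret_file" 2>/dev/null || stat -f '%Lp' "$secret_file" 2>/dev/null)
    case "$mode" in
        *00) ;;   # group and other bits clear: only the owner can read it
        *)
            echo "refusing $secret_file: mode '$mode' lets other users read the key" >&2
            return 1
            ;;
    esac

    password=$(head -n 1 "$secret_file" | tr -d '\r\n')
    if [ -z "$password" ]; then
        echo "master password file is empty: $secret_file" >&2
        return 1
    fi

    printf '%s\n' "$password"
}

# When installed under this name and executed by pgAdmin, print the password.
# When the file is sourced from elsewhere (e.g. tests), only define the function.
if [ "${0##*/}" = "pgadmin_master_password.sh" ]; then
    read_master_password "$@"
fi
```

Install it as the value of MASTER_PASSWORD_HOOK with the secret file at mode 600 and owned by the user running pgadmin. Keeping the key in a separately mounted secret keeps it out of config files and container images, but, as noted earlier in the thread, anyone who can run code as the pgadmin server user can still call the hook; the hook changes where the key is stored, not who can reach it.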

Ok, works. Thank you for pointing me to it.

ratermir avatar Apr 30 '25 07:04 ratermir