OpenID Connect Authentication in pgcli for Secure PostgreSQL Access
A terminal window opens. The cursor blinks, waiting for a command. You type pgcli and hit enter — but instead of an open door, you get a lock. You need OpenID Connect (OIDC) to get in.
OpenID Connect (OIDC) with pgcli is the bridge between modern authentication and the CLI muscle of seasoned database workflows. It brings secure, standards-based identity into the PostgreSQL command-line world. That means federated logins, short-lived credentials, and zero password storage. No more static secrets sitting in local files or .pgpass.
OIDC works by layering identity tokens on top of OAuth 2.0. For pgcli, those tokens can be exchanged for temporary database credentials through an OIDC-compliant provider. This keeps Postgres access tight, rotating, and auditable. Instead of handing out permanent keys, you integrate with identity systems like Okta, Auth0, Azure AD, or a self-hosted identity server.
Once configured, the flow is simple:
- You authenticate via your OIDC provider — browser, CLI, or device flow.
- The provider issues an ID token and access token.
- A broker service exchanges that token for a short-lived Postgres username and password (or a certificate).
- pgcli connects with those credentials before they expire.
This architecture reduces attack surface. Credentials age out automatically. Access is tied to real-time identity status. If an account is revoked, its tokens stop working instantly. Security shifts from manual key management to integrated policy enforcement.
To set up OIDC with pgcli:
- Choose an OIDC provider that can issue database access tokens.
- Deploy a token-to-Postgres credential broker, or use a managed one.
- Configure pgcli to call the broker and retrieve fresh credentials at runtime.
- Test the login flow to confirm automatic expiration and reauth.
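The token-exchange flow above and the four setup steps both hinge on the same piece: a broker that checks an ID token's claims and mints a short-lived Postgres credential that pgcli picks up at launch. The following is an added example of that broker logic and the client-side expiry check, written for this page; it is not code from pgcli, hoop.dev, or any OIDC provider. The issuer URL, audience, group-to-role mapping, TTL and the `user-42` subject are constructed values, and JWT signature verification is assumed to have been done already by the OIDC client library against the issuer's JWKS.

```python
import os
import re
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Assumed values for this example; a real deployment takes them from configuration.
TRUSTED_ISSUER = "https://idp.example.com"
EXPECTED_AUDIENCE = "postgres-broker"
CRED_TTL_SECONDS = 900          # database credentials live 15 minutes
CLOCK_SKEW_SECONDS = 60         # tolerate small clock drift between IdP and broker
GROUP_TO_ROLE = {               # constructed mapping from IdP group to Postgres role
    "db-admins": "admin_role",
    "db-readers": "readonly_role",
}


@dataclass(frozen=True)
class DbCredential:
    username: str
    password: str
    role: str
    expires_at: float


def verify_id_token_claims(claims: dict, now: Optional[float] = None) -> dict:
    """Claim checks a broker must make before trusting an ID token.

    The JWT signature is assumed to be verified already (JWKS) by the OIDC
    library; issuer, audience and time-window checks are often left to the
    caller and are the ones that get forgotten.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != TRUSTED_ISSUER:
        raise ValueError("untrusted issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in audiences:
        raise ValueError("token not issued for this broker")
    if now >= float(claims.get("exp", 0)) + CLOCK_SKEW_SECONDS:
        raise ValueError("token expired")
    if now < float(claims.get("nbf", 0)) - CLOCK_SKEW_SECONDS:
        raise ValueError("token not yet valid")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return claims


def broker_exchange(claims: dict, now: Optional[float] = None) -> DbCredential:
    """Exchange verified ID-token claims for a short-lived Postgres credential.

    The username derives from the stable `sub` claim, never from a
    user-editable display name; the password is random and never persisted.
    """
    now = time.time() if now is None else now
    verify_id_token_claims(claims, now)
    groups = set(claims.get("groups", []))
    # First match in the broker's own mapping order decides the role.
    role = next((r for g, r in GROUP_TO_ROLE.items() if g in groups), None)
    if role is None:
        raise PermissionError("subject has no database role")
    # Keep the Postgres identifier short and safe: letters, digits, underscore.
    subject = re.sub(r"[^a-z0-9_]", "_", claims["sub"].lower())[:40]
    password = secrets.token_urlsafe(32)
    # A real broker would run CREATE/ALTER ROLE ... PASSWORD ... VALID UNTIL here.
    return DbCredential(f"oidc_{subject}", password, role, now + CRED_TTL_SECONDS)


def needs_reauth(cred: Optional[DbCredential], now: Optional[float] = None) -> bool:
    """True when pgcli should go back through the OIDC flow before connecting."""
    now = time.time() if now is None else now
    return cred is None or now + CLOCK_SKEW_SECONDS >= cred.expires_at


def pgcli_invocation(cred: DbCredential, host: str, dbname: str):
    """Build argv and environment so pgcli receives the short-lived password via
    PGPASSWORD and nothing is written to .pgpass (PGPASSFILE is dropped)."""
    env = {k: v for k, v in os.environ.items() if k != "PGPASSFILE"}
    env["PGPASSWORD"] = cred.password
    argv = ["pgcli", "-h", host, "-U", cred.username, "-d", dbname]
    return argv, env


if __name__ == "__main__":
    # Constructed claims standing in for a freshly issued ID token.
    t = time.time()
    demo = {"iss": TRUSTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "user-42",
            "exp": t + 300, "nbf": t - 10, "groups": ["db-readers"]}
    cred = broker_exchange(demo, t)
    argv, _ = pgcli_invocation(cred, "db.example.internal", "app")
    print(" ".join(argv), "expires in", int(cred.expires_at - t), "s")
```

The wrapper never touches pgclirc or .pgpass: the password exists only in the child process environment and in the broker's role definition, and `needs_reauth` forces a fresh OIDC login slightly before expiry so a session does not die mid-query when the clock drifts.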
With OIDC, the auth layer is no longer separate from the CLI. It’s one system. It responds to role changes, MFA, conditional access, and audit needs without touching database internals. This is the future: flexible, identity-aware tools linking dev, ops, and security.
See this in action now. Try OIDC-authenticated Postgres via pgcli running on hoop.dev — live in minutes, no static creds, no waiting.