Skip to content

Oidc auth: Improve error messages#34891

Draft
SangJunBak wants to merge 8 commits intoMaterializeInc:mainfrom
SangJunBak:jun/improve-error-messages
Draft

Oidc auth: Improve error messages#34891
SangJunBak wants to merge 8 commits intoMaterializeInc:mainfrom
SangJunBak:jun/improve-error-messages

Conversation

@SangJunBak
Copy link
Contributor

@SangJunBak SangJunBak commented Feb 3, 2026

Motivation

Tips for reviewer

Checklist

  • This PR has adequate test coverage / QA involvement has been duly considered. (trigger-ci for additional test/nightly runs)
  • This PR has an associated up-to-date design doc, is a design doc (template), or is sufficiently small to not require a design.
  • If this PR evolves an existing $T ⇔ Proto$T mapping (possibly in a backwards-incompatible way), then it is tagged with a T-proto label.
  • If this PR will require changes to cloud orchestration or tests, there is a companion cloud PR to account for those changes that is tagged with the release-blocker label (example).
  • If this PR includes major user-facing behavior changes, I have pinged the relevant PM to schedule a changelog post.

@SangJunBak SangJunBak force-pushed the jun/improve-error-messages branch from 30aae41 to 6ccc11c Compare February 9, 2026 18:33
@SangJunBak
adapter: Extend OIDC traits and enum for password fallback
bd6b0b2 
- Add external_metadata_rx() method to OidcAuthSessionHandle trait with default None impl
This allows us to create a helper functions for anything implementing OidcAuthenticator.

- Update Authenticator::Oidc to use named fields: {oidc, password}
@SangJunBak
Add password fallback for OIDC pgwire
80fee77 
- Add authenticate_with_oidc_token for token-based auth (Frontegg/OIDC JWT)
- Add authenticate_with_password for password-based auth
@SangJunBak
Add test_auth_oidc_password_fallback test
de28fd8 
- Enables tests to pass connection-level options like --oidc_auth_enabled
- Verifies that when oidc_auth_enabled is not set in the connection options, the OIDC authenticator falls back to password authentication.
@SangJunBak
Decrease unions in recursion limit test
31359cd 
Call stacks above the critical recursion can grow as we add code elsewhere in the system
@SangJunBak
Update OIDC tests to use system parameter defaults as config
efc5a34 
- Remove OIDC CLI args
- Initialize oidc authenticator with adapter client to get access to system variables
- Refactor tests to use system parameter default
@SangJunBak
Add an OIDC test where OIDC config can change
c06caf6 
- Tests the runtime nature of OIDC configuration
@SangJunBak
adapter: Remove trailing '/' expectation of issuer
8f7d6ab 
Before we'd assume `issuer` ends with '/', but this is actually incorrect given JWTs return an audience with no trailing '/' and validate_aud would fail later.
@SangJunBak
adapter: Improve error messages in OIDC authenticator
0cda15c 
The idea is propagate these errors back up to the user such that they can debug more easily. Currently we only surface the "Invalid password" error for pgwire clients.
@SangJunBak SangJunBak force-pushed the jun/improve-error-messages branch from 6ccc11c to 0cda15c Compare February 9, 2026 20:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ggevay ggevay Awaiting requested review from ggevay ggevay will be requested when the pull request is marked ready for review ggevay is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@SangJunBak