Oidc auth: Improve error messages#34891

Draft
SangJunBak wants to merge 8 commits intoMaterializeInc:mainfrom
SangJunBak:jun/improve-error-messages
Conversation

@SangJunBak (Contributor)

Motivation

Tips for reviewer

Checklist

  • This PR has adequate test coverage / QA involvement has been duly considered. (trigger-ci for additional test/nightly runs)
  • This PR has an associated up-to-date design doc, is a design doc (template), or is sufficiently small to not require a design.
  • If this PR evolves an existing $T ⇔ Proto$T mapping (possibly in a backwards-incompatible way), then it is tagged with a T-proto label.
  • If this PR will require changes to cloud orchestration or tests, there is a companion cloud PR to account for those changes that is tagged with the release-blocker label (example).
  • If this PR includes major user-facing behavior changes, I have pinged the relevant PM to schedule a changelog post.

@SangJunBak SangJunBak force-pushed the jun/improve-error-messages branch from 30aae41 to 6ccc11c (February 9, 2026 18:33)
- Add external_metadata_rx() method to OidcAuthSessionHandle trait with default None impl
This allows us to create helper functions for anything implementing OidcAuthenticator.

- Update Authenticator::Oidc to use named fields: {oidc, password}
- Add authenticate_with_oidc_token for token-based auth (Frontegg/OIDC JWT)
- Add authenticate_with_password for password-based auth
- Enables tests to pass connection-level options like --oidc_auth_enabled
- Verifies that when oidc_auth_enabled is not set in the connection options, the OIDC authenticator falls back to password authentication.
Call stacks above the critical recursion can grow as we add code elsewhere in the system
- Remove OIDC CLI args
- Initialize oidc authenticator with adapter client to get access to system variables
- Refactor tests to use system parameter default
- Tests the runtime nature of OIDC configuration
Before, we'd assume `issuer` ends with '/', but this is actually incorrect given that JWTs return an audience with no trailing '/', and validate_aud would fail later.
The idea is to propagate these errors back up to the user so that they can debug more easily. Currently we only surface the "Invalid password" error for pgwire clients.
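The two commit messages above describe a trailing-slash mismatch that makes audience validation fail and the goal of surfacing a specific error instead of a generic "Invalid password". The following is an added illustration, not code from this PR or from Materialize: it shows a byte-for-byte audience check failing when the configured value carries a trailing '/', a normalized comparison that tolerates the slash on either side, and an error type detailed enough to report back to the client. The `Claims` struct, the `OidcError` enum, the function names and the `idp.example.com` values are all constructed for this example; normalizing the audience the same way as the issuer is an assumption made here for deployments where the audience is issuer-derived.

```rust
use std::fmt;

/// Specific validation errors that can be returned to the client instead of
/// a generic "Invalid password" (hypothetical type, not Materialize's).
#[derive(Debug, PartialEq)]
pub enum OidcError {
    IssuerMismatch { expected: String, got: String },
    AudienceMismatch { expected: String, got: Vec<String> },
}

impl fmt::Display for OidcError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            OidcError::IssuerMismatch { expected, got } => {
                write!(f, "OIDC issuer mismatch: expected {expected}, token has {got}")
            }
            OidcError::AudienceMismatch { expected, got } => {
                write!(f, "OIDC audience mismatch: expected {expected}, token has {got:?}")
            }
        }
    }
}

/// The subset of decoded JWT claims used here (constructed stand-in for a
/// real decoded token payload).
#[derive(Debug, Clone)]
pub struct Claims {
    pub iss: String,
    pub aud: Vec<String>,
}

/// Strip any trailing '/' so that a configured value such as
/// "https://idp.example.com/" compares equal to the claim "https://idp.example.com".
pub fn strip_trailing_slash(value: &str) -> String {
    value.trim_end_matches('/').to_string()
}

/// Naive audience check: compares the configured value byte-for-byte, so a
/// trailing slash on the configured side makes validation fail.
pub fn validate_aud_naive(expected_aud: &str, claims: &Claims) -> Result<(), OidcError> {
    if claims.aud.iter().any(|a| a == expected_aud) {
        Ok(())
    } else {
        Err(OidcError::AudienceMismatch {
            expected: expected_aud.to_string(),
            got: claims.aud.clone(),
        })
    }
}

/// Validate issuer and audience with both sides normalized, returning a
/// specific error the caller can surface to the connecting client.
pub fn validate_claims(
    configured_issuer: &str,
    expected_aud: &str,
    claims: &Claims,
) -> Result<(), OidcError> {
    let expected_iss = strip_trailing_slash(configured_issuer);
    let got_iss = strip_trailing_slash(&claims.iss);
    if expected_iss != got_iss {
        return Err(OidcError::IssuerMismatch { expected: expected_iss, got: got_iss });
    }
    // Assumption for this example: the audience is normalized like the issuer.
    let expected_aud = strip_trailing_slash(expected_aud);
    if !claims.aud.iter().any(|a| strip_trailing_slash(a) == expected_aud) {
        return Err(OidcError::AudienceMismatch { expected: expected_aud, got: claims.aud.clone() });
    }
    Ok(())
}

fn main() {
    // Constructed token claims: no trailing slash, as an IdP would issue them.
    let claims = Claims {
        iss: "https://idp.example.com".to_string(),
        aud: vec!["https://idp.example.com".to_string()],
    };
    // Configured with a trailing slash: the naive check fails, the normalized one passes.
    println!("naive: {:?}", validate_aud_naive("https://idp.example.com/", &claims));
    println!(
        "normalized: {:?}",
        validate_claims("https://idp.example.com/", "https://idp.example.com/", &claims)
    );
    // A genuine mismatch now produces a message that says what was compared.
    let other = Claims { iss: "https://other.example.com".to_string(), aud: claims.aud.clone() };
    if let Err(e) = validate_claims("https://idp.example.com/", "https://idp.example.com", &other) {
        println!("error: {e}");
    }
}
```

The point of carrying `expected` and `got` in the error is that the client sees which side had the slash or the wrong host, which is exactly the debugging aid the "Invalid password" message denies them.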
@SangJunBak SangJunBak force-pushed the jun/improve-error-messages branch from 6ccc11c to 0cda15c (February 9, 2026 20:16)