Enhancing PostgreSQL OIDC with pg_oidc_validator

With PostgreSQL 18 introducing built-in OAuth 2.0 and OpenID Connect (OIDC) authentication, tools like pg_oidc_validator have become an essential part of the ecosystem by enabling server-side verification of OIDC tokens directly inside PostgreSQL. If you’re new to the topic, make sure to read our earlier posts explaining the underlying concepts and the need for external validators:

This release builds on the initial version announced in October and continues our mission to make OIDC adoption in PostgreSQL reliable, fast, and accessible for all users.

What’s New in This Release

This new iteration of pg_oidc_validator (v0.2) introduces two major improvements:

  • initial caching support, and
  • Debian/Ubuntu and RPM packages to simplify installation.

Most importantly, these improvements come directly from community feedback, whether during conversations at PGConf.EU in Riga, KubeCon US in Atlanta, or through GitHub and forums. Thank you for helping us shape this project!

Caching Support in pg_oidc_validator

OIDC token verification requires fetching issuer metadata and JWKS keysets from an external identity provider (IdP). Without caching, every PostgreSQL backend performing validation must re-fetch this data, increasing latency and putting unnecessary load on the IdP.


pg_oidc_validator v0.2 introduces a lightweight caching layer. This allows the validator to:

  • cache OIDC discovery documents and JWKS responses when permitted by the IdP,
  • use cached responses across PostgreSQL backends,
  • reduce outbound HTTP calls,
  • validate tokens at in-memory speeds, and
  • integrate cleanly with IdP key rotation.

This results in improved performance, reduced IdP load, and better scalability for deployments using Keycloak, Okta, Microsoft Entra ID, Ping Identity, or other OIDC providers.

A Note on Testing

The caching layer currently lacks full automated test coverage. This is because Keycloak does not allow caching for issuer or JWKS endpoints (Keycloak issue #15216), preventing us from validating caching behavior.

To address this, we plan to extend the test setup by placing an nginx proxy between PostgreSQL and Keycloak to simulate IdP responses that include cache-friendly headers.
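To make the caching policy from the previous section concrete, and to show the two IdP behaviours the planned nginx proxy is meant to distinguish (cache-friendly headers versus an IdP that forbids caching), here is an added Python sketch. It is not pg_oidc_validator's own code; the JWKS URL, the key ids and key material, the FakeIdP and FakeClock helpers, and the assumption that a non-caching IdP answers with `Cache-Control: no-store` are all constructed for this example.

```python
import re
import time
from dataclasses import dataclass

# Constructed sample data (not real keys or endpoints): placeholder kids,
# placeholder key material and a placeholder JWKS URL.
JWKS_URL = "https://idp.example.test/realms/demo/protocol/openid-connect/certs"
JWKS_V1 = {"keys": [
    {"kid": "key-2025-01", "kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-1"},
]}
JWKS_V2 = {"keys": [  # after rotation: old key still published, new key added
    {"kid": "key-2025-01", "kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-1"},
    {"kid": "key-2025-02", "kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-2"},
]}


class FakeIdP:
    """Stand-in for an IdP's JWKS endpoint: returns (headers, body) and counts
    requests so the effect of the cache policy is observable."""

    def __init__(self, jwks, cache_control):
        self.jwks = jwks
        self.cache_control = cache_control
        self.requests = 0

    def fetch(self, url):
        self.requests += 1
        return {"Cache-Control": self.cache_control}, self.jwks


class FakeClock:
    """Controllable clock so expiry can be exercised without sleeping."""

    def __init__(self, start=0.0):
        self.t = start

    def now(self):
        return self.t


def cache_ttl(headers):
    """Seconds a response may be served from cache, or 0 when the IdP forbids
    caching (no-store / no-cache) or gives no explicit freshness lifetime."""
    directives = [d.strip().lower() for d in headers.get("Cache-Control", "").split(",")]
    if "no-store" in directives or "no-cache" in directives:
        return 0
    for d in directives:
        m = re.fullmatch(r"max-age=(\d+)", d)
        if m:
            return int(m.group(1))
    return 0


@dataclass
class CacheEntry:
    body: dict
    expires_at: float


class JwksCache:
    """Caches JWKS documents only as long as the IdP permits, and refreshes
    early (rate-limited) when a token references a kid the cache has not seen."""

    def __init__(self, fetcher, clock=time.monotonic, min_refresh_interval=10.0):
        self.fetcher = fetcher
        self.clock = clock
        self.min_refresh_interval = min_refresh_interval
        # In a real validator this table would live in memory shared across
        # PostgreSQL backends; a plain dict stands in for it here.
        self.entries = {}
        self.last_fetch = {}

    def get_jwks(self, url, force_refresh=False):
        now = self.clock()
        entry = self.entries.get(url)
        if entry is not None and now < entry.expires_at:
            if not force_refresh:
                return entry.body
            # Rate-limit unknown-kid refreshes so tokens with bogus kids cannot
            # turn the validator into a request amplifier against the IdP.
            if now - self.last_fetch.get(url, -float("inf")) < self.min_refresh_interval:
                return entry.body
        headers, body = self.fetcher(url)
        self.last_fetch[url] = now
        ttl = cache_ttl(headers)
        if ttl > 0:
            self.entries[url] = CacheEntry(body, now + ttl)
        else:
            self.entries.pop(url, None)  # IdP forbids caching: keep nothing
        return body

    def find_key(self, url, kid):
        """Return the JWK for kid, refetching once if it is absent (key rotation)."""
        keys = self.get_jwks(url)["keys"]
        match = next((k for k in keys if k["kid"] == kid), None)
        if match is None:
            keys = self.get_jwks(url, force_refresh=True)["keys"]
            match = next((k for k in keys if k["kid"] == kid), None)
        return match


def run_demo():
    """Walk through cache hits, expiry, key rotation and a no-store IdP."""
    clock = FakeClock(0.0)
    idp = FakeIdP(JWKS_V1, "max-age=300")
    cache = JwksCache(idp.fetch, clock.now)
    out = {}
    cache.find_key(JWKS_URL, "key-2025-01")
    cache.find_key(JWKS_URL, "key-2025-01")
    out["after_two_lookups"] = idp.requests        # second lookup served from cache
    clock.t = 301.0
    cache.find_key(JWKS_URL, "key-2025-01")
    out["after_expiry"] = idp.requests             # max-age elapsed, refetched
    idp.jwks = JWKS_V2                             # IdP rotates its signing key
    clock.t = 320.0
    new_key = cache.find_key(JWKS_URL, "key-2025-02")
    out["after_rotation"] = idp.requests           # unknown kid triggered one refresh
    out["rotated_key_found"] = new_key is not None
    cache.find_key(JWKS_URL, "key-2025-02")
    out["after_rotation_repeat"] = idp.requests    # new key now cached
    nostore = FakeIdP(JWKS_V1, "no-store")         # assumed non-caching IdP behaviour
    cache2 = JwksCache(nostore.fetch, clock.now)
    cache2.find_key(JWKS_URL, "key-2025-01")
    cache2.find_key(JWKS_URL, "key-2025-01")
    out["no_store_two_lookups"] = nostore.requests  # nothing cached, every lookup fetches
    return out


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The two design points worth noting are that the cache never outlives what the IdP's own `Cache-Control` allows, so an IdP that answers with `no-store` is simply fetched every time (which is why a proxy that rewrites those headers is needed to test the cache at all), and that a token carrying an unknown `kid` is treated as a rotation signal that triggers one rate-limited refresh rather than an immediate rejection or an unbounded stream of refetches.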

Pre-Built Packages Now Available

Installing pg_oidc_validator is now easier than ever. Packages are published on the latest release page, with nightly builds available for:

  • Debian / Ubuntu - tested on Ubuntu 24.04
  • RHEL / Oracle Linux / Rocky Linux - tested on OL8 and OL9

If you prefer building from source, instructions are available directly in the project’s README.

Try it, test it, tell us all about it!

As an open source project, pg_oidc_validator grows with your feedback. We want to hear about:

  • your deployment use cases,
  • performance characteristics,
  • integration challenges,
  • and features you’d like to see next.

You can reach us here:

And of course, if you see Percona at an event, come talk to us at the booth!

Jan Wieremjewicz

Jan is a Senior Product Manager at Percona, leading the products for PostgreSQL. He has vast experience in the development, deployment and maintenance of enterprise systems.

Professionally, he is passionate about simple solutions that solve complicated problems and user experience that maximizes the product potential.

Privately he is a foodie by day, a tech geek into graphic novels, video and board games by night and parent/spouse in between.

Having spent already almost three years in Percona, most of us learned that he has enough energy and topics to fill in any space and time.

