Description
Add support for validating pre-obtained JWT access tokens from external OAuth flows, in addition to the current OAuth 2.0 Device Authorization Grant flow.
Use Case
We have a JupyterHub environment where users authenticate via Keycloak (which federates to ORCID as an identity provider). JupyterHub obtains valid JWT access tokens through the standard authorization code flow and makes these tokens available to user notebooks.
We want to use PostgreSQL's OAuth authentication to:
- Validate these pre-obtained JWT tokens
- Map authenticated identities to PostgreSQL users
- Apply row-level security policies based on the token claims
Current Limitation
The pg_oidc_validator extension currently only supports the OAuth 2.0 Device Authorization Grant flow via libpq. This is incompatible with workflows where valid JWT tokens are already obtained through other OAuth flows (authorization code, implicit, etc.).
Proposed Solution
New connection parameter
Add a connection parameter or configuration option to enable "token validation mode", or:
Automatic detection
If the password parameter contains a JWT (starts with eyJ), automatically validate it instead of initiating the device flow.
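As an added example (not part of this issue or of the pg_oidc_validator extension), a stand-alone Python sketch of what the automatic-detection path has to do: a structural check stronger than the bare eyJ prefix (which only says the first segment decodes to text beginning with `{"`), followed by signature, issuer, audience and validity-window checks before any identity mapping happens. HS256 with a constructed shared secret, and constructed issuer/audience values, stand in for the RS256/JWKS verification a real validator would perform against the Keycloak realm's published keys.

```python
import base64, hashlib, hmac, json, time
# Constructed demo values: the issuer/audience stand in for a Keycloak realm and client.
KEY = b"constructed-demo-secret"
ISSUER = "https://keycloak.example/realms/demo"
AUDIENCE = "postgres"

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def looks_like_jwt(password: str) -> bool:
    # Three base64url segments whose header is a JSON object with "alg"; "eyJ" alone only proves '{"'.
    parts = password.split(".")
    if len(parts) != 3 or not all(parts):
        return False
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return False
    return isinstance(header, dict) and "alg" in header

def validate_jwt(token: str, key: bytes = KEY, issuer: str = ISSUER, audience: str = AUDIENCE, now=None) -> dict:
    # HS256 with a shared secret stands in for the RS256/JWKS check a real validator
    # performs against the issuer's published keys. Returns the verified claims.
    now = time.time() if now is None else now
    if not looks_like_jwt(token):
        raise ValueError("not a JWT")
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":  # pin the algorithm; never accept "none"
        raise ValueError("unexpected alg")
    mac = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0) or now < claims.get("nbf", 0):  # exp is required
        raise ValueError("outside validity window")
    return claims

def make_token(claims: dict, key: bytes = KEY) -> str:
    # Constructed token minter for the demo only; real tokens come from Keycloak.
    h = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    p = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"
```

The returned claims (for example `sub`) are what a mapping to a PostgreSQL role or a row-level security policy would consume; a token that fails any check must fall through to rejection rather than to the device flow with the password as a secret.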