Authentication
XTDB provides authentication to control database access and secure connections. Authentication rules determine which users can connect and what credentials they must provide.
Authentication Providers
Section titled “Authentication Providers”XTDB supports two authentication providers:
- User Table (
!UserTable
): Uses an internal user table with password-based authentication - OpenID Connect (
!OpenIdConnect
): Integrates with external identity providers like Keycloak, Auth0, AWS Cognito or Azure Entra.
User Table
Section titled “User Table”The ! UserTable
authentication method uses an internal user table with password-based authentication.
Configuration
Section titled “Configuration”authn: !UserTable rules: # admin always requires a password - user: admin method: PASSWORD # We trust local connections - remoteAddress: 127.0.0.1 method: TRUST # Everything else requires a password - method: PASSWORD
User Management
Section titled “User Management”- Default User
- The
pg_user
table contains a default user “xtdb” with password “xtdb”. - Creating Users
CREATE USER alan WITH PASSWORD 'TURING'
- Modifying Users
ALTER USER ada WITH PASSWORD 'LOVELACE'
- Password Validation
- When
PASSWORD
method is specified, credentials are validated against thepg_user
table entries.
OpenID Connect (OIDC)
Section titled “OpenID Connect (OIDC)”The ! OpenIdConnect
authentication method integrates with external identity providers like Keycloak, Auth0, AWS Cognito or Azure Entra.
Basic Configuration
Section titled “Basic Configuration”authn: !OpenIdConnect issuerUrl: https://your-keycloak.example.com/realms/master clientId: xtdb-client clientSecret: !Env OIDC_CLIENT_SECRET rules: - user: oidc-client method: CLIENT_CREDENTIALS - method: PASSWORD
For complete OIDC configuration, setup guides, and troubleshooting, see OpenID Connect Authentication.
Rule Configuration
Section titled “Rule Configuration”XTDB controls database access through authentication rules that match users and IP addresses to determine the required authentication method.
Authentication Rules
Section titled “Authentication Rules”Authentication rules are evaluated in order until the first match. If no rules match, the connection is rejected.
- Rule Parameters
-
-
user
(optional): Match specific usernameremoteAddress
(optional): Match IP address or CIDR block (IPv4 or IPv6)method
(required): Authentication method to use
-
- Available Methods
-
-
TRUST
: No authentication requiredPASSWORD
: Require username/password validationCLIENT_CREDENTIALS
: OAuth client credentials flow (OIDC only)DEVICE_AUTH
: OAuth device authorization flow (OIDC only)
-
- Example Rule
- user: admin remoteAddress: 127.0.0.1 method: PASSWORD
This rule requires the admin
user to provide a password when connecting from localhost
.