Authentication

LakebaseClient supports standard username/password auth as well as several browser-based and federated flows for LakeBase clusters that require them.

Supported flows

Flow	Parameters
Username / password	`user`, `password`
OIDC Device Flow (Okta / Auth0)	`browser_auth=true`, `oidc_client_id`, `oidc_issuer_url`, `oidc_iam_role`
Azure AD OAuth2	`browser_auth=true`, `azure_oauth_tenant_id`, `azure_oauth_client_id`, `azure_oauth_client_secret`
Azure Entra ID SAML	`browser_auth=true`, `azure_tenant_id`, `azure_entity_id`
Built-in login form	`browser_auth=true` (default when no IdP params are set)
External redirect	`browser_auth=true`, `auth_redirect_url`

Examples

OIDC Device Flow

client = LakebaseClient().connect(
    host="<cluster-host>",
    port=5432,
    dbname="mydb",
    browser_auth="true",
    oidc_client_id="0oaXXXXX",
    oidc_issuer_url="https://myorg.okta.com",
    oidc_iam_role="arn:aws:iam::123456789012:role/LakeBaseRole",
)

Azure AD OAuth2

client = LakebaseClient().connect(
    host="<cluster-host>",
    port=5432,
    dbname="mydb",
    browser_auth="true",
    azure_oauth_tenant_id="your-tenant-id",
    azure_oauth_client_id="your-client-id",
    azure_oauth_client_secret="your-client-secret",
)

DSN string form

You can also pass a single PostgreSQL connection string in place of keyword arguments:

client = LakebaseClient().connect(
    "postgresql://<cluster-host>:5432/mydb"
    "?browser_auth=true"
    "&oidc_client_id=0oaXXXX"
    "&oidc_issuer_url=https://myorg.okta.com"
    "&oidc_iam_role=arn:aws:iam::123456789012:role/LakeBaseRole"
)

Supported flows​

Examples​

OIDC Device Flow​

Azure AD OAuth2​

DSN string form​

Supported flows

Examples

OIDC Device Flow

Azure AD OAuth2

DSN string form