percona · jankowsk · May 30, 2026 · Mar 27, 2026 · Jun 5, 2026
diff --git a/.gitmodules b/.gitmodules
@@ -7,3 +7,6 @@
 [submodule "extra/libkmip"]
 	path = extra/libkmip
 	url = https://github.com/Percona-Lab/libkmip.git
+[submodule "extra/jwt-cpp"]
+	path = extra/jwt-cpp
+	url = https://github.com/Thalhammer/jwt-cpp
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -156,6 +156,8 @@ ENDIF()
 # PAM build Handling
 OPTION(WITH_PAM "Build with Percona PAM plugin" OFF)
 
+OPTION(WITH_AUTH_OPENID_CONNECT "Build with Percona OpenID Connect authentication plugin" ON)
+
 # We choose to provide WITH_DEBUG as alias to standard CMAKE_BUILD_TYPE=Debug
 # which turns out to be not trivial, as this involves synchronization 
 # between CMAKE_BUILD_TYPE and WITH_DEBUG. Besides, we have to deal with cases

diff --git a/client/mysql.cc b/client/mysql.cc
@@ -248,6 +248,7 @@ static const CHARSET_INFO *charset_info = &my_charset_latin1;
 
 static char *opt_oci_config_file = nullptr;
 static char *opt_authentication_oci_client_config_profile = nullptr;
+static char *opt_authentication_openid_connect_client_id_token_file = nullptr;
 static char *opt_register_factor = nullptr;
 
 static bool opt_tel_plugin = false;
@@ -2072,6 +2073,11 @@ static struct my_option my_long_options[] = {
      "is ~/.oci/config and %HOME/.oci/config on Windows.",
      &opt_oci_config_file, &opt_oci_config_file, nullptr, GET_STR, REQUIRED_ARG,
      0, 0, 0, nullptr, 0, nullptr},
+    {"authentication-openid-connect-client-id-token-file", 0,
+     "Specifies the location of the ID token file.",
+     &opt_authentication_openid_connect_client_id_token_file,
+     &opt_authentication_openid_connect_client_id_token_file, nullptr, GET_STR,
+     REQUIRED_ARG, 0, 0, 0, nullptr, 0, nullptr},
     {"telemetry-client", 0, "Load the telemetry_client plugin.",
      &opt_tel_plugin, &opt_tel_plugin, nullptr, GET_BOOL, NO_ARG, 0, 0, 0,
      nullptr, 0, nullptr},
@@ -5182,6 +5188,29 @@ static bool init_connection_options(MYSQL *mysql) {
     }
   }
 
+  /* set authentication_openid_connect_client ID token file option if required
+   */
+  if (opt_authentication_openid_connect_client_id_token_file != nullptr) {
+    struct st_mysql_client_plugin *openid_connect_plugin =
+        mysql_client_find_plugin(mysql, "authentication_openid_connect_client",
+                                 MYSQL_CLIENT_AUTHENTICATION_PLUGIN);
+    if (!openid_connect_plugin) {
+      put_info("Cannot load the authentication_openid_connect_client plugin.",
+               INFO_ERROR);
+      return true;
+    }
+    if (mysql_plugin_options(
+            openid_connect_plugin, "id-token-file",
+            opt_authentication_openid_connect_client_id_token_file)) {
+      put_info(
+          "Failed to set id token file for "
+          "authentication_openid_connect_client "
+          "plugin.",
+          INFO_ERROR);
+      return true;
+    }
+  }
+
   char error[256]{0};
 #if defined(_WIN32)
   if (set_authentication_kerberos_client_mode(mysql, error, 255)) {

diff --git a/extra/jwt-cpp b/extra/jwt-cpp
diff --git a/sql-common/oci/ssl.h → include/base64_encode.h b/sql-common/oci/ssl.h → include/base64_encode.h
diff --git a/sql-common/oci/ssl_ptr.h → include/encode_ptr.h b/sql-common/oci/ssl_ptr.h → include/encode_ptr.h
diff --git a/include/mysql.h.pp b/include/mysql.h.pp
@@ -311,6 +311,7 @@
     MYSQL_VIO_MEMORY
   } protocol;
   int socket;
+  bool is_tls_established;
 };
 enum net_async_status {
   NET_ASYNC_COMPLETE = 0,

diff --git a/include/mysql/client_plugin.h.pp b/include/mysql/client_plugin.h.pp
@@ -12,6 +12,7 @@
     MYSQL_VIO_MEMORY
   } protocol;
   int socket;
+  bool is_tls_established;
 };
 enum net_async_status {
   NET_ASYNC_COMPLETE = 0,

diff --git a/include/mysql/plugin_auth.h.pp b/include/mysql/plugin_auth.h.pp
@@ -150,6 +150,7 @@
     MYSQL_VIO_MEMORY
   } protocol;
   int socket;
+  bool is_tls_established;
 };
 enum net_async_status {
   NET_ASYNC_COMPLETE = 0,

diff --git a/include/mysql/plugin_auth_common.h b/include/mysql/plugin_auth_common.h
@@ -38,6 +38,10 @@
 /** the max allowed length for a user name */
 #define MYSQL_USERNAME_LENGTH 96
 
+#ifndef MYSQL_ABI_CHECK
+#include <stdbool.h>
+#endif
+
 /**
   return values of the plugin authenticate_user() method.
 */
@@ -127,6 +131,7 @@ struct MYSQL_PLUGIN_VIO_INFO {
     MYSQL_VIO_MEMORY
   } protocol;
   int socket; /**< it's set, if the protocol is SOCKET or TCP */
+  bool is_tls_established;
 #if defined(_WIN32) && !defined(MYSQL_ABI_CHECK)
   HANDLE handle; /**< it's set, if the protocol is PIPE or MEMORY */
 #endif

diff --git a/libmysql/CMakeLists.txt b/libmysql/CMakeLists.txt
@@ -304,6 +304,9 @@ ADD_SUBDIRECTORY(authentication_kerberos)
 # authentication IAM client plug-in
 ADD_SUBDIRECTORY(authentication_oci_client)
 
+# authentication OpenID Connect client plug-in
+ADD_SUBDIRECTORY(authentication_openid_connect_client)
+
 # Fido and Webauthn clients
 ADD_SUBDIRECTORY(fido_client)
 

diff --git a/libmysql/authentication_oci_client/authentication_oci_client_plugin.cc b/libmysql/authentication_oci_client/authentication_oci_client_plugin.cc
@@ -41,8 +41,8 @@
 #include <iostream>
 #include <ostream>
 
+#include "include/base64_encode.h"
 #include "sql-common/oci/signing_key.h"
-#include "sql-common/oci/ssl.h"
 #include "sql-common/oci/utilities.h"
 
 static char *s_oci_config_location = nullptr;

diff --git a/libmysql/authentication_openid_connect_client/CMakeLists.txt b/libmysql/authentication_openid_connect_client/CMakeLists.txt
@@ -0,0 +1,64 @@
+# Copyright (c) 2024, Oracle and/or its affiliates.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License, version 2.0,
+# as published by the Free Software Foundation.
+#
+# This program is designed to work with certain software (including
+# but not limited to OpenSSL) that is licensed under separate terms,
+# as designated in a particular file or component or in included license
+# documentation.  The authors of MySQL hereby grant you an additional
+# permission to link the program and your derivative works with the
+# separately licensed software that they have either included with
+# the program or referenced in the documentation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License, version 2.0, for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
+
+#
+# Configuration for building OpenID Connect authentication client Plug-in (client-side)
+#
+
+# The client authentication plug-in is part of the community build.
+
+# Skip it if disabled.
+IF(NOT WITH_AUTHENTICATION_CLIENT_PLUGINS)
+  MESSAGE(STATUS "Skipping the OpenID Connect authentication client plugin.")
+  RETURN()
+ENDIF()
+
+DISABLE_MISSING_PROFILE_WARNING()
+
+MYSQL_ADD_PLUGIN(
+  authentication_openid_connect_client
+
+  # Authentication plugin main
+  authentication_openid_connect_client_plugin.cc
+
+  LINK_LIBRARIES mysys OpenSSL::SSL OpenSSL::Crypto
+
+  CLIENT_ONLY
+  MODULE_ONLY MODULE_OUTPUT_NAME "authentication_openid_connect_client"
+)
+
+IF(LINUX OR SOLARIS)
+  SET(PLUGIN_VERSION_FILE
+    ${CMAKE_CURRENT_SOURCE_DIR}/authentication_openid_connect_client.ver)
+  IF(SOLARIS)
+    TARGET_LINK_OPTIONS(authentication_openid_connect_client PRIVATE
+      LINKER:-z,gnu-version-script-compat)
+  ENDIF()
+  # hide all symbols in mysys, to avoid ODR violations.
+  # There is *one* visible symbol: _mysql_client_plugin_declaration_
+  TARGET_LINK_OPTIONS(authentication_openid_connect_client PRIVATE
+    LINKER:--version-script=${PLUGIN_VERSION_FILE}
+    )
+  SET_TARGET_PROPERTIES(authentication_openid_connect_client
+    PROPERTIES LINK_DEPENDS ${PLUGIN_VERSION_FILE})
+ENDIF()
diff --git a/libmysql/authentication_openid_connect_client/authentication_openid_connect_client.ver b/libmysql/authentication_openid_connect_client/authentication_openid_connect_client.ver
@@ -0,0 +1,28 @@
+# Copyright (c) 2024, Oracle and/or its affiliates.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License, version 2.0,
+# as published by the Free Software Foundation.
+#
+# This program is designed to work with certain software (including
+# but not limited to OpenSSL) that is licensed under separate terms,
+# as designated in a particular file or component or in included license
+# documentation.  The authors of MySQL hereby grant you an additional
+# permission to link the program and your derivative works with the
+# separately licensed software that they have either included with
+# the program or referenced in the documentation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License, version 2.0, for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
+
+authentication_openid_connect_client
+{
+  global: _mysql_client_plugin_declaration_;
+  local: *;
+};