Azure PostgreSQL Passwordless Authentication with Java

Two complete implementations for connecting to Azure PostgreSQL with Azure AD Passwordless authentication.

🎯 Choose Your Approach

🔌 Azure Plugin Approach Recommended for most use cases compile 'com.azure:azure-identity-extensions:1.1.14' ✅ Automatic token management ✅ Built-in retry logic ✅ Minimal code required ✅ Production optimized Location: azure-plugin-approach/

🔧 Manual Token Approach For custom scenarios and learning compile 'com.azure:azure-identity:1.12.0' ✅ Full control over authentication ✅ Custom credential configuration ✅ Detailed visibility ✅ Flexible error handling Location: manual-token-approach/

🚀 Quick Start

Test Individual Approaches

# Test Azure Plugin approach (recommended)
cd azure-plugin-approach && gradle run --quiet

# Test Manual Token approach
cd manual-token-approach && gradle run --quiet

Interactive Test Suite

# Linux/WSL/macOS
./test-auth.sh

# Windows
test-auth.bat

🧪 Interactive Test Suite Features

The test scripts provide a comprehensive testing experience:

Menu Options:

1. Test Azure Plugin Approach (Recommended)
2. Test Manual Token Approach
3. Test Both Approaches ← Compare side-by-side!
4. Run Prerequisites Check Only
5. Exit

Features:

• ✅ Prerequisites validation (Java, Gradle, Azure CLI)
• ✅ Azure authentication check with auto-login prompt
• ✅ Side-by-side comparison when testing both approaches
• ✅ Detailed identity methods detection
• ✅ Connection summaries with client IP and destination info
• ✅ Interactive menu navigation

📁 Project Structure

pg-test/
├── azure-plugin-approach/          # Plugin-based implementation
│   ├── src/main/java/com/example/PostgresTest.java
│   ├── build.gradle                # + azure-identity-extensions
│   └── settings.gradle
├── manual-token-approach/          # Manual token implementation
│   ├── src/main/java/com/example/PostgresTest.java
│   ├── build.gradle                # Standard azure-identity
│   └── settings.gradle
├── test-auth.sh                    # Interactive test (Linux/WSL/macOS)
├── test-auth.bat                   # Interactive test (Windows)
└── README.md                       # This file

📊 Detailed Comparison

Feature	Azure Plugin	Manual Token
Complexity	Simple	More Complex
Token Management	Automatic	Manual
Control Level	Standard	Full
Dependencies	azure-identity-extensions	azure-identity
Code Lines	~30 lines	~60 lines
Token Refresh	Automatic	Manual handling
Error Handling	Built-in retry	Custom implementation
Debugging	Limited visibility	Full visibility
Best For	Production apps	Custom scenarios

🔑 Authentication Methods Supported

Both approaches support all Azure environments automatically:

• 🖥️ Local Development: Azure CLI (az login)
• ☁️ Azure VM/App Service: Managed Identity
• 🚢 Azure Kubernetes (AKS): Workload Identity
• 🔄 CI/CD Pipelines: Service Principal

🔧 Implementation Details

Azure Plugin Approach

Key Dependency:

dependencies {
    compile 'org.postgresql:postgresql:42.7.3'
    compile 'com.azure:azure-identity-extensions:1.1.14'  // ← THE KEY DEPENDENCY
    compile 'com.azure:azure-identity:1.11.4'
}

How it works:

// Plugin handles everything automatically
String jdbcUrl = "jdbc:postgresql://server:5432/db?sslmode=require" +
    "&authenticationPluginClassName=com.azure.identity.extensions.jdbc.postgresql.AzurePostgresqlAuthenticationPlugin";

Properties props = new Properties();
props.setProperty("user", "user@tenant.onmicrosoft.com");
// No password needed - plugin handles tokens automatically

Connection conn = DriverManager.getConnection(jdbcUrl, props);

Benefits:

• ✅ No manual token management required
• ✅ Automatic token refresh handled by plugin
• ✅ Built-in retry and error handling
• ✅ Simpler code compared to manual approach

Manual Token Approach

Dependencies:

dependencies {
    compile 'org.postgresql:postgresql:42.7.3'
    compile 'com.azure:azure-identity:1.12.0'
}

How it works:

// Manual token acquisition and management
TokenCredential credential = new DefaultAzureCredentialBuilder().build();

TokenRequestContext context = new TokenRequestContext()
    .addScopes("https://ossrdbms-aad.database.windows.net/.default");
AccessToken token = credential.getToken(context);

String jdbcUrl = "jdbc:postgresql://server:5432/db?sslmode=require";
Connection conn = DriverManager.getConnection(jdbcUrl, username, token.getToken());

Benefits:

• ✅ Full control over token acquisition and lifecycle
• ✅ Custom credential configuration possible
• ✅ Direct access to token metadata and expiration
• ✅ Custom error handling and retry logic

🌍 Environment Configuration

Local Development

az login  # Both approaches use Azure CLI automatically

Azure VM/App Service

# Enable managed identity on the resource
# Both approaches detect and use managed identity automatically

Azure Kubernetes (AKS)

# Configure workload identity
# Both approaches detect and use workload identity automatically

CI/CD Pipeline

# Set environment variables for service principal
export AZURE_CLIENT_ID="service-principal-id"
export AZURE_CLIENT_SECRET="service-principal-secret"  
export AZURE_TENANT_ID="tenant-id"
# Both approaches use EnvironmentCredential automatically

🔍 What the Tests Show

When you run the test suite, you'll see detailed output including:

Identity Detection

• Available credential methods (1-7 in order)
• Which method is actually being used
• Environment variable status
• Azure CLI authentication status

Connection Summary

• Client IP: Your outbound IP address
• Destination: Server FQDN and resolved IP
• Authentication Method: Azure AD Token-based Authentication
• Mechanism: Plugin vs Manual token management
• Account: Authenticated Azure AD account
• Protocol: PostgreSQL over SSL details

Example Output

📍 Client IP: xx.xxx.xx.xxx
📍 Destination: server.postgres.database.azure.com:5432 (xx.x.x.x)
🔐 Authentication: Azure AD Token-based Authentication
🔧 Mechanism: AzurePostgresqlAuthenticationPlugin (DefaultAzureCredential)
👤 Account: admin@tenant.onmicrosoft.com
🔒 Protocol: PostgreSQL over SSL (sslmode=require)
⚡ Token Management: Automatic refresh by plugin

🎯 Decision Guide

Choose Azure Plugin Approach If:

• ✅ Building production applications
• ✅ Want minimal complexity
• ✅ DefaultAzureCredential is sufficient
• ✅ Standard authentication scenarios
• ✅ Automatic token refresh is acceptable

Choose Manual Token Approach If:

• ✅ Need custom credential logic
• ✅ Require specific error handling
• ✅ Want to understand authentication internals
• ✅ Building educational/learning projects
• ✅ Need non-standard credential configurations

🏁 Getting Started

1. Prerequisites Check:

   # Ensure you have Java 17+, Gradle, and Azure CLI
   java -version
   gradle --version
   az --version

2. Azure Authentication:

   az login

3. ⚠️ Configure Connection Details (REQUIRED):

   Before running tests, you MUST update the connection details in both approaches:

   Edit Azure Plugin Approach:

   # Edit: azure-plugin-approach/src/main/java/com/example/PostgresTest.java
   # Update these lines (around line 155):
   String host = "your-server.postgres.database.azure.com";
   String database = "your-database-name";  
   String user = "your-user@yourdomain.onmicrosoft.com";

   Edit Manual Token Approach:

   # Edit: manual-token-approach/src/main/java/com/example/PostgresTest.java
   # Update these lines (around line 180):
   String host = "your-server.postgres.database.azure.com";
   String database = "your-database-name";
   String user = "your-user@yourdomain.onmicrosoft.com";

   Example Configuration:

   String host = "myserver.postgres.database.azure.com";
   String database = "testdb";
   String user = "admin@mycompany.onmicrosoft.com";

4. Test Everything:

   ./test-auth.sh    # Linux/WSL/macOS
   test-auth.bat     # Windows

5. Choose and Implement:

   • Start with Azure Plugin Approach for most use cases
   • Switch to Manual Token Approach if you need custom logic

⚠️ Critical Notes

1. Azure Plugin Dependency: The plugin is in azure-identity-extensions, NOT in the main azure-identity library.

2. Gradle Version: This project uses Gradle 4.4.1 syntax (compile instead of implementation).

3. Token Scope: Both approaches use the scope https://ossrdbms-aad.database.windows.net/.default for PostgreSQL.

4. SSL Requirement: Both approaches enforce SSL with sslmode=require.

🎉 Summary

Both approaches achieve the same result - secure Azure AD authentication to PostgreSQL. The difference is in implementation complexity and control level:

• Azure Plugin Approach = Production-ready simplicity
• Manual Token Approach = Educational flexibility and full control

Choose based on your specific needs and complexity requirements!