Enable Authenticated Server-Side PostgreSQL Connections in GatewayD #690

@mostafa

Description

Currently, all server-side connections to PostgreSQL in GatewayD are established as unauthenticated TCP connections (i.e., via the available connection pool). This setup allows clients to reuse pooled connections but lacks support for explicit authentication at the server side.

To enable proper authentication handling in plugins, particularly for the upcoming auth plugin, it would be beneficial to allow GatewayD to establish authenticated connections to PostgreSQL and expose those connections to plugins. This would allow the plugin to act as an identity broker and handle client-side authentication securely and efficiently.

Without this support, plugins must manage and re-authenticate server-side connections from the pool manually, which introduces complexity and makes the plugin architecture unsuitable for robust authentication workflows.

Later this will also enable other use cases.

Checklist

  • Add support for initiating authenticated connections from GatewayD to PostgreSQL instances
  • Make authenticated connection metadata available to plugins during the handshake or OnNewClient lifecycle hook
  • Allow plugins to optionally override or verify authentication before finalizing connection reuse
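To make "authenticated server-side connection" concrete at the PostgreSQL wire-protocol level, the following added example (not GatewayD code and not written by the issue author) builds a protocol 3.0 StartupMessage and decodes the server's authentication request into metadata a proxy could expose to plugins. The `AuthRequest` type and both function names are hypothetical, and the sample message in `main` is constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// AuthRequest is hypothetical metadata a proxy could hand to plugins.
type AuthRequest struct {
	Method     string   // "ok", "cleartext", "md5" or "sasl"
	Salt       []byte   // md5 only: 4-byte salt chosen by the server
	Mechanisms []string // sasl only, e.g. SCRAM-SHA-256
}

// BuildStartup encodes a protocol 3.0 StartupMessage for user and database.
func BuildStartup(user, database string) []byte {
	body := binary.BigEndian.AppendUint32(nil, 196608) // version 3.0
	for _, s := range []string{"user", user, "database", database} {
		body = append(append(body, s...), 0) // NUL-terminated key or value
	}
	body = append(body, 0) // empty string ends the parameter list
	return append(binary.BigEndian.AppendUint32(nil, uint32(len(body)+4)), body...)
}

// ParseAuthRequest decodes exactly one backend Authentication ('R') message.
func ParseAuthRequest(msg []byte) (AuthRequest, error) {
	if len(msg) < 9 || msg[0] != 'R' || int(binary.BigEndian.Uint32(msg[1:5]))+1 != len(msg) {
		return AuthRequest{}, errors.New("malformed authentication message")
	}
	code, payload := binary.BigEndian.Uint32(msg[5:9]), msg[9:]
	switch {
	case code == 0: // AuthenticationOk: the server session is authenticated
		return AuthRequest{Method: "ok"}, nil
	case code == 3: // AuthenticationCleartextPassword
		return AuthRequest{Method: "cleartext"}, nil
	case code == 5 && len(payload) == 4: // AuthenticationMD5Password
		return AuthRequest{Method: "md5", Salt: payload}, nil
	case code == 10: // AuthenticationSASL: NUL-terminated mechanism names
		names := strings.FieldsFunc(string(payload), func(r rune) bool { return r == 0 })
		return AuthRequest{Method: "sasl", Mechanisms: names}, nil
	}
	return AuthRequest{}, fmt.Errorf("unsupported or malformed authentication request (code %d)", code)
}

func main() {
	fmt.Println(ParseAuthRequest([]byte{'R', 0, 0, 0, 8, 0, 0, 0, 0})) // constructed sample
}
```

Only a server connection that has reached the `"ok"` result is authenticated as the `user` sent in the StartupMessage, which is the identity a proxy would need to track before handing that connection to a client.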


Labels: enhancement (New feature or request)
