OIDC Authentication Support #617

@lumaier

Issue

PGSync can't authenticate itself to OpenSearch using OIDC. Therefore, "Basic Auth" needs to be enabled in OpenSearch even when an IAM solution like Keycloak is used for all other services connecting to OpenSearch.

Goal

Being able to authenticate to OpenSearch over OIDC's client credential flow.

Requirements

PGSync can be given:

  • The root certificate
  • The token URL
  • The client id
  • The client secret

Then, PGSync fetches a JWT from the URL using the client id and secret, validates the response using the certificate and uses this JWT to authenticate to OpenSearch. Before the JWT expires, it is refreshed.

Misc

I see that there are some parts in the code concerning bearer tokens. However, it seems to be incomplete and the documentation on pgsync.com never references these parts.

We would appreciate it if you could add OIDC support to PGSync.

Thank you
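
A sketch of the flow requested above, added here as an illustration; it is not PGSync code and not part of the original issue. It assumes the root certificate is a PEM CA file used to verify the token endpoint's TLS certificate and that the identity provider accepts the client secret in the form body; `fetch_token` and `TokenCache` are hypothetical names.

```python
import json
import ssl
import time
import urllib.parse
import urllib.request


def fetch_token(token_url, client_id, client_secret, ca_file):
    """Client credentials grant; TLS is verified against ca_file only."""
    ctx = ssl.create_default_context(cafile=ca_file)  # system CAs are not loaded
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(token_url, data=form, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Caches the access token and renews it `skew` seconds before expiry."""

    def __init__(self, fetch, skew=30.0, clock=time.monotonic):
        self._fetch, self._skew, self._clock = fetch, skew, clock
        self._token, self._refresh_at = None, 0.0

    def auth_header(self):
        now = self._clock()
        if self._token is None or now >= self._refresh_at:
            resp = self._fetch()
            token = resp.get("access_token")
            if not token or str(resp.get("token_type", "")).lower() != "bearer":
                raise ValueError("token endpoint did not return a bearer token")
            # expires_in is optional in RFC 6749; 60 s fallback is an assumption.
            lifetime = float(resp.get("expires_in", 60))
            self._token = token
            self._refresh_at = now + max(0.0, lifetime - self._skew)
        return {"Authorization": "Bearer " + self._token}


if __name__ == "__main__":
    # Constructed stand-in for the identity provider, so this runs offline.
    fake = lambda: {"access_token": "constructed.jwt.value",
                    "token_type": "Bearer", "expires_in": 300}
    print(TokenCache(fake).auth_header())
```

In real use the `fetch` argument would be a closure over `fetch_token` with the four configured values, and the returned header would be attached to each request sent to OpenSearch.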
