SQL-76 Add pgwire password authentication to OIDC authenticator

src/environmentd/src/http.rs

@@ -1037,6 +1037,8 @@ async fn auth(
                 include_www_authenticate_header,
             });
         }
+        // TODO (Oidc): Implement password auth flow
+        // for this authenticator variant.
         Authenticator::Oidc(oidc) => match creds {
             Some(Credentials::Token { token }) => {
                 // Validate JWT token

src/environmentd/src/lib.rs

@@ -104,9 +104,9 @@ pub struct Config {
     pub tls_reload_certs: ReloadTrigger,
     /// Password of the mz_system user.
     pub external_login_password_mz_system: Option<Password>,
-    /// Frontegg JWT authentication configuration.
+    /// Frontegg JWT authenticator.
     pub frontegg: Option<FronteggAuthenticator>,
-    /// OIDC JWT authentication configuration.
+    /// OIDC authenticator.
     pub oidc: Option<GenericOidcAuthenticator>,
     /// Origins for which cross-origin resource sharing (CORS) for HTTP requests
     /// is permitted.
@@ -277,24 +277,15 @@ impl Listener<SqlListenerConfig> {
                 TlsMode::Allow
             },
         });
-        let authenticator = match self.config.authenticator_kind {
-            AuthenticatorKind::Frontegg => Authenticator::Frontegg(
-                frontegg.expect("Frontegg args are required with AuthenticatorKind::Frontegg"),
-            ),
-            AuthenticatorKind::Password => Authenticator::Password(adapter_client.clone()),
-            AuthenticatorKind::Sasl => Authenticator::Sasl(adapter_client.clone()),
-            AuthenticatorKind::Oidc => Authenticator::Oidc(
-                oidc.expect("OIDC config is required with AuthenticatorKind::Oidc"),
-            ),
-            AuthenticatorKind::None => Authenticator::None,
-        };
 
         task::spawn(|| format!("{}_sql_server", label), {
             let sql_server = mz_pgwire::Server::new(mz_pgwire::Config {
                 label,
                 tls,
                 adapter_client,
-                authenticator,
+                authenticator_kind: self.config.authenticator_kind,
+                frontegg,
+                oidc,
                 metrics,
                 active_connection_counter,
                 helm_chart_version,
@@ -391,18 +382,13 @@ impl Listeners {
         let (authenticator_none_tx, authenticator_none_rx) = oneshot::channel();
         let authenticator_none_rx = authenticator_none_rx.shared();
 
-        // We can only send the Frontegg, OIDC, and None variants immediately.
+        // We can only send the Frontegg and None variants immediately.
         // The Password variant requires an adapter client.
         if let Some(frontegg) = &config.frontegg {
             authenticator_frontegg_tx
                 .send(Arc::new(Authenticator::Frontegg(frontegg.clone())))
                 .expect("rx known to be live");
         }
-        if let Some(oidc) = &config.oidc {
-            authenticator_oidc_tx
-                .send(Arc::new(Authenticator::Oidc(oidc.clone())))
-                .expect("rx known to be live");
-        }
         authenticator_none_tx
             .send(Arc::new(Authenticator::None))
             .expect("rx known to be live");
@@ -824,6 +810,11 @@ impl Listeners {
         authenticator_password_tx
             .send(Arc::new(Authenticator::Password(adapter_client.clone())))
             .expect("rx known to be live");
+        if let Some(oidc) = &config.oidc {
+            authenticator_oidc_tx
+                .send(Arc::new(Authenticator::Oidc(oidc.clone())))
+                .expect("rx known to be live");
+        }
         adapter_client_tx
             .send(adapter_client.clone())
             .expect("internal HTTP server should not drop first");