![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 42%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELT%3C/text%3E%3C/svg%3E)
Azure Database for PostgreSQL
An Azure managed PostgreSQL database service for app development and deployment.
1,427 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 49%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVK%3C/text%3E%3C/svg%3E)
Hi Lai, Tim
Greetings!
As we understand that, you are running into an issue with Azure AD authentication when trying to connect to PostgreSQL with a non-admin user. The error message "Azure AD user token for role does not match auth_oid" typically indicates that there’s a mismatch between the token generated for the user and the expected user identity for that specific database role.
Here are a few steps you can take to troubleshoot and resolve this issue:
- Verify User Role in PostgreSQL: Make sure that the non-admin user has been granted the proper permissions for the PostgreSQL database. You can do this by connecting as an admin user and checking the roles assigned to the non-admin user.\d
- When you run az login in Cloud Shell, the token acquired is tied to the currently signed-in user. If you’re switching between AD admin and non-admin users, make sure you’re logged in as the correct user before running the Java code. You can verify the signed-in user with:
If needed, log out and log in as the non-admin user:az account showaz logout az login --username <non-admin-user> - Cloud Shell may cache credentials. Try restarting the Cloud Shell session or explicitly refreshing the token before running your Java app.
- Ensure the token your Java app is using was acquired for the correct resource (
https://ossrdbms-aad.database.windows.net). If you're usingAzureIdentityorDefaultAzureCredential, confirm it's picking up the right identity. - Even if the user is in Azure AD, it must also exist in the PostgreSQL database. From
psql, run: SELECT * FROM pg_roles WHERE rolname = '<non-admin-user>'; If it doesn’t exist, create it:CREATE ROLE "<non-admin-user>" WITH LOGIN; GRANT CONNECT ON DATABASE <your-db> TO "<non-admin-user>"; - Ensure the username in the JDBC URL matches the Azure AD user exactly, including domain. For example:
jdbc:postgresql://<host>:5432/<db>?sslmode=require&user=******@yourtenant.onmicrosoft.com - Check Azure AD Group Membership: If your non-admin user is part of an Azure AD group that’s set up to have access to the PostgreSQL, ensure that the group permissions are correctly configured in PostgreSQL.
- Azure AD Authentication Settings: Confirm that the Azure Database for PostgreSQL instance has Azure AD authentication enabled and that the non-admin user is properly configured in Azure AD with access to the database.
- Token Scope: Ensure that the token being requested has the correct scope for accessing the Azure Database for PostgreSQL as a non-admin user. When executing the Java application, validate that the token is generated and includes the proper scope.
- Review Connection Code: Double-check the Java connection code to ensure that it is correctly requesting the Azure AD token for the non-admin user. You can refer to the documentation for guidance on acquiring tokens properly: Quickstart: Use Java and JDBC with Azure Database for PostgreSQL flexible server
- Cloud Shell Environment: Since you are executing this from Cloud Shell, ensure that the environment has access to the necessary Azure libraries and that you’re correctly authenticated as the non-admin user when attempting to connect.
I hope, This response will address your query and helped you to overcome on your challenges.
If this answers your query, do click Accept Answer and Yes for was this answer helpful. If you still have questions, please let us know what is needed in the comments so the question can be answered.
Thank you for helping to improve Microsoft Q&A!