invalid_authorization_specification Ident authentication failed for user “…” — 28000

Symptoms

An Ident-based authentication attempt failed: the OS username (or its mapping) did not match the requested database role. PostgreSQL raises SQLSTATE 28000 (invalid_authorization_specification).

• Ident/peer authentication rejected the user.
• Common with a missing or wrong ident map.
• The OS user doesn’t map to the DB role.

What the server log shows

FATAL:  Ident authentication failed for user "appuser"

Why PostgreSQL raises this — what the manual says

Section 20.8 Ident Authentication:

“The ident authentication method works by obtaining the client’s operating system user name from an ident server and using it as the allowed database user name (with an optional user name mapping).”

Ident/peer auth derives the OS username and (optionally via pg_ident.conf) maps it to a database role. If the OS user or mapping doesn’t permit the requested role, authentication fails with 28000.

Common causes

• The OS user doesn’t match the requested DB role and no map allows it.
• A missing/incorrect entry in pg_ident.conf.
• The HBA line uses ident/peer where another method was intended.

How to fix it

1. Add a mapping in pg_ident.conf and reference it via map= in pg_hba.conf.
2. Connect as the matching OS user, or switch the HBA method (e.g. scram-sha-256).
3. Reload configuration after editing the HBA/ident files.

Related & next steps

• SQLSTATE 28000 — Invalid Authorization Specification (full reference)
• Message: role is not permitted to log in
• Glossary: pg_hba.conf

Reference: PostgreSQL 18 Section 21.9 “Ident Authentication”.