Make PGOAUTHCAFILE in libpq-oauth work out of debug mode

Jonathan Gonzalez V. <jonathan.abdiel@gmail.com>

From: "Jonathan Gonzalez V." <jonathan.abdiel@gmail.com>
To: pgsql-hackers@postgresql.org
Date: 2025-10-29T19:19:49Z
Lists: pgsql-hackers

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. libpq: Split PGOAUTHDEBUG=UNSAFE into multiple options

  2. libpq: Add oauth_ca_file option to change CAs without debugging

Attachments

Hi,

While working on a validator for keycloak[1] with libpq-oauth I find
out that to allow a self-signed certificated I had to set the CA on the
client but for this was required to also set the PGOAUTHDEBUG=UNSAFE
which generated a lot of information on the client side that I didn't
need for my testing and work.

This patch basically remove the need of setting the PGOAUTHDEBUG=UNSAFE
to be able to use PGOAUTHCAFILE.

I'm not sure if where I put the documentation is the right place, I
would like to have some opinions on that matter too.


[1] https://github.com/cloudnative-pg/postgres-keycloak-oauth-validator

-- 
Jonathan Gonzalez V. <jonathan.abdiel@gmail.com>