Re: [EXTERNAL] Re: [PoC] Federated Authn/z with OAUTHBEARER
Jacob Champion <jchampion@timescale.com>
Commits
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
meson: Fix install-quiet after clean
- a9ffb35274fb 18.0 landed
- 4ae03be54734 19 (unreleased) landed
-
oauth: Run Autoconf tests with correct compiler flags
- 3d23f68c5529 18.0 landed
- 990571a08b66 19 (unreleased) landed
-
Link libpq with libdl if the platform needs that.
- 4df477153a6b 19 (unreleased) landed
- 7bd752c1fb8e 18.0 landed
-
Doc: correct spelling of meson switch.
- 3faac9d14063 16.9 landed
- 766d2e673342 17.5 landed
- ac557793d478 18.0 landed
-
oauth: Correct SSL dependency for libpq-oauth.a
- 3db68212a393 18.0 landed
-
oauth: Fix Autoconf build on macOS
- 4ea1254f35b2 18.0 cited
-
oauth: Move the builtin flow into a separate module
- b0635bfda053 18.0 landed
-
Remove a stray "pgrminclude" annotation
- 764d501d24ba 18.0 cited
-
oauth: Simplify copy of PGoauthBearerRequest
- 1cf4c56480f8 18.0 landed
-
oauth: Improve validator docs on interruptibility
- 873c0fd67872 18.0 landed
-
oauth: Disallow synchronous DNS in libcurl
- d7e40845f923 18.0 landed
-
oauth: Fix postcondition for set_timer on macOS
- 434dbf6907ec 18.0 landed
-
oauth: Use IPv4-only issuer in oauth_validator tests
- 8d9d5843b55f 18.0 landed
-
Work around OAuth/EVFILT_TIMER quirk on NetBSD.
- c301a0a74a8a 18.0 landed
-
oauth: Fix incorrect const markers in struct
- 03366b61dfe5 18.0 landed
-
Add missing entry to oauth_validator test .gitignore
- 2c53dec7f440 18.0 landed
-
cirrus: Temporarily fix libcurl link error
- 9d9a71002a1c 18.0 landed
-
Add support for OAUTHBEARER SASL mechanism
- b3f0be788afc 18.0 landed
-
libpq: Handle asynchronous actions during SASL
- a99a32e43ed7 18.0 landed
-
require_auth: prepare for multiple SASL mechanisms
- f8d8581ed882 18.0 landed
-
Move PG_MAX_AUTH_TOKEN_LENGTH to libpq/auth.h
- e21d6f297158 18.0 landed
-
Make SASL max message length configurable
- 6d16f9debae0 18.0 landed
-
jsonapi: fully initialize dummy lexer
- 41b023946dfd 18.0 landed
-
common/jsonapi: support libpq as a client
- 0785d1b8b2fa 18.0 landed
-
Remove fe_memutils from libpgcommon_shlib
- f1976df5eaf2 18.0 landed
-
Revert ECPG's use of pnstrdup()
- f0096ef13be2 13.17 landed
- 3557185538fe 14.14 landed
- 2de129b356bf 15.9 landed
- ee2997c678d8 16.5 landed
- e9e05c655069 17.0 landed
- 5388216f6adc 18.0 landed
-
Explicitly require password for SCRAM exchange
- adcdb2c8dda4 17.0 landed
-
Refactor SASL exchange to return tri-state status
- 24178e235ea5 17.0 landed
On 9/21/22 21:55, Andrey Chudnovsky wrote: > First, My message from corp email wasn't displayed in the thread, I see it on the public archives [1]. Your client is choosing some pretty confusing quoting tactics, though, which you may want to adjust. :D I have what I'll call some "skeptical curiosity" here -- you don't need to defend your use cases to me by any means, but I'd love to understand more about them. > Yes, passing a token as a new auth method won't make much sense in > isolation. However: > 1. Since OAUTHBEARER is supported in the ecosystem, passing a token as > a way to authenticate with OAUTHBEARER is more consistent (IMO), then > passing it as a password. Agreed. It's probably not a very strong argument for the new mechanism, though, especially if you're not using the most expensive code inside it. > 2. Validation on the backend side doesn't depend on whether the token > is obtained by libpq or transparently passed by the upstream client. Sure. > 3. Single OAUTH auth method on the server side for both scenarios, > would allow both enterprise clients with their own Token acquisition > and community clients using libpq flows to connect as the same PG > users/roles. Okay, this is a stronger argument. With that in mind, I want to revisit your examples and maybe provide some counterproposals: >> Libpq passing toked directly from an upstream client is useful in other scenarios: >> 1. Enterprise clients, built with .Net / Java and using provider-specific authentication libraries, like MSAL for AAD. Those can also support more advanced provider-specific token acquisition flows. I can see that providing a token directly would help you work around limitations in libpq's "standard" OAuth flows, whether we use iddawc or not. And it's cheap in terms of implementation. But I have a feeling it would fall apart rapidly with error cases, where the server is giving libpq information via the OAUTHBEARER mechanism, but libpq can only communicate to your wrapper through human-readable error messages on stderr. This seems like clear motivation for client-side SASL plugins (which were also discussed on Samay's proposal thread). That's a lot more expensive to implement in libpq, but if it were hypothetically available, wouldn't you rather your provider-specific code be able to speak OAUTHBEARER directly with the server? >> 2. Resource-tight (like IoT) clients. Those can be compiled without the optional libpq flag not including the iddawc or other dependency. I want to dig into this much more; resource-constrained systems are near and dear to me. I can see two cases here: Case 1: The device is an IoT client that wants to connect on its own behalf. Why would you want to use OAuth in that case? And how would the IoT device get its Bearer token to begin with? I'm much more used to architectures that provision high-entropy secrets for this, whether they're incredibly long passwords per device (in which case, channel-bound SCRAM should be a fairly strong choice?) or client certs (which can be better decentralized, but make for a lot of bookkeeping). If the answer to that is, "we want an IoT client to be able to connect using the same role as a person", then I think that illustrates a clear need for SASL negotiation. That would let the IoT client choose SCRAM-*-PLUS or EXTERNAL, and the person at the keyboard can choose OAUTHBEARER. Then we have incredible flexibility, because you don't have to engineer one mechanism to handle them all. Case 2: The constrained device is being used as a jump point. So there's an actual person at a keyboard, trying to get into a backend server (maybe behind a firewall layer, etc.), and the middlebox is either not web-connected or is incredibly tiny for some reason. That might be a good use case for a copy-pasted Bearer token, but is there actual demand for that use case? What motivation would you (or your end user) have for choosing a fairly heavy, web-centric authentication method in such a constrained environment? Are there other resource-constrained use cases I've missed? Thanks, --Jacob [1] https://www.postgresql.org/message-id/MN0PR21MB31694BAC193ECE1807FD45358F4F9%40MN0PR21MB3169.namprd21.prod.outlook.com