Re: [PoC] Federated Authn/z with OAUTHBEARER

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Thomas Munro <thomas.munro@gmail.com>
Cc: Daniel Gustafsson <daniel@yesql.se>, Jacob Champion <jacob.champion@enterprisedb.com>, Nazir Bilal Yavuz <byavuz81@gmail.com>, Andres Freund <andres@anarazel.de>, Peter Eisentraut <peter@eisentraut.org>, Antonin Houska <ah@cybertec.at>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2025-03-19T22:19:23Z
Lists: pgsql-hackers

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. meson: Fix install-quiet after clean

  2. oauth: Run Autoconf tests with correct compiler flags

  3. Link libpq with libdl if the platform needs that.

  4. Doc: correct spelling of meson switch.

  5. oauth: Correct SSL dependency for libpq-oauth.a

  6. oauth: Fix Autoconf build on macOS

  7. oauth: Move the builtin flow into a separate module

  8. Remove a stray "pgrminclude" annotation

  9. oauth: Simplify copy of PGoauthBearerRequest

  10. oauth: Improve validator docs on interruptibility

  11. oauth: Disallow synchronous DNS in libcurl

  12. oauth: Fix postcondition for set_timer on macOS

  13. oauth: Use IPv4-only issuer in oauth_validator tests

  14. Work around OAuth/EVFILT_TIMER quirk on NetBSD.

  15. oauth: Fix incorrect const markers in struct

  16. Add missing entry to oauth_validator test .gitignore

  17. cirrus: Temporarily fix libcurl link error

  18. Add support for OAUTHBEARER SASL mechanism

  19. libpq: Handle asynchronous actions during SASL

  20. require_auth: prepare for multiple SASL mechanisms

  21. Move PG_MAX_AUTH_TOKEN_LENGTH to libpq/auth.h

  22. Make SASL max message length configurable

  23. jsonapi: fully initialize dummy lexer

  24. common/jsonapi: support libpq as a client

  25. Remove fe_memutils from libpgcommon_shlib

  26. Revert ECPG's use of pnstrdup()

  27. Explicitly require password for SCRAM exchange

  28. Refactor SASL exchange to return tri-state status

Thomas Munro <thomas.munro@gmail.com> writes:
> It would increase the build dependencies, assuming a package
> maintainer wants to enable as many features as possible, but it would
> *not* increase the 'package requires' footprint, merely the 'package
> suggests' footprint (as Debian calls it), and it's up to the user
> whether they install suggested extra packages, no?

Maybe I'm confused, but what I saw was a hard dependency on libcurl,
as well as several of its dependencies:

$ ./configure --with-libcurl
...
$ make
...
$ ldd src/interfaces/libpq/libpq.so.5.18 
        linux-vdso.so.1 (0x00007ffc145fe000)
        libcurl.so.4 => /lib64/libcurl.so.4 (0x00007f2c2fa36000)
        libm.so.6 => /lib64/libm.so.6 (0x00007f2c2f95b000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f2c2f600000)
        libnghttp2.so.14 => /lib64/libnghttp2.so.14 (0x00007f2c2f931000)
        libidn2.so.0 => /lib64/libidn2.so.0 (0x00007f2c2f910000)
        libssh.so.4 => /lib64/libssh.so.4 (0x00007f2c2f89b000)
        libpsl.so.5 => /lib64/libpsl.so.5 (0x00007f2c2f885000)
        libssl.so.3 => /lib64/libssl.so.3 (0x00007f2c2f51a000)
        libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007f2c2f000000)
        libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f2c2f82f000)
        libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f2c2ef26000)
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f2c2f816000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f2c2f80d000)
        libldap.so.2 => /lib64/libldap.so.2 (0x00007f2c2eebf000)
        liblber.so.2 => /lib64/liblber.so.2 (0x00007f2c2eead000)
        libbrotlidec.so.1 => /lib64/libbrotlidec.so.1 (0x00007f2c2ee9f000)
        libz.so.1 => /lib64/libz.so.1 (0x00007f2c2ee85000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f2c2fb43000)
        libunistring.so.2 => /lib64/libunistring.so.2 (0x00007f2c2ed00000)
        libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f2c2ecef000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f2c2ece8000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f2c2ecd4000)
        libevent-2.1.so.7 => /lib64/libevent-2.1.so.7 (0x00007f2c2ec7b000)
        libsasl2.so.3 => /lib64/libsasl2.so.3 (0x00007f2c2ec5b000)
        libbrotlicommon.so.1 => /lib64/libbrotlicommon.so.1 (0x00007f2c2ec38000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f2c2ec0b000)
        libcrypt.so.2 => /lib64/libcrypt.so.2 (0x00007f2c2ebd1000)
        libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x00007f2c2eb35000)

I don't think that will be satisfied by 'package suggests'.
Even if it somehow manages to load, the result of trying to
use OAuth would be a segfault rather than any useful message.

			regards, tom lane