Re: [PoC] Federated Authn/z with OAUTHBEARER
Jacob Champion <jchampion@timescale.com>
Commits
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
meson: Fix install-quiet after clean
- a9ffb35274fb 18.0 landed
- 4ae03be54734 19 (unreleased) landed
-
oauth: Run Autoconf tests with correct compiler flags
- 3d23f68c5529 18.0 landed
- 990571a08b66 19 (unreleased) landed
-
Link libpq with libdl if the platform needs that.
- 4df477153a6b 19 (unreleased) landed
- 7bd752c1fb8e 18.0 landed
-
Doc: correct spelling of meson switch.
- 3faac9d14063 16.9 landed
- 766d2e673342 17.5 landed
- ac557793d478 18.0 landed
-
oauth: Correct SSL dependency for libpq-oauth.a
- 3db68212a393 18.0 landed
-
oauth: Fix Autoconf build on macOS
- 4ea1254f35b2 18.0 cited
-
oauth: Move the builtin flow into a separate module
- b0635bfda053 18.0 landed
-
Remove a stray "pgrminclude" annotation
- 764d501d24ba 18.0 cited
-
oauth: Simplify copy of PGoauthBearerRequest
- 1cf4c56480f8 18.0 landed
-
oauth: Improve validator docs on interruptibility
- 873c0fd67872 18.0 landed
-
oauth: Disallow synchronous DNS in libcurl
- d7e40845f923 18.0 landed
-
oauth: Fix postcondition for set_timer on macOS
- 434dbf6907ec 18.0 landed
-
oauth: Use IPv4-only issuer in oauth_validator tests
- 8d9d5843b55f 18.0 landed
-
Work around OAuth/EVFILT_TIMER quirk on NetBSD.
- c301a0a74a8a 18.0 landed
-
oauth: Fix incorrect const markers in struct
- 03366b61dfe5 18.0 landed
-
Add missing entry to oauth_validator test .gitignore
- 2c53dec7f440 18.0 landed
-
cirrus: Temporarily fix libcurl link error
- 9d9a71002a1c 18.0 landed
-
Add support for OAUTHBEARER SASL mechanism
- b3f0be788afc 18.0 landed
-
libpq: Handle asynchronous actions during SASL
- a99a32e43ed7 18.0 landed
-
require_auth: prepare for multiple SASL mechanisms
- f8d8581ed882 18.0 landed
-
Move PG_MAX_AUTH_TOKEN_LENGTH to libpq/auth.h
- e21d6f297158 18.0 landed
-
Make SASL max message length configurable
- 6d16f9debae0 18.0 landed
-
jsonapi: fully initialize dummy lexer
- 41b023946dfd 18.0 landed
-
common/jsonapi: support libpq as a client
- 0785d1b8b2fa 18.0 landed
-
Remove fe_memutils from libpgcommon_shlib
- f1976df5eaf2 18.0 landed
-
Revert ECPG's use of pnstrdup()
- f0096ef13be2 13.17 landed
- 3557185538fe 14.14 landed
- 2de129b356bf 15.9 landed
- ee2997c678d8 16.5 landed
- e9e05c655069 17.0 landed
- 5388216f6adc 18.0 landed
-
Explicitly require password for SCRAM exchange
- adcdb2c8dda4 17.0 landed
-
Refactor SASL exchange to return tri-state status
- 24178e235ea5 17.0 landed
On Fri, Sep 30, 2022 at 7:47 AM Andrey Chudnovsky <achudnovskij@gmail.com> wrote: > > How should we communicate those pieces to a custom client when it's > > passing a token directly? The easiest way I can see is for the custom > > client to speak the OAUTHBEARER protocol directly (e.g. SASL plugin). > > If you had to parse the libpq error message, I don't think that'd be > > particularly maintainable. > > I agree that parsing the message is not a sustainable way. > Could you provide more details on the SASL plugin approach you propose? > > Specifically, is this basically a set of extension hooks for the client side? > With the need for the client to be compiled with the plugins based on > the set of providers it needs. That's a good question. I can see two broad approaches, with maybe some ability to combine them into a hybrid: 1. If there turns out to be serious interest in having libpq itself handle OAuth natively (with all of the web-facing code that implies, and all of the questions still left to answer), then we might be able to provide a "token hook" in the same way that we currently provide a passphrase hook for OpenSSL keys. By default, libpq would use its internal machinery to take the provider details, navigate its builtin flow, and return the Bearer token. If you wanted to override that behavior as a client, you could replace the builtin flow with your own, by registering a set of callbacks. 2. Alternatively, OAuth support could be provided via a mechanism plugin for some third-party SASL library (GNU libgsasl, Cyrus libsasl2). We could provide an OAuth plugin in contrib that handles the default flow. Other providers could publish their alternative plugins to completely replace the OAUTHBEARER mechanism handling. Approach (2) would make for some duplicated effort since every provider has to write code to speak the OAUTHBEARER protocol. It might simplify provider-specific distribution, since (at least for Cyrus) I think you could build a single plugin that supports both the client and server side. But it would be a lot easier to unknowingly (or knowingly) break the spec, since you'd control both the client and server sides. There would be less incentive to interoperate. Finally, we could potentially take pieces from both, by having an official OAuth mechanism plugin that provides a client-side hook to override the flow. I have no idea if the benefits would offset the costs of a plugin-for-a-plugin style architecture. And providers would still be free to ignore it and just provide a full mechanism plugin anyway. > > Well... I don't quite understand why we'd go to the trouble of > > providing a provider-agnostic communication solution only to have > > everyone write their own provider-specific client support. Unless > > you're saying Microsoft would provide an officially blessed plugin for > > the *server* side only, and Google would provide one of their own, and > > so on. > > Yes, via extensions. Identity providers can open source extensions to > use their auth services outside of first party PaaS offerings. > For 3rd party Postgres PaaS or on premise deployments. Sounds reasonable. > > The server side authorization is the only place where I think it makes > > sense to specialize by default. libpq should remain agnostic, with the > > understanding that we'll need to make hard decisions when a major > > provider decides not to follow a spec. > > Completely agree with agnostic libpq. Though needs validation with > several major providers to know if this is possible. Agreed. > > Specifically it delivers that message to an end user. If you want a > > generic machine client to be able to use that, then we'll need to talk > > about how. > > Yes, that's what needs to be decided. > In both Device code and Authorization code scenarios, libpq and the > client would need to exchange a couple of pieces of metadata. > Plus, after success, the client should be able to access a refresh token for further use. > > Can we implement a generic protocol like for this between libpq and the clients? I think we can probably prototype a callback hook for approach (1) pretty quickly. (2) is a lot more work and investigation, but it's work that I'm interested in doing (when I get the time). I think there are other very good reasons to consider a third-party SASL library, and some good lessons to be learned, even if the community decides not to go down that road. Thanks, --Jacob