Re: Custom oauth validator options

VASUKI M <vasukianand0119@gmail.com>

From: VASUKI M <vasukianand0119@gmail.com>
To: Jacob Champion <jacob.champion@enterprisedb.com>
Cc: Zsolt Parragi <zsolt.parragi@percona.com>, PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>, david.g.johnston@gmail.com, Robert Haas <robertmhaas@gmail.com>, myon@debian.org
Date: 2025-12-18T05:14:05Z
Lists: pgsql-hackers
On Thu, Dec 18, 2025 at 12:31 AM Jacob Champion <
jacob.champion@enterprisedb.com> wrote:

> On Wed, Dec 17, 2025 at 1:28 AM Zsolt Parragi <zsolt.parragi@percona.com>
> wrote:
> > Instead we decided to let everyone configure which claim they want to
> > use for user mapping. But because of that, this is a GUC, and they can
> > only configure it once per server.
>
> We're getting closer; I agree that this needs to be more flexible than
> it is, and I'm on board with a change, but I'm still missing the
> "killer app". What's the case where a user has multiple HBA lines that
> all want to use unrelated claims for authentication to one Postgres
> cluster? Is this multi-tenancy, or...?
>

Beyond multitenancy, there are per-HBA OAuth cases where options are needed for
safe provider migration [blue/green], per-database security policies, mixed
human/machine authentication [JWT/introspection] and incident-response
scenarios - all global GUCs are too coarse.

> See also the old conversation regarding LDAP hba/ident [1]
>
> [1] https://postgr.es/m/CAOuzzgpFpuroNRabEvB9kST_TSyS2jFicBNoXvW7G2pZFixyBw%40mail.gmail.com


Thanks, will go through it.

Regards,

Vasuki M
CDAC, Chennai.