Re: [oauth] Stabilize the libpq-oauth ABI (and allow alternative implementations?)
Zsolt Parragi <zsolt.parragi@percona.com>
From: Zsolt Parragi <zsolt.parragi@percona.com>
To: Jacob Champion <jacob.champion@enterprisedb.com>
Cc: Chao Li <li.evan.chao@gmail.com>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2026-01-26T12:06:36Z
Lists: pgsql-hackers
> If I've misunderstood what you mean, please tell me what function call > in particular you think can be removed. I meant that it calls issuer_from_well_known_uri, and does multiple validation steps in that. Wouldn't it be simpler to do all that validation at the server side, and for libpq to simply compare that what the user specified for the connection and what the server sent are the same? The protection would still be there, as the client still compares the URLs, but the validation moves to the server, where we can detect incorrect URLs earlier. > So if you control both sides, you can do whatever you want. Yes, but I can't start postgres with a custom LDAP backend or client library, or at least not in an easy built in way. > I'm very much on board with pluggable auth [2], but OAUTHBEARER is not > the layer for arbitrary non-OAuth authentication systems, any more > than LDAP is. (SASL is the correct layer for that, IMHO.) That part is understandable - I mistakenly thought that there's a generalized OAUTHBEARER mechanism in SASL, but there isn't. And from your original email, > I just don't know that this envvar approach is any good. > ... > At which point we'll have essentially designed a generic libpq plugin system. My question should have been: shouldn't the plugin api work at the SASL level instead of a specific OAuth level? Or even if the first iteration of the internal API would only allow it to modify the OAuth flow, shouldn't the public facing configuration (env var / connection string / anything) be something more generic? The connection string approach would definitely be better, but not naming the environment variable OAUTHSOMETHING would already make this a more future-proof feature. If you think generic extensibility should work with SASL, I see that as one more reason why the variable should be named SASLsomething instead. In my previous email I didn't reply to the plugin/configuration part of your message because I wanted to think more about the question. How, and when would I use this (oauth limited, differently configured) plugin API instead of the authdata hook? And I can't think of any good use cases outside the command line tools included with postgres. But if it's the beginning of a generic API that gets extended in later major versions, that's different.
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
libpq: Allow developers to reimplement libpq-oauth
- 09532b4040ed 19 (unreleased) landed
-
libpq: Poison the v2 part of a v1 Bearer request
- 0af4d402cb90 19 (unreleased) landed
-
libpq-oauth: Never link against libpq's encoding functions
- dba35604485f 19 (unreleased) landed
-
libpq-oauth: Use the PGoauthBearerRequestV2 API
- 6225403f2783 19 (unreleased) landed
-
libpq: Introduce PQAUTHDATA_OAUTH_BEARER_TOKEN_V2
- e982331b5208 19 (unreleased) landed
-
libpq: Add PQgetThreadLock() to mirror PQregisterThreadLock()
- b8d76858353e 19 (unreleased) landed
-
oauth: Report cleanup errors as warnings on stderr
- f8c0b91a6063 19 (unreleased) landed
-
oauth_validator: Avoid races in log_check()
- c3df85756ceb 18.2 landed
- ab8af1db4303 19 (unreleased) landed
-
libpq-oauth: use correct c_args in meson.build
- 023a3c786b81 18.2 landed
- 781ca72139d6 19 (unreleased) landed
-
libpq-fe.h: Don't claim SOCKTYPE in the global namespace
- cc824482a3c0 18.2 landed
- 8b217c96ea2d 19 (unreleased) landed