Re: Improve OAuth discovery logging

Zsolt Parragi <zsolt.parragi@percona.com>

From: Zsolt Parragi <zsolt.parragi@percona.com>
To: Jacob Champion <jacob.champion@enterprisedb.com>
Cc: Andrey Borodin <x4mmm@yandex-team.ru>, Chao Li <li.evan.chao@gmail.com>, Daniel Gustafsson <daniel@yesql.se>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>, Michael Paquier <michael@paquier.xyz>, Tom Lane <tgl@sss.pgh.pa.us>
Date: 2026-03-05T20:11:23Z
Lists: pgsql-hackers

Attachments

Attached v6 with the problematic log expectation removed.

> Easier said than done, I think. I've wanted to teach the server how to
> bracket logs of interest for testing purposes for a while now; I don't
> mind using this as a catalyst. But I don't think it should be done as
> part of this thread.

Yes, I want to look at how to make connect_ok/connect_fails more
reliable for oidc scenarios, but let's not make this dependent on
that, my first idea to do it wasn't 100% reliable based on some
targeted testing.

Commits

  1. oauth: Don't log discovery connections by default

  2. sasl: Allow backend mechanisms to "abandon" exchanges

  3. Add FATAL_CLIENT_ONLY to ereport/elog

  4. oauth_validator: Avoid races in log_check()