Re: Improve OAuth discovery logging
Zsolt Parragi <zsolt.parragi@percona.com>
From: Zsolt Parragi <zsolt.parragi@percona.com>
To: Jacob Champion <jacob.champion@enterprisedb.com>
Cc: Chao Li <li.evan.chao@gmail.com>, Andrey Borodin <x4mmm@yandex-team.ru>, Daniel Gustafsson <daniel@yesql.se>,
PostgreSQL Hackers <pgsql-hackers@postgresql.org>, Michael Paquier <michael@paquier.xyz>, Tom Lane <tgl@sss.pgh.pa.us>
Date: 2026-03-17T21:19:07Z
Lists: pgsql-hackers
> That's not really true, because the caller hardcodes the mechanism > descriptor. I meant that the caller shouldn't depend on the implementation details of the mechanism. The abandoned comment says that '"Abandoned" is a SASL-specific state similar to STATUS_EOF ...', yet later it also depends on an implementation detail of which sasl mechanism actually use it. > (If more things than OAuth need this eventually, maybe it becomes > STATUS_SILENT_ERROR or something, to make it even more generic?) That's a good idea, better than my error level suggestion. The code would actually shorter, because you could remove the programmer error check from CheckSASLAuth. The diff also, because it would work without modifying the calls to it. The patch is also good as-is, all these comments in the last few messages are just very minor details, I probably spent way too much time thinging about how to make this not oauth specific in the generic part of the code.
Commits
-
oauth: Don't log discovery connections by default
- e020a897efea 19 (unreleased) landed
-
sasl: Allow backend mechanisms to "abandon" exchanges
- c4ff16339f07 19 (unreleased) landed
-
Add FATAL_CLIENT_ONLY to ereport/elog
- c2bca7cc9621 19 (unreleased) landed
-
oauth_validator: Avoid races in log_check()
- ab8af1db4303 19 (unreleased) cited