Re: Improve OAuth discovery logging

Zsolt Parragi <zsolt.parragi@percona.com>

From: Zsolt Parragi <zsolt.parragi@percona.com>
To: Jacob Champion <jacob.champion@enterprisedb.com>
Cc: Andrey Borodin <x4mmm@yandex-team.ru>, Chao Li <li.evan.chao@gmail.com>, Daniel Gustafsson <daniel@yesql.se>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>, Michael Paquier <michael@paquier.xyz>, Tom Lane <tgl@sss.pgh.pa.us>
Date: 2026-03-16T06:24:13Z
Lists: pgsql-hackers

Attachments

> I'm experimenting with an ereport(FATAL_CLIENT_ONLY) option, in the
> same vein as WARNING_CLIENT_ONLY, to try to cover this.

I attached v7 that uses that and removes the abandoned handling as it
is no longer needed with it.

> P.S. I would eventually like to record our undocumented SASL profile
> in a test suite (he said, staring at pg-pytest)...

That would be definitely useful, with the todo comment and this not
being documented I thought that this is a proper way to handle the
issue. Even a proper documentation about it would be a good starting
point.

Commits

  1. oauth: Don't log discovery connections by default

  2. sasl: Allow backend mechanisms to "abandon" exchanges

  3. Add FATAL_CLIENT_ONLY to ereport/elog

  4. oauth_validator: Avoid races in log_check()