Re: Custom oauth validator options
Zsolt Parragi <zsolt.parragi@percona.com>
From: Zsolt Parragi <zsolt.parragi@percona.com>
To: Jacob Champion <jacob.champion@enterprisedb.com>
Cc: VASUKI M <vasukianand0119@gmail.com>, PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>,
david.g.johnston@gmail.com, Robert Haas <robertmhaas@gmail.com>, myon@debian.org
Date: 2026-01-26T09:51:02Z
Lists: pgsql-hackers
> Hmm... we may want to discuss my (e) option derailment more seriously, > if we're planning to go in that direction (and if other people like > that direction). I know you wrote that you are only half serious about it, and I definitely do not want to go in the "lets completely refactor pg_hba in this patch" direction, but keeping that idea in mind seems like a good idea to me. The choosing authentication method part would already be useful with OAuth, and now Joel also started a thread about fido2, which also brings the question of MFA. Pluggable generic authentication would also require generic GUC variables at this level. Scoping validators to a specific prefix fixes the collision issue, but it also goes in a different direction. Because of this I like the other alternative idea (DefineCustomValidatorStringVariable) better, if we want to go with a smaller change for this, but I still have to implement that and see how it behaves in practice. > "Fixable" in what sense? pg_hosts.conf is currently similar to > pg_ident.conf in that it has no place for key=value pairs, and if you > add them after as an optional "column" for compatibility, you still > have to write something for all of those columns that you were trying > to replace with the GUC settings. pg_hba has the same issue, even if it has custom key=value data already. What I meant is similarly how we could turn currently hard coded pg_hba settings into GUC variables, the same is doable with pg_hosts, either at a separate level or integrating it into the HBA context. And later either both should get a new line style and deprecate the old one, or maybe these settings should be configured completely differently.
Commits
-
oauth: Allow validators to register custom HBA options
- b977bd308a09 19 (unreleased) landed
-
Make LOAD of an already-loaded library into a no-op, instead of attempting
- 602a9ef5a7c6 9.0.0 cited