Re: Custom oauth validator options

Jacob Champion <jacob.champion@enterprisedb.com>

From: Jacob Champion <jacob.champion@enterprisedb.com>
To: Zsolt Parragi <zsolt.parragi@percona.com>
Cc: VASUKI M <vasukianand0119@gmail.com>, PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>, david.g.johnston@gmail.com, Robert Haas <robertmhaas@gmail.com>, myon@debian.org
Date: 2026-01-27T17:40:32Z
Lists: pgsql-hackers
On Mon, Jan 26, 2026 at 1:51 AM Zsolt Parragi <zsolt.parragi@percona.com> wrote:
> The choosing authentication method part would already
> be useful with OAuth, and now Joel also started a thread about fido2,
> which also brings the question of MFA.

Or just the ability to offer a choice between two authentication
methods for a single user, yeah.

> pg_hba has the same issue, even if it has custom key=value data
> already. What I meant is similarly how we could turn currently hard
> coded pg_hba settings into GUC variables, the same is doable with
> pg_hosts, either at a separate level or integrating it into the HBA
> context. And later either both should get a new line style and
> deprecate the old one, or maybe these settings should be configured
> completely differently.

Sure; at this point I think we're violently agreeing. If we suspect
the configuration UX needs to be refactored, that's not going to be a
decision made unilaterally in this thread, which is why I said I was
worried about the scope creep.

--Jacob



Commits

  1. oauth: Allow validators to register custom HBA options

  2. Make LOAD of an already-loaded library into a no-op, instead of attempting