Re: [oauth] Stabilize the libpq-oauth ABI (and allow alternative implementations?)

Jacob Champion <jacob.champion@enterprisedb.com>

From: Jacob Champion <jacob.champion@enterprisedb.com>
To: Zsolt Parragi <zsolt.parragi@percona.com>
Cc: PostgreSQL Hackers <pgsql-hackers@postgresql.org>, Chao Li <li.evan.chao@gmail.com>
Date: 2026-03-06T00:57:13Z
Lists: pgsql-hackers

Attachments

On Tue, Mar 3, 2026 at 2:08 PM Jacob Champion
<jacob.champion@enterprisedb.com> wrote:
> I don't plan to block the other patches on -0006, since -0004 is
> blocking PGOAUTHCAFILE.

v5-0001 and -0002 are now committed. Attached is a v6 rebase with some
minor self-review fixups and the removal of ASan from the poisoning
experiment.

v6-0001 through -0003 are targeted for commit next. I'll leave -0004
for later; I plan to ask for some committer review, since it's pretty
unusual code for libpq, but it needs a real commit message and some
better docs first.

As for -0005: I think I'll cherry-pick only the ability for the
libpq_oauth_init entry to be optional, marking any flows that don't
provide it as user-defined, to make it possible for v19 developers to
help us iterate on v20 if they want.

Thanks,
--Jacob

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. libpq: Allow developers to reimplement libpq-oauth

  2. libpq: Poison the v2 part of a v1 Bearer request

  3. libpq-oauth: Never link against libpq's encoding functions

  4. libpq-oauth: Use the PGoauthBearerRequestV2 API

  5. libpq: Introduce PQAUTHDATA_OAUTH_BEARER_TOKEN_V2

  6. libpq: Add PQgetThreadLock() to mirror PQregisterThreadLock()

  7. oauth: Report cleanup errors as warnings on stderr

  8. oauth_validator: Avoid races in log_check()

  9. libpq-oauth: use correct c_args in meson.build

  10. libpq-fe.h: Don't claim SOCKTYPE in the global namespace