Re: Custom oauth validator options
From: Jacob Champion <jacob.champion@enterprisedb.com>
To: VASUKI M <vasukianand0119@gmail.com>
Cc: Zsolt Parragi <zsolt.parragi@percona.com>, PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>,
david.g.johnston@gmail.com, Robert Haas <robertmhaas@gmail.com>, myon@debian.org
Date: 2025-12-17T18:27:44Z
Lists: pgsql-hackers
On Tue, Dec 16, 2025 at 10:30 PM VASUKI M <vasukianand0119@gmail.com> wrote:
> Overall, +1 that this limitation is real and worth discussing. I’ll plan to send a patch shortly exploring option (b).
Thanks!
> Reg very long HBA lines: totally agree this is a real readability issue, but allowing per-line includes or external file feels like a separate (and much bigger) topic, probably best tackled independently.
I forgot to mention in my reply to Zsolt, but we've supported inline
inclusions in HBA for a few releases now. (I just frequently forget
they exist.)

pg_hba.conf:

    hostssl all all 0.0.0.0/0 oauth @oauth-settings.conf

oauth-settings.conf:

    issuer=https://oauth.example.org/v2
    scope="openid email let-me-into-pg"
    validator=example_org
    map=examplemap

And for smaller annoyances, you can wrap lines with backslash continuation.
I haven't used these new features much, since I forget they exist, so
if there are usability problems in practice please say something so we
can fix it.
--Jacob