Re: Improve OAuth discovery logging
Jacob Champion <jacob.champion@enterprisedb.com>
From: Jacob Champion <jacob.champion@enterprisedb.com>
To: Zsolt Parragi <zsolt.parragi@percona.com>
Cc: Andrey Borodin <x4mmm@yandex-team.ru>, Chao Li <li.evan.chao@gmail.com>, Daniel Gustafsson <daniel@yesql.se>,
PostgreSQL Hackers <pgsql-hackers@postgresql.org>, Michael Paquier <michael@paquier.xyz>, Tom Lane <tgl@sss.pgh.pa.us>
Date: 2026-03-17T00:24:58Z
Lists: pgsql-hackers
Attachments
- v8-0001-Add-FATAL_CLIENT_ONLY-to-ereport-elog.patch (application/octet-stream) patch v8-0001
- v8-0003-oauth-Don-t-log-discovery-connections-by-default.patch (application/octet-stream) patch v8-0003
- v8-0002-sasl-Allow-backend-mechanisms-to-abandon-exchange.patch (application/octet-stream) patch v8-0002
On Mon, Mar 16, 2026 at 12:45 PM Zsolt Parragi <zsolt.parragi@percona.com> wrote: > I tried to figure out if this is fine or not, but isn't it the same as > the existing ereport(ERROR, ...) calls everywhere in the sasl/scram > code? Those are *also* not good, IMHO; they're what I had in mind when I said "it's unusual/invisible". (ERROR is upgraded to FATAL here, so they're also misleading.) OAuth inherited a few of those from SCRAM to avoid divergent behavior for protocol violations, but I don't really want to lock that usage into the SASL architecture by myself, especially not for normal operation. CheckSASLAuth should ideally have control over the logic flow. (It might be nice to make it possible to throw ERRORs from inside authentication code without bypassing the top level. Then maybe we could square that with our treatment of logdetail et al. But we'd have to decide how we want protocol errors to interact with the hook.) On Mon, Mar 16, 2026 at 11:14 AM Jacob Champion <jacob.champion@enterprisedb.com> wrote: > I'm working on a three-patch set to add FATAL_CLIENT_ONLY, the new > abandoned state, and the log fix making use of both. Attached as v8. --Jacob
Commits
-
oauth: Don't log discovery connections by default
- e020a897efea 19 (unreleased) landed
-
sasl: Allow backend mechanisms to "abandon" exchanges
- c4ff16339f07 19 (unreleased) landed
-
Add FATAL_CLIENT_ONLY to ereport/elog
- c2bca7cc9621 19 (unreleased) landed
-
oauth_validator: Avoid races in log_check()
- ab8af1db4303 19 (unreleased) cited