Re: Improve OAuth discovery logging

Jacob Champion <jacob.champion@enterprisedb.com>

From: Jacob Champion <jacob.champion@enterprisedb.com>
To: Andrey Borodin <x4mmm@yandex-team.ru>
Cc: Zsolt Parragi <zsolt.parragi@percona.com>, Chao Li <li.evan.chao@gmail.com>, Daniel Gustafsson <daniel@yesql.se>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>, Michael Paquier <michael@paquier.xyz>, Tom Lane <tgl@sss.pgh.pa.us>
Date: 2026-03-16T18:14:08Z
Lists: pgsql-hackers
On Mon, Mar 16, 2026 at 1:30 AM Andrey Borodin <x4mmm@yandex-team.ru> wrote:
> I have no more comments about the patch, feel free to flip it to RfC.

Thanks all, v7 looks very similar to one of my local patches. I don't
want to escape the authentication flow from inside a SASL mech, though
(it's unusual/invisible to other maintainers, plus it bypasses the
ClientAuthentication_hook).

I'm working on a three-patch set to add FATAL_CLIENT_ONLY, the new
abandoned state, and the log fix making use of both. Should have
something posted today if things go my way.

--Jacob



Commits

  1. oauth: Don't log discovery connections by default

  2. sasl: Allow backend mechanisms to "abandon" exchanges

  3. Add FATAL_CLIENT_ONLY to ereport/elog

  4. oauth_validator: Avoid races in log_check()