Re: dispchar for oauth_client_secret
Jacob Champion <jacob.champion@enterprisedb.com>
From: Jacob Champion <jacob.champion@enterprisedb.com>
To: Noah Misch <noah@leadboat.com>
Cc: pgsql-hackers@postgresql.org
Date: 2025-04-15T20:16:12Z
Lists: pgsql-hackers
On Tue, Apr 15, 2025 at 12:14 PM Noah Misch <noah@leadboat.com> wrote: > I suspect this should use .dispchar="*" to encourage UIs to display > oauth_client_secret like a password field. Thoughts? Hmm, from a UI perspective I agree. (The builtin flow targets "public clients", where secrets are discouraged and/or understood to be not-really-secret, but there's no reason to assume that all flows used by the application are public.) From a proxy perspective, this would mess with FDW handling. By making the dispchar '*', oauth_client_secret will be made into a user mapping option rather than a server option. (Neither is very useful to postgres_fdw anyway, because the builtin flow needs an end user to interact with the provider.) But I'm not sure if we'll need to handle compatibility in the future if we implement a proxy-friendly flow. Is it okay to move options back and forth during a major version bump? I assume it would present a problem for pg_upgrade? Thanks! --Jacob
Commits
-
oauth: Classify oauth_client_secret as a password
- e974f1c2164b 18.0 landed
-
oauth: Disallow OAuth connections via postgres_fdw/dblink
- d2e7d2a09d7d 18.0 landed
-
Add support for OAUTHBEARER SASL mechanism
- b3f0be788afc 18.0 cited