Re: dispchar for oauth_client_secret
Jacob Champion <jacob.champion@enterprisedb.com>
From: Jacob Champion <jacob.champion@enterprisedb.com>
To: Jelte Fennema-Nio <postgres@jeltef.nl>
Cc: Noah Misch <noah@leadboat.com>, pgsql-hackers@postgresql.org
Date: 2025-04-21T15:18:58Z
Lists: pgsql-hackers
Attachments
- 0001-oauth-Disallow-OAuth-connections-via-postgres_fdw-db.patch (application/octet-stream) patch 0001
- 0002-oauth-Classify-oauth_client_secret-as-a-password.patch (application/octet-stream) patch 0002
On Tue, Apr 15, 2025 at 11:11 PM Jelte Fennema-Nio <postgres@jeltef.nl> wrote: > On Wed, 16 Apr 2025 at 02:03, Jacob Champion > <jacob.champion@enterprisedb.com> wrote: > > Thank you for saying something; I'd hallucinated that srvoptions was > > limited to the server owner, and that's not true. It's pg_user_mapping > > that has the protection. > > FWIW, I have some ideas on being able to store secrets in a server in > a safe way. I'll probably start a thread on that somewhere in the next > few months. Sounds great! Attached is my proposed fix. 0001 disables use of the new oauth_* options in our FDWs. 0002 changes dispchar. Thanks, --Jacob
Commits
-
oauth: Classify oauth_client_secret as a password
- e974f1c2164b 18.0 landed
-
oauth: Disallow OAuth connections via postgres_fdw/dblink
- d2e7d2a09d7d 18.0 landed
-
Add support for OAUTHBEARER SASL mechanism
- b3f0be788afc 18.0 cited