Re: dispchar for oauth_client_secret

Jacob Champion <jacob.champion@enterprisedb.com>

From: Jacob Champion <jacob.champion@enterprisedb.com>
To: Jelte Fennema-Nio <postgres@jeltef.nl>
Cc: Noah Misch <noah@leadboat.com>, pgsql-hackers@postgresql.org
Date: 2025-04-21T15:18:58Z
Lists: pgsql-hackers

Attachments

On Tue, Apr 15, 2025 at 11:11 PM Jelte Fennema-Nio <postgres@jeltef.nl> wrote:
> On Wed, 16 Apr 2025 at 02:03, Jacob Champion
> <jacob.champion@enterprisedb.com> wrote:
> > Thank you for saying something; I'd hallucinated that srvoptions was
> > limited to the server owner, and that's not true. It's pg_user_mapping
> > that has the protection.
>
> FWIW, I have some ideas on being able to store secrets in a server in
> a safe way. I'll probably start a thread on that somewhere in the next
> few months.

Sounds great!

Attached is my proposed fix. 0001 disables use of the new oauth_*
options in our FDWs. 0002 changes dispchar.

Thanks,
--Jacob

Commits

  1. oauth: Classify oauth_client_secret as a password

  2. oauth: Disallow OAuth connections via postgres_fdw/dblink

  3. Add support for OAUTHBEARER SASL mechanism