Re: Improve OAuth discovery logging

Jacob Champion <jacob.champion@enterprisedb.com>

From: Jacob Champion <jacob.champion@enterprisedb.com>
To: Chao Li <li.evan.chao@gmail.com>, Zsolt Parragi <zsolt.parragi@percona.com>
Cc: Daniel Gustafsson <daniel@yesql.se>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>, Michael Paquier <michael@paquier.xyz>
Date: 2026-02-24T23:24:23Z
Lists: pgsql-hackers
> On Feb 13, 2026, at 21:13, Zsolt Parragi <zsolt.parragi@percona.com> wrote:
> > Maybe something like PG_SASL_EXCHANGE_ABANDONED?
>
> This is the only one I wasn't sure of, I used RESTART because I was
> focusing more on the intention of the server ("please restart
> authentication with this additional information"), and a bit also on
> the idea that later restart could stay even within the same
> connection, both in this case and if we add support for
> reauthentication on token expiration.

I think "abandoned" would still work as a descriptor if we eventually
supported multiple SASL exchanges per connection.

On Mon, Feb 23, 2026 at 7:01 PM Chao Li <li.evan.chao@gmail.com> wrote:
> Looks like you forgot to update the commit message to change PG_SASL_EXCHANGE_RESTART to PG_SASL_EXCHANGE_ABANDONED.

Yes -- though keep in mind that committers will often rewrite commit
messages from scratch. So while keeping it accurate and well-written
should be the goal, perfection isn't required to move something into
RfC.

Speaking of which: Zsolt, would you mind adding this to the Commitfest?

> "ctx->state = OAUTH_STATE_FINISHED;" is duplicated in the “if” and after the “if”, so it can be pull up to before the “if”.

+1

--Jacob



Commits

  1. oauth: Don't log discovery connections by default

  2. sasl: Allow backend mechanisms to "abandon" exchanges

  3. Add FATAL_CLIENT_ONLY to ereport/elog

  4. oauth_validator: Avoid races in log_check()