Re: Proposal: Role Sandboxing for Secure Impersonation
Jacob Champion <jacob.champion@enterprisedb.com>
From: Jacob Champion <jacob.champion@enterprisedb.com>
To: Wolfgang Walther <walther@technowledgy.de>
Cc: Jelte Fennema-Nio <postgres@jeltef.nl>,
Robert Haas <robertmhaas@gmail.com>, Joe Conway <mail@joeconway.com>, Eric Hanson <eric@aquameta.com>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>,
Matheus Alcantara <matheusssilv97@gmail.com>
Date: 2024-12-05T16:27:23Z
Lists: pgsql-hackers
On Thu, Dec 5, 2024 at 12:47 AM Wolfgang Walther <walther@technowledgy.de> wrote: > > If we want something like this, we'd want to allow > > users to re-trigger SCRAM authentication. Which clearly requires a > > protocol change. > > Yes. This. Re-authenticating without re-connecting. The ability to reauthenticate would be useful for the OAUTHBEARER mechanism as well. (Specifically, the ability to perform a new SASL exchange on the connection after the first one has failed.) And it would probably have overlap with the recent discussion around pass-through SCRAM [1]. --Jacob [1] https://postgr.es/m/27b29a35-9b96-46a9-bc1a-914140869dac%40gmail.com