Re: [PoC] Federated Authn/z with OAUTHBEARER
Jacob Champion <jacob.champion@enterprisedb.com>
Commits
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
meson: Fix install-quiet after clean
- a9ffb35274fb 18.0 landed
- 4ae03be54734 19 (unreleased) landed
-
oauth: Run Autoconf tests with correct compiler flags
- 3d23f68c5529 18.0 landed
- 990571a08b66 19 (unreleased) landed
-
Link libpq with libdl if the platform needs that.
- 4df477153a6b 19 (unreleased) landed
- 7bd752c1fb8e 18.0 landed
-
Doc: correct spelling of meson switch.
- 3faac9d14063 16.9 landed
- 766d2e673342 17.5 landed
- ac557793d478 18.0 landed
-
oauth: Correct SSL dependency for libpq-oauth.a
- 3db68212a393 18.0 landed
-
oauth: Fix Autoconf build on macOS
- 4ea1254f35b2 18.0 cited
-
oauth: Move the builtin flow into a separate module
- b0635bfda053 18.0 landed
-
Remove a stray "pgrminclude" annotation
- 764d501d24ba 18.0 cited
-
oauth: Simplify copy of PGoauthBearerRequest
- 1cf4c56480f8 18.0 landed
-
oauth: Improve validator docs on interruptibility
- 873c0fd67872 18.0 landed
-
oauth: Disallow synchronous DNS in libcurl
- d7e40845f923 18.0 landed
-
oauth: Fix postcondition for set_timer on macOS
- 434dbf6907ec 18.0 landed
-
oauth: Use IPv4-only issuer in oauth_validator tests
- 8d9d5843b55f 18.0 landed
-
Work around OAuth/EVFILT_TIMER quirk on NetBSD.
- c301a0a74a8a 18.0 landed
-
oauth: Fix incorrect const markers in struct
- 03366b61dfe5 18.0 landed
-
Add missing entry to oauth_validator test .gitignore
- 2c53dec7f440 18.0 landed
-
cirrus: Temporarily fix libcurl link error
- 9d9a71002a1c 18.0 landed
-
Add support for OAUTHBEARER SASL mechanism
- b3f0be788afc 18.0 landed
-
libpq: Handle asynchronous actions during SASL
- a99a32e43ed7 18.0 landed
-
require_auth: prepare for multiple SASL mechanisms
- f8d8581ed882 18.0 landed
-
Move PG_MAX_AUTH_TOKEN_LENGTH to libpq/auth.h
- e21d6f297158 18.0 landed
-
Make SASL max message length configurable
- 6d16f9debae0 18.0 landed
-
jsonapi: fully initialize dummy lexer
- 41b023946dfd 18.0 landed
-
common/jsonapi: support libpq as a client
- 0785d1b8b2fa 18.0 landed
-
Remove fe_memutils from libpgcommon_shlib
- f1976df5eaf2 18.0 landed
-
Revert ECPG's use of pnstrdup()
- f0096ef13be2 13.17 landed
- 3557185538fe 14.14 landed
- 2de129b356bf 15.9 landed
- ee2997c678d8 16.5 landed
- e9e05c655069 17.0 landed
- 5388216f6adc 18.0 landed
-
Explicitly require password for SCRAM exchange
- adcdb2c8dda4 17.0 landed
-
Refactor SASL exchange to return tri-state status
- 24178e235ea5 17.0 landed
On Fri, Sep 27, 2024 at 10:58 AM Antonin Houska <ah@cybertec.at> wrote: > Have you considered sending the token for validation to the server, like this > > curl -X GET "https://www.googleapis.com/oauth2/v3/userinfo" -H "Authorization: Bearer $TOKEN" In short, no, but I'm glad you asked. I think it's going to be a common request, and I need to get better at explaining why it's not safe, so we can document it clearly. Or else someone can point out that I'm misunderstanding, which honestly would make all this much easier and less complicated. I would love to be able to do it that way. We cannot, for the same reason libpq must send the server an access token instead of an ID token. The /userinfo endpoint tells you who the end user is, but it doesn't tell you whether the Bearer is actually allowed to access the database. That difference is critical: it's entirely possible for an end user to be authorized to access the database, *and yet* the Bearer token may not actually carry that authorization on their behalf. (In fact, the user may have actively refused to give the Bearer that permission.) That's why people are so pedantic about saying that OAuth is an authorization framework and not an authentication framework. To illustrate, think about all the third-party web services out there that ask you to Sign In with Google. They ask Google for permission to access your personal ID, and Google asks you if you're okay with that, and you either allow or deny it. Now imagine that I ran one of those services, and I decided to become evil. I could take my legitimately acquired Bearer token -- which should only give me permission to query your Google ID -- and send it to a Postgres database you're authorized to access. The server is supposed to introspect it, say, "hey, this token doesn't give the bearer access to the database at all," and shut everything down. For extra credit, the server could notice that the client ID tied to the access token isn't even one that it recognizes! But if all the server does is ask Google, "what's the email address associated with this token's end user?", then it's about to make some very bad decisions. The email address it gets back doesn't belong to Jacob the Evil Bearer; it belongs to you. Now, the token introspection endpoint I mentioned upthread should give us the required information (scopes, etc.). But Google doesn't implement that one. In fact they don't seem to have implemented custom scopes at all in the years since I started work on this feature, which makes me think that people are probably not going to be able to safely log into Postgres using Google tokens. Hopefully there's some feature buried somewhere that I haven't seen. Let me know if that makes sense. (And again: I'd love to be proven wrong. It would improve the reach of the feature considerably if I am.) Thanks, --Jacob