Re: [PoC] Federated Authn/z with OAUTHBEARER

Peter Eisentraut <peter@eisentraut.org>

From: Peter Eisentraut <peter@eisentraut.org>
To: Jacob Champion <jacob.champion@enterprisedb.com>, Christoph Berg <myon@debian.org>, Andres Freund <andres@anarazel.de>, Tom Lane <tgl@sss.pgh.pa.us>, Bruce Momjian <bruce@momjian.us>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>, Daniel Gustafsson <daniel@yesql.se>, Thomas Munro <thomas.munro@gmail.com>, Nazir Bilal Yavuz <byavuz81@gmail.com>, Antonin Houska <ah@cybertec.at>, Wolfgang Walther <walther@technowledgy.de>, Jelte Fennema-Nio <postgres@jeltef.nl>
Date: 2025-04-15T12:31:50Z
Lists: pgsql-hackers

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. meson: Fix install-quiet after clean

  2. oauth: Run Autoconf tests with correct compiler flags

  3. Link libpq with libdl if the platform needs that.

  4. Doc: correct spelling of meson switch.

  5. oauth: Correct SSL dependency for libpq-oauth.a

  6. oauth: Fix Autoconf build on macOS

  7. oauth: Move the builtin flow into a separate module

  8. Remove a stray "pgrminclude" annotation

  9. oauth: Simplify copy of PGoauthBearerRequest

  10. oauth: Improve validator docs on interruptibility

  11. oauth: Disallow synchronous DNS in libcurl

  12. oauth: Fix postcondition for set_timer on macOS

  13. oauth: Use IPv4-only issuer in oauth_validator tests

  14. Work around OAuth/EVFILT_TIMER quirk on NetBSD.

  15. oauth: Fix incorrect const markers in struct

  16. Add missing entry to oauth_validator test .gitignore

  17. cirrus: Temporarily fix libcurl link error

  18. Add support for OAUTHBEARER SASL mechanism

  19. libpq: Handle asynchronous actions during SASL

  20. require_auth: prepare for multiple SASL mechanisms

  21. Move PG_MAX_AUTH_TOKEN_LENGTH to libpq/auth.h

  22. Make SASL max message length configurable

  23. jsonapi: fully initialize dummy lexer

  24. common/jsonapi: support libpq as a client

  25. Remove fe_memutils from libpgcommon_shlib

  26. Revert ECPG's use of pnstrdup()

  27. Explicitly require password for SCRAM exchange

  28. Refactor SASL exchange to return tri-state status

On 10.04.25 01:08, Jacob Champion wrote:
> Christoph noted that this was also confusing from the packaging side,
> earlier, and Daniel proposed -Doauth-client/--with-oauth-client as the
> feature switch name instead. Any objections? Unfortunately it would
> mean a buildfarm email is in order, so we should get it locked in.

We had that discussion early in the development, and I still think it's 
not the right choice.

The general idea, at least on the Autoconf side, is that --with-FOO 
means enable all the features that require library FOO.  For example, 
--with-ldap enables all the LDAP-related features, including 
authentication support in libpq, authentication support in the server, 
and service lookup in libpq.  --with-[open]ssl enables all the features 
that use OpenSSL, including SSL support in the client and server but 
also encryption support in pgcrypto.

The naming system you propose has problems:

First, what if we add another kind of "oauth-client" that doesn't use 
libcurl, how would you extend the set of options?

Second, what if we add some kind of oauth plugin for the server that 
uses libcurl, how would you extend the set of options?

If you used that system for options in the ldap or openssl cases, you'd 
end up with maybe six options (and packagers would forget to turn on 
half of them).  But worse, what you are hiding is the information what 
dependencies you are pulling in, which is the actual reason for the 
options.  (If there was no external dependency, there would be no option 
at all.)

This seems unnecessarily complicated and inconsistent.  Once you have 
made the choice of taking the libcurl dependency, why not build 
everything that requires it?

(Nitpick: If you go with this kind of option, it should be --enable-XXX 
on the Autoconf side.)