Re: [PoC] Federated Authn/z with OAUTHBEARER

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Bruce Momjian <bruce(at)momjian(dot)us>
Cc: Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, Daniel Gustafsson <daniel(at)yesql(dot)se>, Thomas Munro <thomas(dot)munro(at)gmail(dot)com>, Nazir Bilal Yavuz <byavuz81(at)gmail(dot)com>, Andres Freund <andres(at)anarazel(dot)de>, Peter Eisentraut <peter(at)eisentraut(dot)org>, Antonin Houska <ah(at)cybertec(dot)at>
Subject: Re: [PoC] Federated Authn/z with OAUTHBEARER
Date: 2025-03-20 21:08:54
Message-ID: 1120967.1742504934@sss.pgh.pa.us
Lists: pgsql-hackers

Bruce Momjian <bruce(at)momjian(dot)us> writes:
> On Thu, Mar 20, 2025 at 01:33:26PM -0700, Jacob Champion wrote:
>> So one question for the collective is -- putting Curl itself aside --
>> is having a basic-but-usable OAuth flow, out of the box, worth the
>> costs of a generic HTTP client?

> One observation is that security scanning tools are going to see the
> curl dependency and look at any CSVs related to them and ask us, whether
> they are using OAUTH or not.

Yes. Also, none of this has addressed my complaint about the extent
of the build and install dependencies. Yes, simply not selecting
--with-libcurl removes the problem ... but most packagers are under
very heavy pressure to enable all features of a package.

From what's been said here, only a small minority of users are likely
to have any interest in this feature. So my answer to "is it worth
the cost" is no, and would be no even if I had a lower estimate of
the costs.

I don't have any problem with making a solution available to those
users who want it --- but I really do NOT want this to be part of
stock libpq nor done as part of the core Postgres build. I do not
think that the costs of that have been fully accounted for, especially
not the fact that almost all of those costs fall on people other than
us.

I'd like to see this moved out to some separate package that has to be
explicitly linked in and then hooks into libpq's custom-provider API.

regards, tom lane
