| From: | Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com> |
|---|---|
| To: | Jelte Fennema-Nio <postgres(at)jeltef(dot)nl> |
| Cc: | Noah Misch <noah(at)leadboat(dot)com>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: dispchar for oauth_client_secret |
| Date: | 2025-04-21 15:18:58 |
| Message-ID: | CAOYmi+kGgZEHdkH=w6mTa1Z9vSz3stX4qt6ws-tEDem7DT2k1w@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Tue, Apr 15, 2025 at 11:11 PM Jelte Fennema-Nio <postgres(at)jeltef(dot)nl> wrote:
> On Wed, 16 Apr 2025 at 02:03, Jacob Champion
> <jacob(dot)champion(at)enterprisedb(dot)com> wrote:
> > Thank you for saying something; I'd hallucinated that srvoptions was
> > limited to the server owner, and that's not true. It's pg_user_mapping
> > that has the protection.
>
> FWIW, I have some ideas on being able to store secrets in a server in
> a safe way. I'll probably start a thread on that somewhere in the next
> few months.
Sounds great!
Attached is my proposed fix. 0001 disables use of the new oauth_*
options in our FDWs. 0002 changes dispchar.
Thanks,
--Jacob
| Attachment | Content-Type | Size |
|---|---|---|
| 0001-oauth-Disallow-OAuth-connections-via-postgres_fdw-db.patch | application/octet-stream | 7.1 KB |
| 0002-oauth-Classify-oauth_client_secret-as-a-password.patch | application/octet-stream | 2.0 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jacob Champion | 2025-04-21 15:33:28 | Re: jsonapi: scary new warnings with LTO enabled |
| Previous Message | Thomas Munro | 2025-04-21 14:16:31 | Re: Changing shared_buffers without restart |