| From: | Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com> |
|---|---|
| To: | Peter Eisentraut <peter(at)eisentraut(dot)org> |
| Cc: | Daniel Gustafsson <daniel(at)yesql(dot)se>, Antonin Houska <ah(at)cybertec(dot)at>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: [PoC] Federated Authn/z with OAUTHBEARER |
| Date: | 2025-01-08 17:13:38 |
| Message-ID: | CAOYmi+m+-yUHXVVV8OCcg5QbeNG-9JJA590=wbPcOGYqAZF8Ng@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Tue, Jan 7, 2025 at 2:24 PM Jacob Champion
<jacob(dot)champion(at)enterprisedb(dot)com> wrote:
> Along those lines, though, Michael Paquier suggested that maybe I
> could pull the require_auth prefactoring up to the front of the
> patchset. That might look a bit odd until OAuth support lands, since
> it won't be adding any new useful value, but I will give it a shot.
While I take a look at the async patch from upthread, here is my
attempt at pulling the require_auth change out.
Note that there's a dead branch that cannot be exercised until OAuth
lands. We're not going to process the SASL mechanism name at all if no
mechanisms are allowed to begin with, and right now SASL is synonymous
with SCRAM. I can change that by always allowing AuthenticationSASL
messages -- even if none of the allowed authentication types use SASL
-- but that approach didn't seem to generate excitement on- or
off-list the last time I proposed it [1].
Thanks,
--Jacob
[1] https://postgr.es/m/CAAWbhmg%2BGzNMK5Li182BKSbzoFVaKk_dDJ628NnuV80GqYgFFg%40mail.gmail.com
| Attachment | Content-Type | Size |
|---|---|---|
| require_auth_portion.diff.txt | text/plain | 10.1 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Sami Imseih | 2025-01-08 17:36:51 | Re: improve DEBUG1 logging of parallel workers for CREATE INDEX? |
| Previous Message | Andrew Dunstan | 2025-01-08 16:45:02 | Re: jsonb_strip_nulls with arrays? |