Re: [PoC] Federated Authn/z with OAUTHBEARER

From: Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>
To: Daniel Gustafsson <daniel(at)yesql(dot)se>
Cc: PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, Shlok Kyal <shlok(dot)kyal(dot)oss(at)gmail(dot)com>, mahendrakar s <mahendrakarforpg(at)gmail(dot)com>, Andrey Chudnovsky <achudnovskij(at)gmail(dot)com>, Thomas Munro <thomas(dot)munro(at)gmail(dot)com>, "hlinnaka(at)iki(dot)fi" <hlinnaka(at)iki(dot)fi>, "michael(at)paquier(dot)xyz" <michael(at)paquier(dot)xyz>, "smilingsamay(at)gmail(dot)com" <smilingsamay(at)gmail(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, Andrew Dunstan <andrew(at)dunslane(dot)net>
Subject: Re: [PoC] Federated Authn/z with OAUTHBEARER
Date: 2024-03-01 17:46:27
Message-ID: CAOYmi+mSSY4SvOtVN7zLyUCQ4-RDkxkzmTuPEN+t-PsB7GHnZA@mail.gmail.com
Lists: pgsql-hackers

On Thu, Feb 29, 2024 at 5:08 PM Jacob Champion
<jacob(dot)champion(at)enterprisedb(dot)com> wrote:
> We are now very, very close to green.

v19 gets us a bit closer by adding a missed import for Windows. I've
also removed iddawc support, so the client patch is lighter.

> The new oauth_validator tests can't work on Windows, since the client
> doesn't support OAuth there. The python/server tests can handle this
> case, since they emulate the client behavior; do we want to try
> something similar in Perl?

In addition to this question, I'm starting to notice intermittent
failures of the form

error: ... failed to fetch OpenID discovery document: failed to
queue HTTP request

This corresponds to a TODO in the libcurl implementation -- if the
initial call to curl_multi_socket_action() reports that no handles are
running, I treated that as an error. But it looks like it's possible
for libcurl to finish a request synchronously if the remote responds
quickly enough, so that needs to change.

--Jacob

Attachment Content-Type Size
since-v18.diff.txt text/plain 26.5 KB
v19-0002-Refactor-SASL-exchange-to-return-tri-state-statu.patch application/octet-stream 9.9 KB
v19-0004-libpq-add-OAUTHBEARER-SASL-mechanism.patch application/octet-stream 106.3 KB
v19-0001-common-jsonapi-support-FRONTEND-clients.patch application/octet-stream 20.4 KB
v19-0003-Explicitly-require-password-for-SCRAM-exchange.patch application/octet-stream 3.2 KB
v19-0005-backend-add-OAUTHBEARER-SASL-mechanism.patch application/octet-stream 39.9 KB
v19-0007-Add-pytest-suite-for-OAuth.patch application/octet-stream 171.8 KB
v19-0008-XXX-temporary-patches-to-build-and-test.patch application/octet-stream 3.8 KB
v19-0006-Introduce-OAuth-validator-libraries.patch application/octet-stream 32.0 KB
v19-0009-WIP-Python-OAuth-provider-implementation.patch application/octet-stream 9.7 KB
