Re: [PoC] Federated Authn/z with OAUTHBEARER

From: Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>
To: Antonin Houska <ah(at)cybertec(dot)at>
Cc: Daniel Gustafsson <daniel(at)yesql(dot)se>, Peter Eisentraut <peter(at)eisentraut(dot)org>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [PoC] Federated Authn/z with OAUTHBEARER
Date: 2024-10-29 20:34:00
Message-ID: CAOYmi+mbiD+efRiS+hH1mdTB4J6pjbr053+jo+BsXKrQjopCSg@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Fri, Oct 25, 2024 at 11:22 AM Jacob Champion
<jacob(dot)champion(at)enterprisedb(dot)com> wrote:
> Next up is, hopefully, url-encoding. I hadn't realized what an
> absolute mess that would be [1].

Here is v35, which attempts to perform URL encoding by almost entirely
deferring to Curl, in the naive hope that provider incompatibilities
with libcurl will be taken more seriously than incompatibilities with
a brand-new Postgres feature. I'm not thrilled that the IETF chose to
defer this part of the spec to WHATWG.

Additionally,
- the rest of the feedback patch has been incorporated, with
modifications to the bzero portion (which now focuses on clearing
`token` rather than `authn_id`)
- documentation for the validate_cb callback has been updated to
match, plus additional expansion
- markPQExpBufferBroken() has been promoted to the pqexpbuffer.h API,
because it happens to be useful for the encoding patch
- some duplication of the Authorization code has been refactored away
- "empty" (which is to say, default) scopes are now explicitly tested

Next up will be Antonin's suggested change to the Bearer handling, as
well as previously-discussed changes to the --with-oauth build option.

Thanks,
--Jacob

Attachment Content-Type Size
since-v34.diff.txt text/plain 30.9 KB
v35-0001-Add-OAUTHBEARER-SASL-mechanism.patch application/octet-stream 219.1 KB
v35-0002-DO-NOT-MERGE-Add-pytest-suite-for-OAuth.patch application/octet-stream 187.0 KB

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Jacob Champion 2024-10-29 20:39:36 Re: [PoC] Federated Authn/z with OAUTHBEARER
Previous Message Masahiko Sawada 2024-10-29 20:29:52 Re: Skip collecting decoded changes of already-aborted transactions