Re: [PoC] Federated Authn/z with OAUTHBEARER

From: Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>
To: Daniel Gustafsson <daniel(at)yesql(dot)se>
Cc: Peter Eisentraut <peter(at)eisentraut(dot)org>, Antonin Houska <ah(at)cybertec(dot)at>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [PoC] Federated Authn/z with OAUTHBEARER
Date: 2025-02-17 23:51:23
Message-ID: CAOYmi+nP8AM9xm+xUW5kDz7XDF7MKBjuDnQ4LjMEm07tpwDgrg@mail.gmail.com
Lists: pgsql-hackers

On Mon, Feb 17, 2025 at 10:15 AM Jacob Champion
<jacob(dot)champion(at)enterprisedb(dot)com> wrote:
> It's been a little bit since I've re-run my
> fuzzers, and a new Valgrind run would be a good idea, so I will just
> keep throwing tests at it

Fuzzers are happy so far.

Valgrind did find something! A mistake I made during parameter
discovery: setup_oauth_parameters() ensures that conn->oauth_issuer_id
is always set using the "issuer" connection option, but during the
second connection, I reassigned the pointer for it (and
conn->oauth_discovery_uri) and leaked the previous allocations.

v52-0002 fixes that. I've taken the opportunity to document that those
two parameters are designed to be unchangeable for the connection once
they've been assigned.

--

Reviews for the commit message:

> postgres cannot ship with one built-in.

s/postgres/Postgres/. Maybe a softening to "does not" ship with one?

> Each pg_hba entry can
> specify one, or more, validators or be left blank for the validator
> installed as default.

Each pg_hba entry can specify only one of the DBA-blessed validators, not more.

> This adds a requirement on libucurl

s/libucurl/libcurl/

And as discussed offlist, we should note that the builtin device flow
is not currently supported on Windows.

Thanks!
--Jacob

Attachment Content-Type Size
v52-0001-Add-support-for-OAUTHBEARER-SASL-mechanism.patch application/octet-stream 324.0 KB
v52-0002-fixup-Add-support-for-OAUTHBEARER-SASL-mechanism.patch application/octet-stream 1.4 KB
v52-0003-cirrus-Temporarily-fix-libcurl-link-error.patch application/octet-stream 1.3 KB
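The leak described above (a pointer reassigned on the second connection attempt, dropping the allocation made on the first) is easy to reproduce in miniature. The following is an added illustration written for this page, not code from the patch or from libpq: the `oauth_params` struct, the `assign_leaky`/`assign_once` helpers and the two simulation functions are hypothetical stand-ins for `PGconn`, `conn->oauth_issuer_id`, `conn->oauth_discovery_uri` and `setup_oauth_parameters()`. It contrasts the unconditional reassignment that Valgrind flags with a write-once assignment that matches the documented intent that these two parameters never change once set for a connection.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the connection fields discussed in the email.
 * The leaked_blocks counter only exists to make the leak observable without
 * running the program under Valgrind. */
typedef struct {
    char *issuer_id;
    char *discovery_uri;
    int   leaked_blocks;
} oauth_params;

/* Portable strdup() replacement so the example builds under strict ISO C. */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy != NULL)
        memcpy(copy, s, n);
    return copy;
}

/* Leaky pattern: reassigning the slot makes the previous block unreachable.
 * Under Valgrind this shows up as "definitely lost" on the second attempt. */
static void assign_leaky(char **slot, const char *value, int *leaked)
{
    if (*slot != NULL)
        (*leaked)++;          /* old allocation is now orphaned */
    *slot = dup_string(value);
}

/* Fixed pattern: the parameter is write-once for the connection. A later
 * call leaves the existing value untouched and reports 0 so the caller can
 * treat an attempt to change it as a logic error. */
static int assign_once(char **slot, const char *value)
{
    if (*slot != NULL)
        return 0;             /* already set; do not reassign or free */
    *slot = dup_string(value);
    return *slot != NULL;
}

static void free_params(oauth_params *p)
{
    free(p->issuer_id);
    free(p->discovery_uri);
    p->issuer_id = p->discovery_uri = NULL;
}

/* Constructed sample values; any issuer/discovery pair would do. */
static const char *ISSUER    = "https://issuer.example";
static const char *DISCOVERY = "https://issuer.example/.well-known/openid-configuration";

/* Simulates the parameter setup running for two connection attempts with
 * the leaky assignment. Returns the number of orphaned blocks (2: one per
 * field). */
int leaked_after_two_attempts_leaky(void)
{
    oauth_params p = {0};
    for (int attempt = 0; attempt < 2; attempt++) {
        assign_leaky(&p.issuer_id, ISSUER, &p.leaked_blocks);
        assign_leaky(&p.discovery_uri, DISCOVERY, &p.leaked_blocks);
    }
    free_params(&p);          /* only frees the second-attempt blocks */
    return p.leaked_blocks;
}

/* Same two attempts with write-once assignment. Returns the number of
 * rejected reassignments (2) while leaking nothing; values stay intact. */
int rejected_after_two_attempts_fixed(void)
{
    oauth_params p = {0};
    int rejected = 0;
    for (int attempt = 0; attempt < 2; attempt++) {
        if (!assign_once(&p.issuer_id, ISSUER)) rejected++;
        if (!assign_once(&p.discovery_uri, DISCOVERY)) rejected++;
    }
    /* The first-attempt values survive the second attempt unchanged. */
    if (strcmp(p.issuer_id, ISSUER) != 0 || strcmp(p.discovery_uri, DISCOVERY) != 0)
        rejected = -1;
    free_params(&p);
    return rejected;
}

int main(void)
{
    printf("leaky: %d orphaned blocks\n", leaked_after_two_attempts_leaky());
    printf("fixed: %d reassignments refused, 0 leaks\n",
           rejected_after_two_attempts_fixed());
    return 0;
}
```

Running the leaky variant under `valgrind --leak-check=full` reports the first-attempt blocks as definitely lost; the write-once variant reports no leaks, which is the behaviour a fix like v52-0002 is expected to restore.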
