| From: | Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com> |
|---|---|
| To: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
| Cc: | Peter Eisentraut <peter(at)eisentraut(dot)org>, Antonin Houska <ah(at)cybertec(dot)at>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: [PoC] Federated Authn/z with OAUTHBEARER |
| Date: | 2025-01-09 22:35:06 |
| Message-ID: | CAOYmi+naWOzXAzbRDfW_bY36S9iNYi0iscdmViKEOgXrfXMpQw@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Thu, Jan 9, 2025 at 12:40 PM Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:
> + * Find the start of the .well-known prefix. IETF rules state this must be
> + * at the beginning of the path component, but OIDC defined it at the end
> + * instead, so we have to search for it anywhere.
> I was looking for a reference for OIDC defining the WK prefix placement but I
> could only find it deferring to RFC5785 like how RFC8414 does. Can you inject
> a document reference for this?
I'll add a note in the comment. It's in Section 4 of OIDC Discovery
1.0: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
(This references RFC 5785, but only to obliquely point out that it's
not actually compliant with RFC 5785, if the issuer ID has a path
component. Section 4.1 gives an example.)
> + if (strcmp(conn->oauth_issuer_id, discovery_issuer) != 0)
> Shouldn't the scheme component really be compared case-insensitive, or has it
> been normalized at this point? Not sure how much it matters in practice but if
> not perhaps we should add a TODO marker there?
I don't think we should. While I've read some fights about the meaning
of "identical" in OIDCD Sec 4.3, IETF seems to be pushing hard for
exact equality of issuer IDs. RFC 9207 says [1]
This [issuer] comparison MUST use simple string comparison as
defined in Section 6.2.1 of [RFC3986].
(Simple string comparison being byte/character-wise rather than
performing a normalization step.) While RFC 9207 doesn't govern the
Device Authorization flow yet (maybe not ever?), the current OAuth 2.1
draft refers to its rules as a MUST [2], and I think we should just be
strict for the safety of future flow implementations.
I'm sure someone's going to complain at some point, but IMNSHO, the
fix for them is just to use the same formatting and capitalization as
the discovery document, and move on.
--
I'll address the other comments in the upcoming v41.
Thanks!
--Jacob
[1] https://www.rfc-editor.org/rfc/rfc9207#section-2.4
[2] https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-12.html#section-7.13.1
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Daniel Gustafsson | 2025-01-09 22:44:34 | Re: [PoC] Federated Authn/z with OAUTHBEARER |
| Previous Message | Melanie Plageman | 2025-01-09 22:18:49 | Re: Adjusting hash join memory limit to handle batch explosion |