Re: [PoC] Federated Authn/z with OAUTHBEARER

From: Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>
To: Daniel Gustafsson <daniel(at)yesql(dot)se>
Cc: PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, Shlok Kyal <shlok(dot)kyal(dot)oss(at)gmail(dot)com>, mahendrakar s <mahendrakarforpg(at)gmail(dot)com>, Andrey Chudnovsky <achudnovskij(at)gmail(dot)com>, Thomas Munro <thomas(dot)munro(at)gmail(dot)com>, "hlinnaka(at)iki(dot)fi" <hlinnaka(at)iki(dot)fi>, "michael(at)paquier(dot)xyz" <michael(at)paquier(dot)xyz>, "smilingsamay(at)gmail(dot)com" <smilingsamay(at)gmail(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, Andrew Dunstan <andrew(at)dunslane(dot)net>
Subject: Re: [PoC] Federated Authn/z with OAUTHBEARER
Date: 2024-03-11 22:51:24
Message-ID: CAOYmi+kKNZCL7uz-LHyBggM+fEcf4285pFWwm7spkUb8irY7mQ@mail.gmail.com
Lists: pgsql-hackers

On Fri, Mar 1, 2024 at 9:46 AM Jacob Champion
<jacob(dot)champion(at)enterprisedb(dot)com> wrote:
> v19 gets us a bit closer by adding a missed import for Windows. I've
> also removed iddawc support, so the client patch is lighter.

v20 fixes a bunch more TODOs:
1) the client initial response is validated more closely
2) the server's invalid_token parameters are properly escaped into the
containing JSON (though, eventually, we probably want to just reject
invalid HBA settings instead of passing them through to the client)
3) Windows-specific responses have been recorded in the test suite

While poking at item 2, I was reminded that there's an alternative way
to get OAuth parameters from the server, and it's subtly incompatible
with the OpenID spec because OpenID didn't follow the rules for
.well-known URI construction [1]. :( Some sort of knob will be
required to switch the behaviors.

I renamed the API for the validator module from res->authenticated to
res->authorized. Authentication is optional, but a validator *must*
check that the client it's talking to was authorized by the user to
access the server, whether or not the user is authenticated. (It may
additionally verify that the user is authorized to access the
database, or it may simply authenticate the user and defer to the
usermap.) Documenting that particular subtlety is going to be
interesting...

The tests now exercise different issuers for different users, which
will also be a good way to signal the server to respond in different
ways during the validator tests. It does raise the question: if a
third party provides an issuer-specific module, how do we switch
between that and some other module for a different user?

Andrew asked over at [2] if we could perhaps get 0001 in as well. I
think the main thing to figure out there is, is requiring linkage
against libpq (see 0008) going to be okay for the frontend binaries
that need JSON support? Or do we need to do something like moving
PQExpBuffer into src/common to simplify the dependency tree?

--Jacob

[1] https://www.rfc-editor.org/rfc/rfc8414.html#section-5
[2] https://www.postgresql.org/message-id/682c8fff-355c-a04f-57ac-81055c4ccda8%40dunslane.net

Attachment Content-Type Size
since-v19.diff.txt text/plain 35.3 KB
v20-0003-Explicitly-require-password-for-SCRAM-exchange.patch application/octet-stream 3.2 KB
v20-0002-Refactor-SASL-exchange-to-return-tri-state-statu.patch application/octet-stream 9.9 KB
v20-0005-backend-add-OAUTHBEARER-SASL-mechanism.patch application/octet-stream 41.7 KB
v20-0001-common-jsonapi-support-FRONTEND-clients.patch application/octet-stream 20.4 KB
v20-0004-libpq-add-OAUTHBEARER-SASL-mechanism.patch application/octet-stream 106.3 KB
v20-0006-Introduce-OAuth-validator-libraries.patch application/octet-stream 34.0 KB
v20-0007-Add-pytest-suite-for-OAuth.patch application/octet-stream 176.9 KB
v20-0009-WIP-Python-OAuth-provider-implementation.patch application/octet-stream 10.8 KB
v20-0008-XXX-temporary-patches-to-build-and-test.patch application/octet-stream 3.8 KB
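Added illustration, not part of this message or of the v20 patch set: the two server-side details the message touches, a stricter validation of the OAUTHBEARER client initial response (item 1, RFC 7628 section 3.1 grammar) and the .well-known URI construction difference behind the "knob" paragraph (RFC 8414 inserts the well-known segment between host and issuer path, OpenID Connect Discovery appends it to the issuer). Everything here is this example's own: the function names, the "rfc8414"/"openid" flavor labels, and the constructed sample message, which follows the shape of the RFC 7628 example but is not taken from the patches.

```python
"""Strict OAUTHBEARER client-initial-response parser plus the two
incompatible discovery-URL rules.  Example code; names are assumptions."""
import re
from urllib.parse import urlsplit, urlunsplit

KVSEP = "\x01"
# b64token (RFC 6750 section 2.1), key = 1*ALPHA, value = *(VCHAR/SP/HTAB/CR/LF)
_B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")
_KEY = re.compile(r"^[A-Za-z]+$")
_VALUE = re.compile(r"^[\x21-\x7e \t\r\n]*$")

# Constructed sample in the RFC 7628 example shape (not from the patch set).
SAMPLE = ("n,a=user@example.com,\x01host=server.example.com\x01port=143\x01"
          "auth=Bearer vF9dft4qmTc2Nvb3RlckBhbHRhdmlzdGEuY29tCg==\x01\x01")


class OAuthBearerError(ValueError):
    """Raised for a client initial response that does not match the grammar."""


def _decode_saslname(name: str) -> str:
    # RFC 5801 gs2-authzid escapes "," as =2C and "=" as =3D; anything else is invalid.
    if re.search(r"=(?!2C|3D)", name):
        raise OAuthBearerError("bad escape in authzid")
    return name.replace("=2C", ",").replace("=3D", "=")


def parse_client_initial_response(msg: str) -> dict:
    """client-resp = (gs2-header kvsep *kvpair kvsep) / kvsep  (RFC 7628 3.1).

    Returns {} for the bare-kvsep form (client has no token and wants the
    server's error JSON), otherwise cbind flag, authzid, attrs and token."""
    if msg == KVSEP:
        return {}
    head, sep, rest = msg.partition(KVSEP)
    if not sep or not rest.endswith(KVSEP):
        raise OAuthBearerError("missing kvsep framing")
    # gs2-header = gs2-cb-flag "," [ "a=" authzid ] ","  -> exactly three fields
    parts = head.split(",")
    if len(parts) != 3 or parts[2] != "":
        raise OAuthBearerError("malformed gs2-header")
    flag, authz, _ = parts
    if flag not in ("n", "y") and not re.fullmatch(r"p=[A-Za-z0-9.\-]+", flag):
        raise OAuthBearerError("bad channel-binding flag")
    if authz and not authz.startswith("a="):
        raise OAuthBearerError("bad authzid field")
    attrs: dict = {}
    body = rest[:-1]                      # drop the terminating kvsep
    if body and not body.endswith(KVSEP):
        raise OAuthBearerError("kvpair not terminated by kvsep")
    for pair in (body.split(KVSEP)[:-1] if body else []):
        key, eq, value = pair.partition("=")
        if not eq or not _KEY.match(key) or not _VALUE.match(value):
            raise OAuthBearerError(f"malformed kvpair {pair!r}")
        if key in attrs:
            raise OAuthBearerError(f"duplicate key {key!r}")
        attrs[key] = value
    auth = attrs.get("auth")
    if auth is None:
        raise OAuthBearerError("auth kvpair is required")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not _B64TOKEN.match(token):
        raise OAuthBearerError("auth must be 'Bearer <b64token>'")
    return {"cbind": flag,
            "authzid": _decode_saslname(authz[2:]) if authz else None,
            "attrs": attrs, "token": token}


def rejects(msg: str) -> bool:
    """True if the parser refuses msg (handy for negative checks)."""
    try:
        parse_client_initial_response(msg)
    except OAuthBearerError:
        return True
    return False


def discovery_url(issuer: str, flavor: str) -> str:
    """RFC 8414 section 3 inserts the well-known segment between host and
    issuer path; OpenID Connect Discovery appends it to the issuer.  The two
    only agree when the issuer has no path (RFC 8414 section 5)."""
    p = urlsplit(issuer)
    if p.scheme != "https" or p.query or p.fragment:
        raise ValueError("issuer must be https with no query or fragment")
    path = p.path.rstrip("/")
    if flavor == "rfc8414":
        new_path = "/.well-known/oauth-authorization-server" + path
    elif flavor == "openid":
        new_path = path + "/.well-known/openid-configuration"
    else:
        raise ValueError(f"unknown flavor {flavor!r}")
    return urlunsplit((p.scheme, p.netloc, new_path, "", ""))


if __name__ == "__main__":
    print(parse_client_initial_response(SAMPLE))
    for f in ("rfc8414", "openid"):
        print(f, discovery_url("https://example.com/issuer1", f))
```

For an issuer with a path component the two flavors yield different URLs, which is why a server cannot guess the right document location from the issuer alone and needs the explicit switch the message mentions; with a path-less issuer both rules coincide.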
