Re: [PoC] Federated Authn/z with OAUTHBEARER

From: Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>
To: Antonin Houska <ah(at)cybertec(dot)at>
Cc: Daniel Gustafsson <daniel(at)yesql(dot)se>, Peter Eisentraut <peter(at)eisentraut(dot)org>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [PoC] Federated Authn/z with OAUTHBEARER
Date: 2024-10-29 20:34:00
Message-ID: CAOYmi+mbiD+efRiS+hH1mdTB4J6pjbr053+jo+BsXKrQjopCSg@mail.gmail.com
Lists: pgsql-hackers

On Fri, Oct 25, 2024 at 11:22 AM Jacob Champion
<jacob(dot)champion(at)enterprisedb(dot)com> wrote:
> Next up is, hopefully, url-encoding. I hadn't realized what an
> absolute mess that would be [1].

Here is v35, which attempts to perform URL encoding by almost entirely
deferring to Curl, in the naive hope that provider incompatibilities
with libcurl will be taken more seriously than incompatibilities with
a brand-new Postgres feature. I'm not thrilled that the IETF chose to
defer this part of the spec to WHATWG.

Additionally,
- the rest of the feedback patch has been incorporated, with
modifications to the bzero portion (which now focuses on clearing
`token` rather than `authn_id`)
- documentation for the validate_cb callback has been updated to
match, plus additional expansion
- markPQExpBufferBroken() has been promoted to the pqexpbuffer.h API,
because it happens to be useful for the encoding patch
- some duplication of the Authorization code has been refactored away
- "empty" (which is to say, default) scopes are now explicitly tested

Next up will be Antonin's suggested change to the Bearer handling, as
well as previously-discussed changes to the --with-oauth build option.

Thanks,
--Jacob

Attachment Content-Type Size
since-v34.diff.txt text/plain 30.9 KB
v35-0001-Add-OAUTHBEARER-SASL-mechanism.patch application/octet-stream 219.1 KB
v35-0002-DO-NOT-MERGE-Add-pytest-suite-for-OAuth.patch application/octet-stream 187.0 KB
