Re: [PoC] Federated Authn/z with OAUTHBEARER

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: mahendrakar s <mahendrakarforpg(at)gmail(dot)com>
Cc: Andrey Chudnovsky <achudnovskij(at)gmail(dot)com>, Jacob Champion <jchampion(at)timescale(dot)com>, hlinnaka(at)iki(dot)fi, Michael Paquier <michael(at)paquier(dot)xyz>, Pg Hackers <pgsql-hackers(at)postgresql(dot)org>, smilingsamay(at)gmail(dot)com
Subject: Re: [PoC] Federated Authn/z with OAUTHBEARER
Date: 2023-02-20 22:35:36
Message-ID: Y/P1uITaEcLGGB0Z@tamriel.snowman.net
Lists: pgsql-hackers


Greetings,

* mahendrakar s (mahendrakarforpg(at)gmail(dot)com) wrote:
> The "issuer" field has been removed to align with the RFC
> implementation - https://www.rfc-editor.org/rfc/rfc7628.
> This patch "v6" is a single patch to support the OAUTH BEARER token
> through psql connection string.
> Below flow is supported. Added the documentation in the commit messages.
>
> +------------------------+                               +----------+
> |             +-------+  |                               | Postgres |
> | PQconnect ->|       |  |                               |          |
> |             |       |  |                               |          |    +-----------+
> |             |       | ---------- Empty Token--------->  |  >       |    |           |
> |             | libpq | <-- Error(Discovery + Scope ) -- |  <       |    | Pre-Auth  |
> |             +-------+  |                               |          |    |   Hook    |
> |   +- < | Hook |        |                               |          |    +-----------+
> |   |    +------+        |                               |          |
> |   v                    |                               |          |
> |  [get token]           |                               |          |
> |   |                    |                               |          |
> |   +                    |                               |          |    +-----------+
> | PQconnect > |       | --------- Access Token -------->  |  >       |    | Validator |
> |             |       | <---------- Auth Result -------- |  <       |    |   Hook    |
> |             |       |  |                               |          |    +-----------+
> |             +-------+  |                               |          |
> +------------------------+                               +----------+
>
> Please note that we are working on modifying/adding new tests (from
> Jacob's Patch) with the latest changes. Will add a patch with tests
> soon.

Having skimmed back through this thread again, I still feel that the
direction that was originally being taken (actually support something in
libpq and the backend, be it with libiddawc or something else or even
our own code, and not just throw hooks in various places) makes a lot
more sense and is a lot closer to how Kerberos and client-side certs and
even LDAP auth work today. That also seems like a much better answer
for our users when it comes to new authentication methods than having
extensions and making libpq developers have to write their own custom
code, not to mention that we'd still need to implement something in psql
to provide such a hook if we are to have psql actually usefully exercise
this, no?

In the Kerberos test suite we have today, we actually bring up a proper
Kerberos server, set things up, and then test end-to-end installing a
keytab for the server, getting a TGT, getting a service ticket, testing
authentication and encryption, etc. Looking around, it seems like the
equivalent would perhaps be to use Glewlwyd and libiddawc or libcurl and
our own code to really be able to test this and show that it works and
that we're doing it correctly, and to let us know if we break something.

Thanks,

Stephen
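The two-round-trip flow in the quoted diagram, modelled as the SASL OAUTHBEARER payloads that RFC 7628 defines. This is an added example, not code from the patch under discussion or from libpq; the Postgres wire framing around the payloads, the `valid_tokens` lookup and the `issuer.example` URL are constructed assumptions.

```python
import json

SEP = "\x01"  # RFC 7628 delimits key=value pairs with ^A (0x01)

def client_initial_response(token: str, authzid: str = "") -> bytes:
    """Client message: gs2-header, then ^A-separated key=value pairs ending in
    a double ^A (RFC 7628 section 3.1). An empty token is the 'Empty Token'
    probe in the diagram, sent only to obtain discovery data."""
    gs2 = "n," + ("a=" + authzid if authzid else "") + ","
    return (gs2 + SEP + "auth=Bearer " + token + SEP + SEP).encode()

def parse_client_initial_response(msg: bytes) -> dict:
    """Server-side parse; rejects framing errors instead of guessing."""
    gs2, found, rest = msg.decode().partition(SEP)
    if not found or not rest.endswith(SEP + SEP):
        raise ValueError("malformed OAUTHBEARER initial response")
    fields = {}
    for pair in rest[:-2].split(SEP):
        key, eq, value = pair.partition("=")
        if not eq or not key:
            raise ValueError("malformed key=value pair")
        fields[key] = value
    if not fields.get("auth", "").startswith("Bearer "):
        raise ValueError("auth attribute must carry a Bearer token")
    return {"gs2": gs2, "token": fields["auth"][len("Bearer "):]}

def server_step(msg: bytes, valid_tokens: dict, issuer: str, scope: str):
    """Validator side. Returns ("ok", principal) or ("error", json_bytes);
    the JSON is the failure document of RFC 7628 section 3.2.2, i.e. the
    'Error(Discovery + Scope)' reply in the diagram."""
    token = parse_client_initial_response(msg)["token"]
    principal = valid_tokens.get(token) if token else None  # constructed lookup
    if principal:
        return "ok", principal
    failure = {"status": "invalid_token", "scope": scope,
               "openid-configuration": issuer + "/.well-known/openid-configuration"}
    return "error", json.dumps(failure).encode()

def run_flow(get_token, valid_tokens, issuer="https://issuer.example", scope="openid"):
    """Both PQconnect attempts: probe, hand discovery data to the client hook,
    retry with the token it obtained. Returns (round_trips, principal or None)."""
    status, reply = server_step(client_initial_response(""), valid_tokens, issuer, scope)
    if status == "ok":
        return 1, reply
    discovery = json.loads(reply)
    token = get_token(discovery["openid-configuration"], discovery["scope"])
    status, reply = server_step(client_initial_response(token), valid_tokens, issuer, scope)
    return 2, (reply if status == "ok" else None)
```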
