Re: [PoC] Federated Authn/z with OAUTHBEARER

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>
Cc: PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Daniel Gustafsson <daniel(at)yesql(dot)se>, Thomas Munro <thomas(dot)munro(at)gmail(dot)com>, Nazir Bilal Yavuz <byavuz81(at)gmail(dot)com>, Andres Freund <andres(at)anarazel(dot)de>, Peter Eisentraut <peter(at)eisentraut(dot)org>, Antonin Houska <ah(at)cybertec(dot)at>
Subject: Re: [PoC] Federated Authn/z with OAUTHBEARER
Date: 2025-03-20 20:50:57
Message-ID: Z9x_sUXIFz8rjvBN@momjian.us
Lists: pgsql-hackers

On Thu, Mar 20, 2025 at 01:33:26PM -0700, Jacob Champion wrote:
> That's more than I'd like, to be perfectly honest. I'm least happy
> about libssh, because we're not using SFTP but we have to pay for it.
> And the Deb-alikes add librtmp, which I'm not thrilled about either.
>
> The rest are, IMO, natural dependencies of a mature HTTP client: the
> HTTP/1 and HTTP/2 engines, Punycode, the Public Suffix List, UTF
> handling, and common response compression types. Those are kind of
> part and parcel of communicating on the web. (If we find an HTTP
> client that does all those things itself, awesome, but then we have to
> ask how well they did it.)
>
> So one question for the collective is -- putting Curl itself aside --
> is having a basic-but-usable OAuth flow, out of the box, worth the
> costs of a generic HTTP client? A non-trivial footprint *will* be
> there, whether it's one library or several, whether we delay-load it
> or not, whether we have the unused SFTP/RTMP dependencies or not. But
> we could still find ways to reduce that cost for people who aren't
> using it, if necessary.

One observation is that security scanning tools are going to see the
curl dependency and look at any CVEs related to them and ask us whether
they are using OAUTH or not.

--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EDB https://enterprisedb.com

Do not let urgent matters crowd out time for investment in the future.
