| From: | Jacob Champion <jchampion(at)timescale(dot)com> |
|---|---|
| To: | mahendrakar s <mahendrakarforpg(at)gmail(dot)com>, Andrey Chudnovsky <achudnovskij(at)gmail(dot)com> |
| Cc: | "hlinnaka(at)iki(dot)fi" <hlinnaka(at)iki(dot)fi>, "michael(at)paquier(dot)xyz" <michael(at)paquier(dot)xyz>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, "smilingsamay(at)gmail(dot)com" <smilingsamay(at)gmail(dot)com> |
| Subject: | Re: [PoC] Federated Authn/z with OAUTHBEARER |
| Date: | 2022-11-29 21:19:59 |
| Message-ID: | a19dc65a-ccea-fd1b-5e0c-71b7aa8502f1@timescale.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 11/24/22 00:20, mahendrakar s wrote:
> I had validated Github by skipping the discovery mechanism and letting
> the provider extension pass on the endpoints. This is just for
> validation purposes.
> If it needs to be supported, then need a way to send the discovery
> document from extension.
Yeah. I had originally bounced around the idea that we could send a
data:// URL, but I think that opens up problems.
You're supposed to be able to link the issuer URI with the URI you got
the configuration from, and if they're different, you bail out. If a
server makes up its own OpenID configuration, we'd have to bypass that
safety check, and decide what the risks and mitigations are... Not sure
it's worth it.
Especially if you could just lobby GitHub to, say, provide an OpenID
config. (Maybe there's a security-related reason they don't.)
--Jacob
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Michail Nikolaev | 2022-11-29 21:22:25 | Re: Slow standby snapshot |
| Previous Message | Jacob Champion | 2022-11-29 21:12:21 | Re: [PoC] Federated Authn/z with OAUTHBEARER |