pgjdbc/pgjdbc GitHub issues and pull requests (mirror)
help / color / mirror / Atom feed[pgjdbc/pgjdbc] issue #3816: Implement OAUTHBEARER to support PostgreSQL 18 OAuth flow
8+ messages / 4 participants
[nested] [flat]
* [pgjdbc/pgjdbc] issue #3816: Implement OAUTHBEARER to support PostgreSQL 18 OAuth flow
@ 2025-09-26 06:53 "vlsi (@vlsi)" <[email protected]>
0 siblings, 0 replies; 8+ messages in thread
From: vlsi (@vlsi) @ 2025-09-26 06:53 UTC (permalink / raw)
To: pgjdbc/pgjdbc <[email protected]>
See https://github.com/ongres/scram/issues/108
Looks like adding OAUTHBEARER support would be valuable addition to move towards short-lived tokens: https://chatgpt.com/share/68d634d4-3c14-800f-b8e1-a3e4fd5cb6d9
^ permalink raw reply [nested|flat] 8+ messages in thread
* Re: [pgjdbc/pgjdbc] issue #3816: Implement OAUTHBEARER to support PostgreSQL 18 OAuth flow
@ 2026-05-04 16:31 "artemgavrilov (@artemgavrilov)" <[email protected]>
6 siblings, 0 replies; 8+ messages in thread
From: artemgavrilov (@artemgavrilov) @ 2026-05-04 16:31 UTC (permalink / raw)
To: pgjdbc/pgjdbc <[email protected]>
Hi @vlsi , I would like to work on this and I need some help to plan implementation. I have couple of questions and will appreciate any help:
1. I got response from ongres/scram maintainer that OAUTH support is out of scope for them. So I plan to implement the support completely within this project. Is it fine?
2. OAUTH uses JSON for request/response. Can I add some library to handle serialization? If yes do you have any preference?
3. There are two scenarios:
a) User already has token and just passes it during initialization. In fact it should be lambda func that returns token as app may want to refresh it.
b) User don't have any token, makes empty auth request and PG returns info from obtaining token. Here libpq has injection point where custom logic can be added while by default it just logs this information. Does pgjdbc need injection point as well and what should be the default behavior?
^ permalink raw reply [nested|flat] 8+ messages in thread
* Re: [pgjdbc/pgjdbc] issue #3816: Implement OAUTHBEARER to support PostgreSQL 18 OAuth flow
@ 2026-05-04 17:08 "davecramer (@davecramer)" <[email protected]>
6 siblings, 0 replies; 8+ messages in thread
From: davecramer (@davecramer) @ 2026-05-04 17:08 UTC (permalink / raw)
To: pgjdbc/pgjdbc <[email protected]>
I would really prefer not to add a dependency if possible. How much JSON are we talking about ?
^ permalink raw reply [nested|flat] 8+ messages in thread
* Re: [pgjdbc/pgjdbc] issue #3816: Implement OAUTHBEARER to support PostgreSQL 18 OAuth flow
@ 2026-05-04 21:24 "artemgavrilov (@artemgavrilov)" <[email protected]>
6 siblings, 0 replies; 8+ messages in thread
From: artemgavrilov (@artemgavrilov) @ 2026-05-04 21:24 UTC (permalink / raw)
To: pgjdbc/pgjdbc <[email protected]>
Hi @davecramer , not much at all! It seems that it's only for error response, so it's parsing of one json with 3 text fields. Not big deal to handle this, just want to be sure about requirements before touching the code.
^ permalink raw reply [nested|flat] 8+ messages in thread
* Re: [pgjdbc/pgjdbc] issue #3816: Implement OAUTHBEARER to support PostgreSQL 18 OAuth flow
@ 2026-05-05 09:59 "davecramer (@davecramer)" <[email protected]>
6 siblings, 0 replies; 8+ messages in thread
From: davecramer (@davecramer) @ 2026-05-05 09:59 UTC (permalink / raw)
To: pgjdbc/pgjdbc <[email protected]>
> Hi [@vlsi](https://github.com/vlsi) , I would like to work on this and I need some help to plan implementation. I have couple of questions and will appreciate any help:
>
> 1. I got response from ongres/scram maintainer that OAUTH support is out of scope for them. So I plan to implement the support completely within this project. Is it fine?
> 2. OAUTH uses JSON for request/response. Can I add some library to handle serialization? If yes do you have any preference?
> 3. There are two scenarios:
> a) User already has token and just passes it during initialization. In fact it should be lambda func that returns token as app may want to refresh it.
> b) User don't have any token, makes empty auth request and PG returns info from obtaining token. Here libpq has injection point where custom logic can be added while by default it just logs this information. Does pgjdbc need injection point as well and what should be the default behavior?
I think we want b) which will allow us to call out to functions to get input
Dave
^ permalink raw reply [nested|flat] 8+ messages in thread
* Re: [pgjdbc/pgjdbc] issue #3816: Implement OAUTHBEARER to support PostgreSQL 18 OAuth flow
@ 2026-05-05 10:20 "artemgavrilov (@artemgavrilov)" <[email protected]>
6 siblings, 0 replies; 8+ messages in thread
From: artemgavrilov (@artemgavrilov) @ 2026-05-05 10:20 UTC (permalink / raw)
To: pgjdbc/pgjdbc <[email protected]>
Great, thank you! In fact it will be a+b then. I just wanted to know if `b` makes sense at all as some drivers do not implement it.
^ permalink raw reply [nested|flat] 8+ messages in thread
* Re: [pgjdbc/pgjdbc] issue #3816: Implement OAUTHBEARER to support PostgreSQL 18 OAuth flow
@ 2026-05-05 12:54 "sehrope (@sehrope)" <[email protected]>
6 siblings, 0 replies; 8+ messages in thread
From: sehrope (@sehrope) @ 2026-05-05 12:54 UTC (permalink / raw)
To: pgjdbc/pgjdbc <[email protected]>
> User don't have any token, makes empty auth request and PG returns info from obtaining token. Here libpq has injection point where custom logic can be added while by default it just logs this information. Does pgjdbc need injection point as well and what should be the default behavior?
Don't we already have something like this via AuthenticationPlugin?
https://github.com/pgjdbc/pgjdbc/blob/master/pgjdbc/src/main/java/org/postgresql/plugin/Authenticati...
^ permalink raw reply [nested|flat] 8+ messages in thread
* Re: [pgjdbc/pgjdbc] issue #3816: Implement OAUTHBEARER to support PostgreSQL 18 OAuth flow
@ 2026-05-05 14:09 "artemgavrilov (@artemgavrilov)" <[email protected]>
6 siblings, 0 replies; 8+ messages in thread
From: artemgavrilov (@artemgavrilov) @ 2026-05-05 14:09 UTC (permalink / raw)
To: pgjdbc/pgjdbc <[email protected]>
> Don't we already have something like this via AuthenticationPlugin?
>
> https://github.com/pgjdbc/pgjdbc/blob/master/pgjdbc/src/main/java/org/postgresql/plugin/Authenticati...
Yep, probably this interface can be extended with something like this:
```
// This differs from getPassword in the way were it's invoked. Password can be fetched when authenticator created because
// it hasn't TTL, while token should be fetched right before connection creation. This method will cover case A, when user
// knows how and where to obtain token.
char @Nullable [] getToken(AuthenticationRequestType type) throws PSQLException;
// This is for case B, when PG returns information how to obtain token. If this method is not implemented we may fallback to
// just logging this info.
char @Nullable [] getToken(AuthenticationRequestType type, Scope scope, URL url) throws PSQLException;
```
Please note that it's just a high level thoughts, I'm still digging sources to find a proper solution.
^ permalink raw reply [nested|flat] 8+ messages in thread
end of thread, other threads:[~2026-05-05 14:09 UTC | newest]
Thread overview: 8+ messages (download: mbox mbox.gz follow: Atom feed)
-- links below jump to the message on this page --
2025-09-26 06:53 [pgjdbc/pgjdbc] issue #3816: Implement OAUTHBEARER to support PostgreSQL 18 OAuth flow "vlsi (@vlsi)" <[email protected]>
2026-05-04 16:31 ` "artemgavrilov (@artemgavrilov)" <[email protected]>
2026-05-04 17:08 ` "davecramer (@davecramer)" <[email protected]>
2026-05-04 21:24 ` "artemgavrilov (@artemgavrilov)" <[email protected]>
2026-05-05 09:59 ` "davecramer (@davecramer)" <[email protected]>
2026-05-05 10:20 ` "artemgavrilov (@artemgavrilov)" <[email protected]>
2026-05-05 12:54 ` "sehrope (@sehrope)" <[email protected]>
2026-05-05 14:09 ` "artemgavrilov (@artemgavrilov)" <[email protected]>
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox