From: Jacob Champion
Date: Tue, 1 Apr 2025 08:48:52 -0700
Subject: Re: pgsql: Add support for OAUTHBEARER SASL mechanism
To: Daniel Gustafsson, Peter Eisentraut
Cc: Christoph Berg, Thomas Munro, pgsql-hackers@lists.postgresql.org

On Tue, Apr 1, 2025 at 6:12 AM Daniel Gustafsson wrote:
>
> > On 1 Apr 2025, at 15:03, Christoph Berg wrote:
>
> > With the libpq-oauth split, this makes even more sense because
> > building a library that always throws an error isn't very useful.
> > (Don't build that file at all if the feature doesn't work.)
>
> After the split, configure/meson should fail if the libcurl dependency isn't
> satisfied or if the platform isn't supported.

Yeah, after sleeping on it I agree. If I want a "canary" buildfarm
animal to opt into compilation on unsupported platforms, I can instead
look into a manual #define or something; it doesn't have to be a
supported configure-time thing.

> > Since oauth/curl have some security implications, would it make more
> > sense to call the switch --enable-oauth (-Doauth) so users could
> > control better what features their libpq is going to have? Perhaps
> > some other feature (pg_service as URL?) is going to need libcurl as
> > well, but it should be configurable separately.
>
> Perhaps --with-oauth-client for the opt-in libpq-oauth?

It started as -Doauth way back when, but was changed as part of the
discussion at [1]. Peter, do you have any objections to switching back
to an OAuth-related name?

--Jacob

[1] https://postgr.es/m/6bde5f56-9e7a-4148-b81c-eb6532cb3651%40eisentraut.org