Subject: Re: Make PGOAUTHCAFILE in libpq-oauth work out of debug mode
From: "Jonathan Gonzalez V."
To: Jacob Champion
Cc: Daniel Gustafsson, PostgreSQL Hackers, Zsolt Parragi
Date: Sun, 14 Dec 2025 12:08:32 +0100
Message-ID: <02a9663003597cfd138833b820a503b72c8e2ffa.camel@gmail.com>

Hi! Sorry for the delayed answer!

>
> Okay, that's good to know. But I'm still missing how the end user (a
> human) trusts that magic CA within the browser or device they use to
> finish the actual flow?

More than the end user "trusting" a "magic" CA, it's about which CA the
company tells you to use. Most of the time you don't have an option as a
developer or even as a sysadmin, since these kinds of things come
strictly from InfoSec departments, or are just instructions to achieve
some certification like ISO 9001 or ISO 27001, which for isolated
environments require the CA to be managed internally. And most of the
time the users may not even see this CA; it will actually be pushed by
another external application installed on the company workstation, like
CrowdStrike does. I'm not saying this will be the case, but it's an
example of how companies work nowadays with CAs.

>
>
> Same question as above, but I'm slowly being convinced that this
> thread needs to remain separate from the PGOAUTHDEBUG split
> discussion, even if they're related.

Totally agree; now I'm thinking the same. It should be a feature, because
there are more examples I've been thinking about that may require this
to be even a bit more flexible. For example, when working with edge
computing, if you want to (in the future, because it's not possible yet)
authenticate a device against PostgreSQL, it may require having that CA
as an encoded string in the variable, not just as a file. Wild thought,
I know, but it may make sense.

> This might be a silly-small example, but I've added a stub spec:
>
>     https://wiki.postgresql.org/wiki/Proposal:_Promote_PGOAUTHCAFILE_to_feature
>

How can we work on that? Because of the above, it may be required to add
even more possibilities.

>
>
> Who's running the CI, and how do OAuth and Device Authorization factor
> into it? (And why would a human user be okay with feeding their
> privileges into an authorization server with a random-looking host
> name every time they run it?)
>

With that I was thinking more about the future than what you can do now;
the OAuth flow provides many features that can be implemented in the
future, and I was just looking ahead with the CI example.

> > > The reason I ask is that we'd briefly talked about splitting
> > > PGOAUTHDEBUG into more granular settings than just "off" and
> > > "UNSAFE".
> >
> > I was thinking the same for another patch that will require
> > discussion for sure, but it's something similar to adding some
> > levels of debug, for example, when you want to have the tokens or
> > when you only want to see the URLs used to negotiate (which are
> > really useful when working with the OAuth flows), or the deep one
> > when you want to see the tokens.
>
> I think that's reached critical mass, then.
>

More than happy to help with this!

-- 
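As an added illustration of the granular PGOAUTHDEBUG idea discussed in the quoted exchange above (this is example code written for this page, not code from the thread, from libpq-oauth or from the proposal), the following shows what a "URLs only" level versus an "unsafe" level would emit for a device authorization grant. The level names "urls" and "unsafe" below are hypothetical; today PGOAUTHDEBUG only knows "off" and "UNSAFE". The exchange data is constructed, not a real capture. The security-relevant point is that the middle level shows the endpoints and the shape of each exchange while keeping the device code and access token out of the output.

```python
"""Hypothetical granular PGOAUTHDEBUG levels: what each one would log."""
import json
from urllib.parse import parse_qsl, urlencode

# Hypothetical level names (assumption); only "off" and "UNSAFE" exist today.
LEVELS = {"off": 0, "urls": 1, "unsafe": 2}

# Parameters whose values are credentials: never shown below the "unsafe" level.
# user_code is deliberately absent: it is meant to be displayed to the user.
SECRET_KEYS = {"device_code", "access_token", "refresh_token", "id_token", "client_secret"}


def redact_form(form):
    """Redact credential values in an application/x-www-form-urlencoded request body."""
    pairs = parse_qsl(form, keep_blank_values=True)
    return urlencode([(k, "REDACTED" if k in SECRET_KEYS else v) for k, v in pairs])


def redact_json(body):
    """Redact credential values in a flat JSON object (token responses are flat)."""
    obj = json.loads(body)
    return json.dumps({k: ("REDACTED" if k in SECRET_KEYS else v) for k, v in obj.items()},
                      sort_keys=True)


def debug_lines(level, exchange):
    """Return the log lines a client would emit for `exchange` at the given level."""
    lvl = LEVELS[level.lower()]
    lines = []
    if lvl == 0:
        return lines
    for step in exchange:
        lines.append(f"{step['name']}: POST {step['url']}")
        req, resp = step["request"], step["response"]
        if lvl < 2:
            # "urls" level: endpoints and parameter names, but no credentials.
            req, resp = redact_form(req), redact_json(resp)
        lines.append(f"  request:  {req}")
        lines.append(f"  response: {resp}")
    return lines


# Constructed sample of a device authorization grant (hypothetical issuer and values).
SAMPLE_EXCHANGE = [
    {
        "name": "device_authorization",
        "url": "https://issuer.example/oauth/device",
        "request": "client_id=psql&scope=openid",
        "response": '{"device_code": "dc-secret-123", "user_code": "ABCD-EFGH", '
                    '"verification_uri": "https://issuer.example/device", '
                    '"expires_in": 600, "interval": 5}',
    },
    {
        "name": "token",
        "url": "https://issuer.example/oauth/token",
        "request": "grant_type=urn:ietf:params:oauth:grant-type:device_code"
                   "&device_code=dc-secret-123&client_id=psql",
        "response": '{"access_token": "at-secret-456", "token_type": "Bearer", '
                    '"expires_in": 3600}',
    },
]

if __name__ == "__main__":
    for level in ("off", "urls", "UNSAFE"):
        print(f"--- PGOAUTHDEBUG={level}")
        print("\n".join(debug_lines(level, SAMPLE_EXCHANGE)))
```

The redaction is keyed on parameter names rather than on value patterns, so a new endpoint that reuses the standard OAuth parameter names is covered without changes; anything that is not in the secret set (user_code, verification_uri, expiry) still appears at the "urls" level, which is the part that is useful when debugging a flow.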