Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1vjeyM-0025sX-1z
	for pgsql-hackers@arkaria.postgresql.org;
	Sat, 24 Jan 2026 14:50:47 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.96)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1vjeyJ-002oo7-0i
	for pgsql-hackers@arkaria.postgresql.org;
	Sat, 24 Jan 2026 14:50:43 +0000
Received: from makus.postgresql.org ([2001:4800:3e1:1::229])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <alvherre@kurilemu.de>)
	id 1vjeyI-002onj-0j
	for pgsql-hackers@lists.postgresql.org;
	Sat, 24 Jan 2026 14:50:43 +0000
Received: from fout-b8-smtp.messagingengine.com ([202.12.124.151])
	by makus.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <alvherre@kurilemu.de>)
	id 1vjeyA-0025O3-1o
	for pgsql-hackers@lists.postgresql.org;
	Sat, 24 Jan 2026 14:50:36 +0000
Received: from phl-compute-05.internal (phl-compute-05.internal [10.202.2.45])
	by mailfout.stl.internal (Postfix) with ESMTP id 7FBC01D00187;
	Sat, 24 Jan 2026 09:50:33 -0500 (EST)
Received: from phl-frontend-04 ([10.202.2.163])
  by phl-compute-05.internal (MEProxy); Sat, 24 Jan 2026 09:50:33 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kurilemu.de; h=
	cc:cc:content-transfer-encoding:content-type:content-type:date
	:date:from:from:in-reply-to:message-id:mime-version:reply-to
	:subject:subject:to:to; s=fm1; t=1769266233; x=1769352633; bh=se
	9+oUIQ2GgveZ4/89rA6eEG+ADUiZfwKGEgwKZbsPs=; b=NAKGeTavj4E/kRwVXp
	CkxDQj8SVgX7wOxs/FgEzfxoZE+4cSCxd/uYWfuEEdoSJYwe1p8NwoJ3fxTMqwYY
	Q8lYvgm/Cg/JTE07OYQc/sh59SmciSCXAbb2OeW6r9QJHwlmQM3G019qHE5u2WnI
	PQz3ujuCBc+PdriokxooKCOVhwJPQKUemEYMrCcbweR1Z7B4FF+zHgqgFuO8lqA+
	2Bw3zS0eOFJt9uV0L8jbsA7oEEfTbqnZz8FgyU95FsDi4WNs9wnj1HkPdZZx1oTp
	dHjOeupGVngxu0RAjrEMp9u4rJXrktPdGBwC1953vEF4ssaDmuazVqbL/kUqu5x0
	B3Fg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=cc:cc:content-transfer-encoding
	:content-type:content-type:date:date:feedback-id:feedback-id
	:from:from:in-reply-to:message-id:mime-version:reply-to:subject
	:subject:to:to:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=
	fm2; t=1769266233; x=1769352633; bh=se9+oUIQ2GgveZ4/89rA6eEG+ADU
	iZfwKGEgwKZbsPs=; b=uq1SgtjCg5lZscNMMRcnHbICJ8e+tnJZWXcQXfbCW+fM
	6r98SfmO7YE13FxS06az7GLM8u+ArOkXutVnAvzuXY00EVPwoVTmblbn5+ZZ075q
	e8GcBhT9ZvOI+6pwc/tfoX49GUwmd9H4P+H9XW6rqqr9893W/vLyjbWcsWYDBFKF
	f0v9GkbxjXp2ogRqehx8TmJ3GqVhK/7scnzdLBABXMxYrX3FC407oS5OFGXwAhRJ
	OMbks7QbLAp7Ig5/7POjTiHoiAX4JBhC9J1T6WNMpabyIyrPZ7hGzzf/bCiXqlbj
	kjcgeq6bTumJ1QzYba3DpDbdCxxnRP1Vbzg/2fXGdg==
X-ME-Sender: <xms:ONx0ac7VMvOWZWEAVpDCLEkECcDRhv7cIxNPBY__JvKlD9zO9TkV9w>
    <xme:ONx0aT68N88g5LfHb_ZrDfh9197jCPOfmTH5AvP9ydw_xT59MwPO4Bv1efAjz2Ypt
    A7Uhkr1HZzxm2xRKlGv3p8AOF1hQ96DJGE410-26HvRq02d1i_0qA>
X-ME-Received: <xmr:ONx0aZHQS8_heajGO2kQFTMXAcNb0EbajUgepSSKL7ndwV8KpTJxvQvN6jTLs9CEJTWoYWjjF1JGMVyTV5G5Z6nEhUDyGshkRS4sgBTcnHlRsTc8zyHTzDEEB7oy_pmS7MMiLwc>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeefgedrtddtgdduhedvvddtucetufdoteggodetrf
    dotffvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfurfetoffkrfgpnffqhgenuceu
    rghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujf
    gurhepfffhvfevuffkgggtugfgsehtkeertddttdejnecuhfhrohhmpemllhhvrghrohcu
    jfgvrhhrvghrrgcuoegrlhhvhhgvrhhrvgeskhhurhhilhgvmhhurdguvgeqnecuggftrf
    grthhtvghrnhepfeeijeelveethfetudevleeiteeufeefgfelgfdtueeifeffteekgfet
    tddtgfefnecuffhomhgrihhnpegvnhhtvghrphhrihhsvggusgdrtghomhenucevlhhush
    htvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpegrlhhvhhgvrhhrvges
    khhurhhilhgvmhhurdguvgdpnhgspghrtghpthhtohepvddpmhhouggvpehsmhhtphhouh
    htpdhrtghpthhtohepjhgrtghosgdrtghhrghmphhiohhnsegvnhhtvghrphhrihhsvggu
    sgdrtghomhdprhgtphhtthhopehpghhsqhhlqdhhrggtkhgvrhhssehlihhsthhsrdhpoh
    hsthhgrhgvshhqlhdrohhrgh
X-ME-Proxy: <xmx:ONx0acRcMIyPd1aV-YYxFM_n0D_5i2awN_0LySrp94DQ-c-UE0807A>
    <xmx:ONx0aSsVZoqpb-FRl0QFQ71oJBGAbFauBCbIgL6l2kVYZ1BIVd-few>
    <xmx:ONx0abyQtw_QbU_xWc2bZkVvH8AmamPzBtAJTwBi5poob5Kw4jKG2Q>
    <xmx:ONx0ac46Fu4AjacJWd9PHrT5DS789oa04NiwXRDHjaEHLFuIvRY4vg>
    <xmx:Odx0aQYRbjg7gbrUMog-RWqSRtf30T-PuRbZ809WKeVtBqIYxP-XXGrN>
Feedback-ID: ie3de48e3:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Sat,
 24 Jan 2026 09:50:32 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kurilemu.de;
	s=schmee; t=1769266229;
	bh=kDuBwpe9Q00cuXbd+d5ssFZOhwV/6dZG5FeoJw1951E=;
	h=Date:From:To:Cc:Subject:From;
	b=Ss9W/m1cLqBUvM5yChEXWyGePJHfoHgqihuvzD7nBA/uXgfvWVN72Uw2VKz+bWA2S
	 1vnkTiRa9K1u6yQ85q2XTEraHsy9ewSrCyfPqvuVbAxhbsnDPn5oinGuaqa4voJZrp
	 GOmxp3c9V0o/ACEC8bSFTBfwm+6VHIDwV3CM8HZDXG0tlLefZOMUv4LWECyQRql4cz
	 cBEVzBEV7/tD0IJR4IbVB5Tc16cn2LEwGPZdCeM4Tj4E+4sOgXMrEfZm6pTbZG3PRI
	 bcCbbkgP/sgMFj5D55Oby/gvNgt5oAzULig655TzWscLiXDhq41iKffQ3QNbQrOiWK
	 YJLOdIVhvJ6Rg==
Received: by schmee.kurilemu.internal (Postfix, from userid 1000)
	id F37DD6A; Sat, 24 Jan 2026 15:50:28 +0100 (CET)
Date: Sat, 24 Jan 2026 15:50:28 +0100
From: =?utf-8?Q?=C3=81lvaro?= Herrera <alvherre@kurilemu.de>
To: Pg Hackers <pgsql-hackers@lists.postgresql.org>
Cc: Jacob Champion <jacob.champion@enterprisedb.com>
Subject: unclear OAuth error message
Message-ID: <202601241015.y5uvxd7oxnfs@alvherre.pgsql>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
List-Id: <pgsql-hackers.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-hackers@lists.postgresql.org>
List-Owner: <mailto:pgsql-hackers-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-hackers>
Archived-At: <https://www.postgresql.org/message-id/202601241015.y5uvxd7oxnfs%40alvherre.pgsql>
Precedence: bulk

Hello,

While updating the translation, I noticed this code

    /*
     * Log any authentication results even if the token isn't authorized; it
     * might be useful for auditing or troubleshooting.
     */
    if (ret->authn_id)
        set_authn_id(port, ret->authn_id);

    if (!ret->authorized)
    {
        ereport(LOG,
                errmsg("OAuth bearer authentication failed for user \"%s\"",
                       port->user_name),
                errdetail_log("Validator failed to authorize the provided token."));

        status = false;
        goto cleanup;
    }

I'm not sure I understand the errdetail() part of it.  At first it made
me wonder if it was about a user-supplied module that had an internal
failure preventing it from deciding whether the user was authorized or
not (which would have been something like "Validator failed while ...").
But the code suggests that the module worked fine and made the
determination not to authorize the user.  If that's so, then why do we
have the errdetail at all?  Can't we just get rid of it and let the
errmsg stand on its own merit?

There is one more case for this exact errmsg to be given:

    /* Make sure the validator authenticated the user. */
    if (ret->authn_id == NULL || ret->authn_id[0] == '\0')
    {
        ereport(LOG,
                errmsg("OAuth bearer authentication failed for user \"%s\"",
                       port->user_name),
                errdetail_log("Validator provided no identity."));

Here it seems the validator did indeed have an internal problem of some
sort, because while it did declare that the user was authorized, it did
not provide what we were expecting from it.  Should in this case the
errmsg() be different?

(Actually, there's also auth_failed() giving the same message.)

-- 
Álvaro Herrera         PostgreSQL Developer  —  https://www.EnterpriseDB.com/
"The saddest aspect of life right now is that science gathers knowledge faster
 than society gathers wisdom."  (Isaac Asimov)