Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1t1ftb-00HNMP-Fb for pgsql-hackers@arkaria.postgresql.org; Fri, 18 Oct 2024 05:51:31 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1t1ftY-00GG3R-OA for pgsql-hackers@arkaria.postgresql.org; Fri, 18 Oct 2024 05:51:29 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1t1ftY-00GG3I-95 for pgsql-hackers@lists.postgresql.org; Fri, 18 Oct 2024 05:51:28 +0000 Received: from mail-ej1-x641.google.com ([2a00:1450:4864:20::641]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1t1ftV-001UBj-Gt for pgsql-hackers@postgresql.org; Fri, 18 Oct 2024 05:51:27 +0000 Received: by mail-ej1-x641.google.com with SMTP id a640c23a62f3a-a99f629a7aaso298734166b.1 for ; Thu, 17 Oct 2024 22:51:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cybertec.at; s=cybertec.at; t=1729230682; x=1729835482; darn=postgresql.org; h=message-id:date:content-transfer-encoding:content-id:mime-version :comments:references:in-reply-to:subject:cc:to:from:from:to:cc :subject:date:message-id:reply-to; bh=u8Sqd5bweqRKny0qmUg3qlelmUDIM6DssvtjzFhy8Ps=; b=FYkUM1KDynwLW/GftOLH176bZ+pkj9QXe+F9Y1b6TwmpqWnH83onuAZHueVA/dN259 yp2rb3Al3iF0UkXS1SdhhgCabhPNA3xibr9gdnEoxL2+VrxNzTUlDPZGQdMamJ1V0+A1 Jv9+i3wfJS5+Su3OTudLxOjlMwYaAlxHXrioA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1729230682; x=1729835482; h=message-id:date:content-transfer-encoding:content-id:mime-version :comments:references:in-reply-to:subject:cc:to:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=u8Sqd5bweqRKny0qmUg3qlelmUDIM6DssvtjzFhy8Ps=; b=PcRqKY78yMOV6ed1U1/A80kGnNBLVIbPx4ChYJpJPizRgttx4BJoY7wYIIsxjEhn4F j2Vq9l5ev7QipPL9UtmNQzXgvaf7lnBddyRCsJ2EdiDypz0+6AC+HjCJsr1tbA1ClUBn FlsMJ5Vv+1ZlX1FlBynr0tPgxVng1hYmq3EeT7YL2aFp/mpixyC9vR4nWLZv/JG4awA8 ggFMA6WbioOSUFVTotV2sT/iulyfr8DNY/ZqOd9ggfTUvDZ+9cSQPuVy4uJGKcCL0YAW MckHgaGcvtt/gSKXEG6AYNEbgrDG+qjAYPLcaCMe2g5Vkw2hrp///onEKu9bnzKB9eAC 9kEg== X-Forwarded-Encrypted: i=1; AJvYcCVo2K7SPB9wtHb9sxYxDKhlH+Qjjkl4q8xoFs8cJ0s+T1/WMJ2VNF+oGIWLlaE11oMAyl9ZVt8HILL/ooVD@postgresql.org X-Gm-Message-State: AOJu0YyhHy+JhNNzwz7qVe3ymmK2NE5ZlnCkm02yFhqzL6Rqa8JfLQbw duz1qJU6C80ENHEZ/YtWqZIJyzsGYCMrNFNEhZF8VIAG5F1EaiLQC71DDsVf/ciVq8dHi7Nhd2f zFlfGyA== X-Google-Smtp-Source: AGHT+IFNCUa4enCnCCGqrz8hmrNa2Xa563a2zOgSvXWkK3vkRwHZQJkLGdXcWKGz2P7UdDXtZikLFQ== X-Received: by 2002:a17:907:9404:b0:a99:ee26:f416 with SMTP id a640c23a62f3a-a9a4c2ef2a6mr560614166b.14.1729230682116; Thu, 17 Oct 2024 22:51:22 -0700 (PDT) Received: from antos (109-81-174-45.rct.o2.cz. [109.81.174.45]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-a9a68bc46fcsm46588866b.111.2024.10.17.22.51.21 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 17 Oct 2024 22:51:21 -0700 (PDT) From: Antonin Houska To: Jacob Champion Cc: Daniel Gustafsson , Peter Eisentraut , PostgreSQL Hackers Subject: Re: [PoC] Federated Authn/z with OAUTHBEARER In-reply-to: <63648.1728384409@antos> References: <3603e9bb-9a69-4761-869b-f5b1f204b840@eisentraut.org> <390f9699-6275-4e1e-a600-11452bee0576@eisentraut.org> <67b7e52e-0d6e-4eb5-9318-fdcfa4e7ea51@eisentraut.org> <20A6A78C-D5B1-4BA3-8CD0-99AF18A04B48@yesql.se> <4812.1727459899@antos> <4503.1727703521@antos> <63648.1728384409@antos> Comments: In-reply-to Antonin Houska message dated "Tue, 08 Oct 2024 12:46:49 +0200." X-Mailer: MH-E 8.6+git; nmh 1.8; GNU Emacs 28.2.50 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <2452.1729230680.1@antos> Content-Transfer-Encoding: quoted-printable Date: Fri, 18 Oct 2024 07:51:21 +0200 Message-ID: <2453.1729230681@antos> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Antonin Houska wrote: > I'd like to play with the code a bit and provide some review before or d= uring > the next CF. That will probably generate some more questions. This is the 1st round, based on reading the code. I'll continue paying attention to the project and possibly post some more comments in the futur= e. * Information on the new method should be added to pg_hba.conf.sample.meth= od. * Is it important that fe_oauth_state.token also contains the "Bearer" keyword? I'd expect only the actual token value here. The keyword can be added to the authentication message w/o storing it. The same applies to the 'token' structure in fe-auth-oauth-curl.c. * Does PQdefaultAuthDataHook() have to be declared extern and exported via libpq/exports.txt ? Even if the user was interested in it, he can use PQgetAuthDataHook() to get the pointer (unless he already installed his custom hook). * I wonder if the hooks (PQauthDataHook) can be implemented in a separate diff. Couldn't the first version of the feature be commitable without th= ese hooks? * Instead of allocating an instance of PQoauthBearerRequest, assigning it = to fe_oauth_state.async_ctx, and eventually having to all its cleanup() function, wouldn't it be simpler to embed PQoauthBearerRequest as a memb= er in fe_oauth_state ? * oauth_validator_library is defined as PGC_SIGHUP - is that intentional? And regardless, the library appears to be loaded by every backend during authentication. Why isn't it loaded by postmaster like libraries listed = in shared_preload_libraries? fork() would then ensure that the backends do = have the library in their address space. * pg_fe_run_oauth_flow() When first time here case OAUTH_STEP_TOKEN_REQUEST: if (!handle_token_response(actx, &state->token)) goto error_return; the user hasn't been prompted yet so ISTM that the first token request m= ust always fail. It seems more logical if the prompt is set to the user befo= re sending the token request to the server. (Although the user probably won= 't be that fast to make the first request succeed, so consider this just a hint.) * As long as I understand, the following comment would make sense: diff --git a/src/interfaces/libpq/fe-auth-oauth.c b/src/interfaces/libpq/f= e-auth-oauth.c index f943a31cc08..97259fb5654 100644 --- a/src/interfaces/libpq/fe-auth-oauth.c +++ b/src/interfaces/libpq/fe-auth-oauth.c @@ -518,6 +518,7 @@ oauth_exchange(void *opaq, bool final, switch (state->state) { case FE_OAUTH_INIT: + /* Initial Client Response */ Assert(inputlen =3D=3D -1); = if (!derive_discovery_uri(conn)) Or, doesn't the FE_OAUTH_INIT branch of the switch statement actually fi= t better into oauth_init()? A side-effect of that might be (I only judge f= rom reading the code, haven't tried to implement this suggestion) that oauth_exchange() would no longer return the SASL_ASYNC status. Furthermo= re, I'm not sure if pg_SASL_continue() can receive the SASL_ASYNC at all. So= I wonder if moving that part from oauth_exchange() to oauth_init() would m= ake the SASL_ASYNC state unnecessary. * Finally, the user documentation is almost missing. I say that just for t= he sake of completeness, you obviously know it. (On the other hand, I think that the lack of user information might discourage some people from runn= ing the code and testing it.) -- = Antonin Houska Web: https://www.cybertec-postgresql.com