Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wVGRk-001phH-0p for pgsql-hackers@arkaria.postgresql.org; Thu, 04 Jun 2026 22:21:52 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1wVGRj-008wYy-0N for pgsql-hackers@arkaria.postgresql.org; Thu, 04 Jun 2026 22:21:51 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wVGRi-008wYp-2O for pgsql-hackers@lists.postgresql.org; Thu, 04 Jun 2026 22:21:50 +0000 Received: from mail-pj1-x1034.google.com ([2607:f8b0:4864:20::1034]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.98.2) (envelope-from ) id 1wVGRg-00000001JRf-1xY3 for pgsql-hackers@lists.postgresql.org; Thu, 04 Jun 2026 22:21:50 +0000 Received: by mail-pj1-x1034.google.com with SMTP id 98e67ed59e1d1-36dd65b95f2so884888a91.0 for ; Thu, 04 Jun 2026 15:21:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1780611705; x=1781216505; darn=lists.postgresql.org; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=rkAdw4VgiKhjYjLKUe8pZQrTnNi5cbdP2skGMyfncWs=; b=cXTnFBnspa3mqZRoygGSWHvLtCf+F31SiueQ1en3ytJkDcxoE8a0et2vChxHqPKaPy 63X8HXpj0z259c9TM6o8pWlXWgzYO1JR3ciMCWubJMxCWKAqXiP531boqlt8TDdutfje W8FbVYzNUFEJXnbEnwUSkszgvwTYhkyMitFQVigCKuevU/GSZnS/FAUY6nCEOHNmpmc+ Bwj2m8ycugv27Fb29GYxZmxlf8ruvPzjRooFUiLx2TQsGSXcJbkmzVZ8Hkq1SsUl69If JJt0g1aPGee2wIg9GsRYbF3oWmUjK9E6OOMd8yxHTcBQsni2E/+0XA529g3djDGdRajc I8kg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1780611705; x=1781216505; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=rkAdw4VgiKhjYjLKUe8pZQrTnNi5cbdP2skGMyfncWs=; b=sBWA6sBFHiIptjkiNo7Tosfh7LLp1rnN9lLL+y3OXQvLna9jtMPDAOScpQtUSgmYv3 KCh7QuytfqKzyWBK9DLV01cVwDONNTvWhea1hrIgOoFAmKyAtNqh6sNuWUFpqJXXBYMW Ah1DhAC52o1s+qj0nntIwqtgp5GnfnLG7eAn5Q70RLIFGYQwP5BoIRzjFvQSzrP92RJN 91lL4q06Ls7h8hovDCC6+Wln8N5RGufoZmUlBycF7uVUFEuiQEl19j8tHiiRs4Z6CJ6p jF5DlxxgushsqqIk/h5tVl8jkwd8CYwsoRydq+abYoAUPcf4p1jgZftMhMMhF2WfcpAQ Ni9Q== X-Gm-Message-State: AOJu0YydGGCu7fLya4Dfx2Tx0Bo0j9HGRnL9KEDZAvE0t2h9EFGEU+44 pChHnOeIdow4lN5qXXD8jCHn38MQOJKlk1tHxY0cREyy1wslvcN33c17 X-Gm-Gg: Acq92OGT85jfPc55c/zgDqlPqcALrZJT+Rcvr3eLQN5BojICYVoEroxJvPEiWdgkcmd dNjtlxWFwCd4O4/YI49g6SsQy692LrhFHnYNQBzRWpQ+W/aghKwSP8DROVPeIMUKOZbSHZm0JHJ xDSM/cluqx/+jv1y2/YV5wtv2SZrUGLlmUrMrpaFhJCkBRZ6vh6F0kIoziAHJ7GJ9L9yb8WrrHo Lx7kHtVwfH3nJNaQXz1G3F4u3C1iN6aog/oy//YsDZJy3XxkQRV9Bo/QMC/T1YSNSjTuYEn5qGS zKyOY2KiiYuR51c6snRMcI61Nq/DC23JplfKMFCPxPMWabrU4VaEbQ5Krat3EMTmEalDn0XeAtY aAVmpORmrtWpbRtm8pNWfnjWiDQcAMXPTfH92g+Qqu0qwckki4IqpsykA3fo/MukxSx4bObiRtN fczcfszo90NCZlFNLT523azZ060W/9DIxZZCdFAQ8QFD99dwJuBl1jTw== X-Received: by 2002:a17:90b:5806:b0:370:aa94:1662 with SMTP id 98e67ed59e1d1-371091f22e2mr300038a91.9.1780611705481; Thu, 04 Jun 2026 15:21:45 -0700 (PDT) Received: from smtpclient.apple ([185.135.79.161]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-370db2e7148sm408058a91.0.2026.06.04.15.21.42 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 04 Jun 2026 15:21:44 -0700 (PDT) From: Chao Li Message-Id: <28A71A53-EB55-4A29-8C20-BBAF1BC82D2A@gmail.com> Content-Type: multipart/mixed; boundary="Apple-Mail=_7CBA6C13-19A8-4876-AA9B-408594820246" Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3864.600.51.1.1\)) Subject: Re: Fix OAuth validator docs for error_detail on internal errors Date: Fri, 5 Jun 2026 06:21:07 +0800 In-Reply-To: Cc: Postgres hackers , Jacob Champion To: Daniel Gustafsson References: <0281836A-F5FF-41A5-9EE1-656C1FAAC6B2@gmail.com> X-Mailer: Apple Mail (2.3864.600.51.1.1) List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --Apple-Mail=_7CBA6C13-19A8-4876-AA9B-408594820246 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 > On Jun 5, 2026, at 04:19, Daniel Gustafsson wrote: >=20 >> On 4 Jun 2026, at 14:33, Chao Li wrote: >=20 >> =E2=80=9CAny result parameters are ignored=E2=80=9D is no longer = accurate; it should be something like =E2=80=9Cany result parameters = except result->error_detail are ignored=E2=80=9D. This patch just makes = that tiny doc fix. >=20 > That's true, but error_detail is explained in detail in the next = paragraph so > I'm not sure this change is needed. Agreed. Adding the =E2=80=9Cexception for result->error_detail=E2=80=9D = sounds a bit redundant with the next paragraph. But =E2=80=9Cany result = parameters are ignored=E2=80=9D also seems to conflict with the next = paragraph, so I think we can just delete that part. ValidatorModuleResult has three fields, so the logic is: * The first paragraph talks about authorized and authn_id when the = validator succeeds. * The second paragraph talks about the validator=E2=80=99s return = values. * The third paragraph talks about result->error_detail when the = validator fails. >=20 > Another thing we don't explicitly document which seems more = interesting is that > authn_id is used even in case of failure if log_connections is = enabled. Maybe > that deserves a mention? >=20 This is a good point. I added that in v2. Best regards, -- Chao Li (Evan) HighGo Software Co., Ltd. https://www.highgo.com/ --Apple-Mail=_7CBA6C13-19A8-4876-AA9B-408594820246 Content-Disposition: attachment; filename=v2-0001-doc-clarify-OAuth-validator-authn_id-logging-on-a.patch Content-Type: application/octet-stream; x-unix-mode=0644; name="v2-0001-doc-clarify-OAuth-validator-authn_id-logging-on-a.patch" Content-Transfer-Encoding: quoted-printable =46rom=20475fc04a7b9d3d388c089126a95686c867b0768e=20Mon=20Sep=2017=20= 00:00:00=202001=0AFrom:=20"Chao=20Li=20(Evan)"=20=0A= Date:=20Thu,=204=20Jun=202026=2019:23:59=20+0800=0ASubject:=20[PATCH=20= v2]=20doc:=20clarify=20OAuth=20validator=20authn_id=20logging=20on=20= auth=0A=20failure=0A=0AOAuth=20validators=20can=20return=20an=20= authenticated=20identity=20in=0AValidatorModuleResult.authn_id.=20The=20= server=20records=20this=20value=20before=0Achecking=20whether=20the=20= connection=20is=20authorized,=20so=20it=20may=20appear=20in=0A= connection-authentication=20logs=20even=20when=20the=20connection=20is=20= later=20rejected.=0A=0AAlso=20remove=20outdated=20wording=20saying=20= that=20all=20result=20parameters=20are=20ignored=0Awhen=20a=20validator=20= returns=20false.=20Validators=20may=20still=20provide=20error_detail=20= for=0Aboth=20validation=20failures=20and=20internal=20errors,=20as=20= described=20in=20the=20following=0Aparagraph.=0A=0AAuthor:=20Chao=20Li=20= =0AReported-by:=20Daniel=20Gustafsson=20= =0ADiscussion:=20= https://postgr.es/m/0281836A-F5FF-41A5-9EE1-656C1FAAC6B2@gmail.com=0A---=0A= =20doc/src/sgml/oauth-validators.sgml=20|=2013=20+++++++++----=0A=201=20= file=20changed,=209=20insertions(+),=204=20deletions(-)=0A=0Adiff=20= --git=20a/doc/src/sgml/oauth-validators.sgml=20= b/doc/src/sgml/oauth-validators.sgml=0Aindex=208aad470a464..245f3ebb95e=20= 100644=0A---=20a/doc/src/sgml/oauth-validators.sgml=0A+++=20= b/doc/src/sgml/oauth-validators.sgml=0A@@=20-395,13=20+395,18=20@@=20= typedef=20struct=20ValidatorModuleResult=0A=20=20=20=20=20token)=20shall=20= be=20palloc'd=20and=20returned=20in=20the=20= result->authn_id=0A=20=20=20=20=20field.=20=20= Alternatively,=20result->authn_id=20may=20be=20= set=20to=0A=20=20=20=20=20NULL=20if=20the=20token=20is=20valid=20but=20= the=20associated=20user=20identity=20cannot=20be=0A-=20=20=20=20= determined.=0A+=20=20=20=20determined.=20=20If=20the=20validator=20= returns=20true=20and=0A+=20=20=20=20= result->authn_id=20is=20set,=20the=20server=20= records=20it=0A+=20=20=20=20before=20checking=20whether=20the=20= connection=20is=20authorized,=20so=20it=20may=20appear=20in=0A+=20=20=20=20= the=20server=20log=20when=20=20= includes=0A+=20=20=20=20authentication,=20even=20when=20= the=20connection=20is=20later=0A+=20=20=20=20rejected.=0A=20=20=20=20= =0A=20=20=20=20=0A=20=20=20=20=20A=20validator=20may=20= return=20false=20to=20signal=20an=20internal=20error,=0A= -=20=20=20=20in=20which=20case=20any=20result=20parameters=20are=20= ignored=20and=20the=20connection=20fails.=0A-=20=20=20=20Otherwise=20the=20= validator=20should=20return=20true=20to=20indicate=0A= -=20=20=20=20that=20it=20has=20processed=20the=20token=20and=20made=20an=20= authorization=20decision.=0A+=20=20=20=20in=20which=20case=20the=20= connection=20fails.=20=20Otherwise=20the=20validator=20should=20return=0A= +=20=20=20=20true=20to=20indicate=20that=20it=20has=20= processed=20the=20token=20and=20made=0A+=20=20=20=20an=20authorization=20= decision.=0A=20=20=20=20=0A=20=20=20=20=0A=20=20=20=20=20In=20= either=20failure=20case=20(validation=20error=20or=20internal=20error)=20= the=20module=20may=0A--=20=0A2.50.1=20(Apple=20Git-155)=0A=0A= --Apple-Mail=_7CBA6C13-19A8-4876-AA9B-408594820246--