Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1suFEe-005Ka6-4h for pgsql-hackers@arkaria.postgresql.org; Fri, 27 Sep 2024 17:58:33 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1suFEd-00CsiC-Bs for pgsql-hackers@arkaria.postgresql.org; Fri, 27 Sep 2024 17:58:31 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1suFEd-00Csi3-14 for pgsql-hackers@lists.postgresql.org; Fri, 27 Sep 2024 17:58:31 +0000 Received: from mail-ed1-x52b.google.com ([2a00:1450:4864:20::52b]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1suFEU-001OO4-Ec for pgsql-hackers@postgresql.org; Fri, 27 Sep 2024 17:58:30 +0000 Received: by mail-ed1-x52b.google.com with SMTP id 4fb4d7f45d1cf-5c718bb04a3so2977937a12.3 for ; Fri, 27 Sep 2024 10:58:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cybertec.at; s=cybertec.at; t=1727459901; x=1728064701; darn=postgresql.org; h=message-id:date:content-transfer-encoding:content-id:mime-version :comments:references:in-reply-to:subject:cc:to:from:from:to:cc :subject:date:message-id:reply-to; bh=SUUvR+nEkgbI0eiAAu3xB1JHQZRN0hcQJ7YAyRfGIA0=; b=DFMdP3JMS0q8/3iRnVNvlIYGQY+qGxwkO1iMWRbQTP475bL8uWt9vfQxllrV4gsKKc d57wlqx8lFrUTmAWzMbiCxkz/dfoXx2D8McvNYUA4Gw1DoIfJ6egDUI4uV0JLtNqxH5t 43TJ5UA7/2JEbvKJzhIPf9qCZ3ghdLPPAqK/Q= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1727459901; x=1728064701; h=message-id:date:content-transfer-encoding:content-id:mime-version :comments:references:in-reply-to:subject:cc:to:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=SUUvR+nEkgbI0eiAAu3xB1JHQZRN0hcQJ7YAyRfGIA0=; b=k5njtRcipmllIB+jsnRS5wQFA29U+ZiBoefPO6MVPy6n3m6QKmL9fNCbpjxmhXWOat hICpDRIM7AIxM8qbd0Olq6KXh8NW78HcbzQpKTKWox8n92s18CboURu0X1b6sI4W/A80 voEkGIAfxM1uL34eneItGv4FqT5Cm1TettTf5SnrOEBil1vlP8Rab9Qcjv/n4Fled3bZ YbfiyCe1sbpOEgiuEBSd3ev+KXT8BtDmjcFn+rHmciXnfAIyiyAvIBtcH1EQDowPqveO 5IArS5u8gRso6aGWNWijKbAdQLOWKy2onxdHYANAurT25KEFogoNIJf8Jn/j9UG2AY8I jQTA== X-Forwarded-Encrypted: i=1; AJvYcCU8UkFZOjYrTKNrBKfn/OqsloI8mtvynQlVYBEKA6+Zde4hpGyLhQTNWZK6aZ7PAzcXVLjRrAJklmgIxpUV@postgresql.org X-Gm-Message-State: AOJu0YzciF4155waOX8cNKnyhd/jgBBgzPkp/3VkkEjdh8j5rDeypPlA D74GBMFq9Dg6+uFKNbYSHDRme/RDaobhetGNuXM6Yp4Z4n9lANKH8g0VZkaXkxk= X-Google-Smtp-Source: AGHT+IFWSI56T5nDcgj6PRQdNG+rx4bQ30fmBXRAEko3u3aZoeFOTNCU+6OjJjrTUV+n7T7ssG8sfA== X-Received: by 2002:a17:907:7fa5:b0:a86:820e:2ac6 with SMTP id a640c23a62f3a-a93c49087ffmr451952966b.22.1727459900858; Fri, 27 Sep 2024 10:58:20 -0700 (PDT) Received: from antos (109-81-174-135.rct.o2.cz. [109.81.174.135]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-a93c297bdeasm157193266b.167.2024.09.27.10.58.20 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 27 Sep 2024 10:58:20 -0700 (PDT) From: Antonin Houska To: Jacob Champion cc: Daniel Gustafsson , Peter Eisentraut , PostgreSQL Hackers Subject: Re: [PoC] Federated Authn/z with OAUTHBEARER In-reply-to: References: <3603e9bb-9a69-4761-869b-f5b1f204b840@eisentraut.org> <390f9699-6275-4e1e-a600-11452bee0576@eisentraut.org> <67b7e52e-0d6e-4eb5-9318-fdcfa4e7ea51@eisentraut.org> <20A6A78C-D5B1-4BA3-8CD0-99AF18A04B48@yesql.se> Comments: In-reply-to Jacob Champion message dated "Wed, 11 Sep 2024 15:54:18 -0700." X-Mailer: MH-E 8.6+git; nmh 1.8; GNU Emacs 28.2.50 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <4811.1727459899.1@antos> Content-Transfer-Encoding: quoted-printable Date: Fri, 27 Sep 2024 19:58:19 +0200 Message-ID: <4812.1727459899@antos> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Jacob Champion wrote: > Peter asked me if there were plans to provide a "standard" validator > module, say as part of contrib. The tricky thing is that Bearer > validation is issuer-specific, and many providers give you an opaque > token that you're not supposed to introspect at all. > = > We could use token introspection (RFC 7662) for online verification, > but last I looked at it, no one had actually implemented those > endpoints. For offline verification, I think the best we could do > would be to provide a generic JWT Profile (RFC 9068) validator, but > again I don't know if anyone is actually providing those token formats > in practice. I'm inclined to push that out into the future. Have you considered sending the token for validation to the server, like t= his curl -X GET "https://www.googleapis.com/oauth2/v3/userinfo" -H "Authorizat= ion: Bearer $TOKEN" and getting the userid (e.g. email address) from the response, as describe= d in [1]? ISTM that this is what pgadmin4 does - in paricular, see the get_user_profile() function in web/pgadmin/authenticate/oauth2.py. [1] https://www.oauth.com/oauth2-servers/signing-in-with-google/verifying-= the-user-info/ -- = Antonin Houska Web: https://www.cybertec-postgresql.com