public inbox for [email protected]  
From: Jonathan Gonzalez V. <[email protected]>
To: Jacob Champion <[email protected]>
Cc: Zsolt Parragi <[email protected]>
Cc: Daniel Gustafsson <[email protected]>
Cc: PostgreSQL Hackers <[email protected]>
Subject: Re: Make PGOAUTHCAFILE in libpq-oauth work out of debug mode
Date: Tue, 06 Jan 2026 09:40:20 +0100
Message-ID: <[email protected]> (raw)
In-Reply-To: <CAOYmi+nQawWHzC4mRhJnzZzzqjnUDg-yxN3f3ZqPX=+jpKU+zg@mail.gmail.com>
References: <[email protected]>
	<[email protected]>
	<CAOYmi+=fbZNJSkHVci=GpR8XPYObK=H+2ERRha0LDTS+ifsWnw@mail.gmail.com>
	<CAN4CZFPhm2NCRWzZpX=kRLqyxu4Ps-d0xE5W75a-iDoKrLbXBw@mail.gmail.com>
	<CAOYmi+=HcXJub1rDsQ7vpKMHuBB6NTA2Z5T=zAkaFdRThf+9zg@mail.gmail.com>
	<[email protected]>
	<CAOYmi+mMx1DnNpKG8RdknH0-GuPR9jv+G9r2iFND=Yve7DOF6g@mail.gmail.com>
	<[email protected]>
	<CAOYmi+nQawWHzC4mRhJnzZzzqjnUDg-yxN3f3ZqPX=+jpKU+zg@mail.gmail.com>

Hi!

On Mon, 2026-01-05 at 10:37 -0800, Jacob Champion wrote:
> 
> See https://wiki.postgresql.org/wiki/Category:OAuth_Working_Group for
> a current list of tagged [oauth] proposals. Or is that not what
> you're
> asking about?

Not specifically, but that will work more than fine for sure! Thank
you!

> 
> Right, and I'm not. I guess that's the main disconnect here: I'm only
> talking about enabling and disabling the features exposed by
> PGOAUTHDEBUG. I don't think a debug level helps with that, which is
> why I proposed a bitmap.
> 
> But that's a feature for a different thread name. I think we should
> continue this one by adding an oauth_ca_file connection parameter and
> documentation, including the default behavior (which defers to Curl).
> 
> 

Ok, promoting this to something external to the debug makes a lot of
sense to me; that will help a lot to increase the possible usage of
this parameter.

I will for sure still allow an environment variable too, like OAUTH_CA
or OAUTH_CA_FILE, just because environment variables for these
parameters are widely used, just like curl[1] has cacert_file and
support for CURL_CA_BUNDLE; both options make sure that users may not
be limited.

I already worked on a patch (before this one) to add an option to pass
the CA, but I discarded that because I didn't think it was going to be
accepted. I can rework that with all the ideas, but what do you think
about creating a wiki page with all the ideas to manage the
certificates? Probably the CA will also require adding some skip or
insecure options, full bundles and how to build them, etc.

Regards!

[1] https://curl.se/docs/sslcerts.html
-- 
Jonathan Gonzalez V. <[email protected]>
EnterpriseDB





