Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tgUiY-00BBHd-EE for pgsql-hackers@arkaria.postgresql.org; Fri, 07 Feb 2025 20:12:51 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1tgUiX-005IMW-Hz for pgsql-hackers@arkaria.postgresql.org; Fri, 07 Feb 2025 20:12:49 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tgUiX-005IMN-2o for pgsql-hackers@lists.postgresql.org; Fri, 07 Feb 2025 20:12:49 +0000 Received: from smtp.outgoing.loopia.se ([93.188.3.37]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1tgUiU-004QNm-0c for pgsql-hackers@postgresql.org; Fri, 07 Feb 2025 20:12:48 +0000 Received: from s807.loopia.se (localhost [127.0.0.1]) by s807.loopia.se (Postfix) with ESMTP id 720D727C6D4 for ; Fri, 07 Feb 2025 21:12:45 +0100 (CET) Received: from s979.loopia.se (unknown [172.22.191.6]) by s807.loopia.se (Postfix) with ESMTP id 6283627EA94; Fri, 07 Feb 2025 21:12:45 +0100 (CET) Received: from s898.loopia.se (unknown [172.22.191.6]) by s979.loopia.se (Postfix) with ESMTP id 5EFB810BC450; Fri, 07 Feb 2025 21:12:45 +0100 (CET) X-Virus-Scanned: amavisd-new at amavis.loopia.se X-Spam-Flag: NO X-Spam-Score: -1.2 X-Spam-Level: X-Spam-Status: No, score=-1.2 tagged_above=-999 required=6.2 tests=[ALL_TRUSTED=-1, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1] autolearn=disabled Authentication-Results: s898.loopia.se (amavisd-new); dkim=pass (2048-bit key) header.d=yesql.se Received: from s899.loopia.se ([172.22.191.6]) by s898.loopia.se (s898.loopia.se [172.22.190.17]) (amavisd-new, port 10024) with LMTP id TiEoqlzyltNY; Fri, 7 Feb 2025 21:12:44 +0100 (CET) X-Loopia-Auth: user X-Loopia-User: daniel@yesql.se X-Loopia-Originating-IP: 89.255.232.193 Received: from smtpclient.apple (customer-89-255-232-193.stosn.net [89.255.232.193]) (Authenticated sender: daniel@yesql.se) by s899.loopia.se (Postfix) with ESMTPSA id 9C41B2C8BA5C; Fri, 07 Feb 2025 21:12:44 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yesql.se; s=loopiadkim1707475645; t=1738959164; bh=u/QoeylxDXCLyYEq5/T1Jh6wcxCLGhveDFa5zcp+NTM=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=n0SyNjS5fAXkGWzROGft5mVNZGjd2aAshG8TJT/0P7ofGUqFXIIwLEUZgvcxILlnZ K47hQVxGFuiY1T6GuIyYl07AevClH9FY+idyP73OnSN6Zcv+0IRa/E7SDjMU1WxGwb eLfoCVCWi3umbze+p8AY3Zf50Fjjbv4pFETun8BYVDmrzpLCdJ4hvqe+vP4pouTvZ6 zf6GU95FRlmk8u5wxAZUISCZyqUYxBl9e+RiQhqc34Hy+c/IJEXUCehR7qvuIWODsf PyfSdQj0F3D32XcrxGXKpmclQF+yAt9HNipOj39lNOzLQXmS0l/LDiOZnhR164Fr/g I1+apXwxOAaiQ== Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3776.700.51.11.1\)) Subject: Re: [PoC] Federated Authn/z with OAUTHBEARER From: Daniel Gustafsson In-Reply-To: Date: Fri, 7 Feb 2025 21:12:34 +0100 Cc: Peter Eisentraut , Antonin Houska , PostgreSQL Hackers Content-Transfer-Encoding: quoted-printable Message-Id: References: <6bde5f56-9e7a-4148-b81c-eb6532cb3651@eisentraut.org> <9B417838-B872-453D-BBFB-99FA957EB723@yesql.se> <54c008ad-1c23-47d8-ba6c-bed98a39c31c@eisentraut.org> <06102deb-00ef-431d-a3ea-65afb246700a@eisentraut.org> <39A09EC8-2D72-4130-8C3E-8F3D1CC69A12@yesql.se> <55EA9E76-9866-486C-9C7F-C5E8B071C50E@yesql.se> <35CBB6AD-B847-4C26-9A7B-019279F280C8@yesql.se> <9F184CFE-ED8D-4B86-9529-F07821108C93@yesql.se> To: Jacob Champion X-Mailer: Apple Mail (2.3776.700.51.11.1) List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk > On 7 Feb 2025, at 06:48, Jacob Champion = wrote: >=20 > On Thu, Feb 6, 2025 at 2:02=E2=80=AFPM Daniel Gustafsson = wrote: >> Attached is a v46 which is v45 minus the now committed patch. >=20 > Thank you! Attached is v47, which creeps ever closer to the finish = line. Great, thanks! Below are a few quick comments after a first = read-through and compile/test cycle: > - 0005 warns at configure time if libcurl doesn't have a nonblocking > DNS implementation. Is it really enough to do this at build time? A very small percentage = of users running this will also be building their own libpq so the warning is = lost on them. That being said, I'm not entirely sure what else we could do = (bleeping a warning every time is clearly not userfriendly) so maybe this is a TODO = in the code? > - 0006 augments bare Asserts during client-side JSON parsing with code > that will fail gracefully in production builds as well. + oauth_json_set_error(ctx, /* don't bother translating */ With the project style format for translator comments this should be: + /* translator: xxx */ + oauth_json_set_error(ctx, > - 0007 escapes binary data during the printing of libcurl debug > output. (If you're having a bad enough day to need the debug spray, > you're probably not in the mood for the sound of a hundred BELs.) Does it make sense to prefix the printing in debug_callback() with some = header stating that the following data is debug output from curl and not = postgres? I have a feeling I'm stockholm syndromed by knowing the internals so I'm = not sure if that would be helpful to someone not knowing the implementation = details. > - 0008 parses and passes through the expires_in and optional > verification_uri_complete fields from the device endpoint to any > custom user prompt. (We do not use them ourselves, at the moment. But > after seeing some nice demos of RHEL/PAM/sssd support for device flow > QR codes at FOSDEM, I think we're definitely going to want to make > those available to devs.) Aha, cool! I was a bit surprised to not find a definition of expires_in = in RFC 8628, as in what happens if -1 is passed? 8628 seems to broadly = speaking fall into the category of "just dont do the wrong thing and all will be fine" = =3D/. Another question that comes to mind is how the reciever should interpret = the information since it doesn't know when the device_code/user_code was = generated so it doesn't know how much of expires_in which has already passed. = (Which is not something for us to solve, just a general observation.) + even if they can't use the non-textual method. Review the RFC's + notes + on non-textual verification. To align more with the rest of the documentation I think something along = these lines is better: "For more information, see section 3.3.1 in RFC 8628. Assert(cnt =3D=3D 1); - return 1; /* don't fall through in release = builds */ + return 0; While not introduced in this fixup patch, reading it again now I sort of = think we should make that Assert(false) to clearly indicate that we don't = think the assertion will ever pass, we're just asking to error out since we = already know the failure condition holds. > - 0009 is gold-plating for the OAUTH_STEP_WAIT_INTERVAL state: + actx_error(actx, "failed to create timer kqueue: %m"); Maybe we should add a translator note explaining that kqueue should not = be translated since it's very easy to mistake it for "queue". Doing it on = the first string including kqueue should be enough I suppose. -- Daniel Gustafsson