Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1p2zlM-00022X-UZ for pgsql-hackers@arkaria.postgresql.org; Wed, 07 Dec 2022 19:07:25 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1p2zkN-0000RI-PU for pgsql-hackers@arkaria.postgresql.org; Wed, 07 Dec 2022 19:06:23 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1p2zkN-0000R8-AK for pgsql-hackers@lists.postgresql.org; Wed, 07 Dec 2022 19:06:23 +0000 Received: from mail-lj1-x232.google.com ([2a00:1450:4864:20::232]) by makus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1p2zkL-0004ev-0E for pgsql-hackers@postgresql.org; Wed, 07 Dec 2022 19:06:22 +0000 Received: by mail-lj1-x232.google.com with SMTP id z4so21985883ljq.6 for ; Wed, 07 Dec 2022 11:06:20 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=timescale.com; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=cbmsIIantpnQqIbzns6XkmOXTPJCg7W1bthdDnGQSIc=; b=XF4qxMCTCNTUvoc3Zc5dj9siHXNe40Y1PImcDN9xg4alFw34ObPKn1MAPKQsbiTcPF gkrfzuvmHO5b2g6YMDiWg/pTuZmzDVVtcoqQYDTHZK5KfFOr43KIr/vhpTtD9AINWy1g +YWgfWq9l/+sKM0nc4iouDpWuQJHHtmsetLfkdzLC1kP7txzrWWjvbNC3OudpJGdZVaD 8EfPi9woqoHL1T+NO3xCSDMCEQdX1oolr/GQyIuXioPwD7yhtsOU9AHNfNnla11RM8DF IUSiGQke8JZ/WCrQsvl+oZff/Td248CW1q4hrteoeeB41aapThROh71ZGdTDV8r64DGR tMjQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=cbmsIIantpnQqIbzns6XkmOXTPJCg7W1bthdDnGQSIc=; b=d82JbrrszNwE3RaXWCEUn9lSKE35nztEzH5FdQgdGCsIuq3iiTpl6PUJgggq3XPfQk 1vkJQO92A9qgw9r7uGJTA7DbZJu9FCWVk+nwIfE7D32AQqhPSQZprGGrBbRXhnPR0uGD 2fDmrUuJ0Lk53xBlNyeoGR3POPFC1gPR3MMklyoMOuETOrcHPVqoV65Ht9/vntV2xKKz BJoHAdeVY/uFVsS5EeRizxmKjNXqnoifLLKA0kkr4xj3P2uzI3EKTvEusgA7DNOc4oYh 026TYobz5R9RDJHRNXh8pCD8YMPQb2Za04WpMi7ItTrgGieMIv+L6nkUaQyXI+PxNtwL dBVA== X-Gm-Message-State: ANoB5plmiP9x7uXY4G8PyxKBzJrTf/0bvncqqhZdUaY0KKMHchyxtu66 3zAeesx7dlXo1IcdUqNrunj8nVNm7cQrZnAtUolEdw== X-Google-Smtp-Source: AA0mqf6+PXRhMHwRD1K6B9pcyMSlpyDVOtMpMrPUbvEDFTgGEMiW3xqB3vk+E1t3Tpa8iLEbw9DfgaAXH4YZSm/ngeY= X-Received: by 2002:a2e:3512:0:b0:277:c68:874b with SMTP id z18-20020a2e3512000000b002770c68874bmr26703564ljz.261.1670439979236; Wed, 07 Dec 2022 11:06:19 -0800 (PST) MIME-Version: 1.0 References: <2f06a4aef1d5defe4b7aaec01478572e5557d32a.camel@vmware.com> <8a5a35b31c3f25f6b047e77def0445a60399981d.camel@vmware.com> <0e86fe7e3534fb05db02379fed404a2010eb1d62.camel@vmware.com> <4db7d3ea061f47a15fc6d865f53dd327ea2975fb.camel@vmware.com> In-Reply-To: From: Jacob Champion Date: Wed, 7 Dec 2022 11:06:07 -0800 Message-ID: Subject: Re: [PoC] Federated Authn/z with OAUTHBEARER To: Andrey Chudnovsky Cc: mahendrakar s , "hlinnaka@iki.fi" , "michael@paquier.xyz" , "pgsql-hackers@postgresql.org" , "smilingsamay@gmail.com" Content-Type: text/plain; charset="UTF-8" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Mon, Dec 5, 2022 at 4:15 PM Andrey Chudnovsky wrote: > I think we can focus on the roles and responsibilities of the components first. > Details of the patch can be elaborated. Like "flow type code" is a > mistake on our side, and we will use the term "grant_type" which is > defined by OIDC spec. As well as details of usage of refresh_token. (For the record, whether we call it "flow type" or "grant type" doesn't address my concern.) > Basically Yes. We propose an increase of the server side hook responsibility. > From just validating the token, to also return the provider root URL > and required audience. And possibly provide more metadata in the > future. I think it's okay to have the extension and HBA collaborate to provide discovery information. Your proposal goes further than that, though, and makes the server aware of the chosen client flow. That appears to be an architectural violation: why does an OAuth resource server need to know the client flow at all? > Which is in our opinion aligned with SASL protocol, where the server > side is responsible for telling the client auth requirements based on > the requested role in the startup packet. You've proposed an alternative SASL mechanism. There's nothing wrong with that, per se, but I think it should be clear why we've chosen something nonstandard. > Our understanding is that in the original patch that information came > purely from hba, and we propose extension being able to control that > metadata. > As we see extension as being owned by the identity provider, compared > to HBA which is owned by the server administrator or cloud provider. That seems reasonable, considering how tightly coupled the Issuer and the token validation process are. > 2. Server Owners / PAAS providers (On premise admins, Cloud providers, > multi-cloud PAAS providers). > - Install extensions and configure HBA to allow clients to > authenticate with the identity providers of their choice. (For a future conversation: they need to set up authorization, too, with custom scopes or some other magic. It's not enough to check who the token belongs to; even if Postgres is just using the verified email from OpenID as an authenticator, you have to also know that the user authorized the token -- and therefore the client -- to access Postgres on their behalf.) > 3. Client Application Developers (Data Wis, integration tools, > PgAdmin, monitoring tools, e.t.c.) > - Independent from specific Identity providers or server providers. > Write one code for all identity providers. Ideally, yes, but that only works if all identity providers implement the same flows in compatible ways. We're already seeing instances where that's not the case and we'll necessarily have to deal with that up front. > - Rely on application deployment owners to configure which OIDC > provider to use across client and server setups. > 4. Application Deployment Owners (End customers setting up applications) > - The only actor actually aware of which identity provider to use. > Configures the stack based on the Identity and PostgreSQL deployments > they have. (I have doubts that the roles will be as decoupled in practice as you have described them, but I'd rather defer that for now.) > The critical piece of the vision is (3.) above is applications > agnostic of the identity providers. Those applications rely on > properly configured servers and rich driver logic (libpq, > com.postgresql, npgsql) to allow their application to popup auth > windows or do service-to-service authentication with any provider. In > our view that would significantly democratize the deployment of OAUTH > authentication in the community. That seems to be restating the goal of OAuth and OIDC. Can you explain how the incompatible change allows you to accomplish this better than standard implementations? > In order to allow this separation, we propose: > 1. HBA + Extension is the single source of truth of Provider root URL > + Required Audience for each role. If some backfill for missing OIDC > discovery is needed, the provider-specific extension would be > providing it. > 2. Client Application knows which grant_type to use in which scenario. > But can be coded without knowledge of a specific provider. So can't > provide discovery details. > 3. Driver (libpq, others) - coordinate the authentication flow based > on client grant_type and identity provider metadata to allow client > applications to use any flow with any provider in a unified way. > > Yes, this would require a little more complicated flow between > components than in your original patch. Why? I claim that standard OAUTHBEARER can handle all of that. What does your proposed architecture (the third diagram) enable that my proposed hook (the second diagram) doesn't? > And yes, more complexity comes > with more opportunity to make bugs. > However, I see PG Server and Libpq as the places which can have more > complexity. For the purpose of making work for the community > participants easier and simplify adoption. > > Does this make sense to you? Some of it, but it hasn't really addressed the questions from my last mail. Thanks, --Jacob