Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pUb3p-0005sD-QM for pgsql-hackers@arkaria.postgresql.org; Tue, 21 Feb 2023 22:24:33 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1pUb3o-0003ll-Dy for pgsql-hackers@arkaria.postgresql.org; Tue, 21 Feb 2023 22:24:32 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pUb3o-0003kr-2X for pgsql-hackers@lists.postgresql.org; Tue, 21 Feb 2023 22:24:32 +0000 Received: from mail-oa1-x2d.google.com ([2001:4860:4864:20::2d]) by magus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1pUb3h-0002vp-IL for pgsql-hackers@postgresql.org; Tue, 21 Feb 2023 22:24:31 +0000 Received: by mail-oa1-x2d.google.com with SMTP id 586e51a60fabf-1722c48a773so4273892fac.2 for ; Tue, 21 Feb 2023 14:24:25 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=timescale.com; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=KKl4sYh+VA0wsA32calu7fFrsi1/GNsU+WuVKOm27eQ=; b=KILm/0vreyMZDKQ1peVXVGrtKqQvnbNZ6JDM+ysDicxFg70PDkPzpc+JCsGLAjyE9z D+uFp6mb9BgxRaI+i7SJR441saas71sWNX32UbORvmT3M9VAFzkdzK9uzDu/K6nPBy2V b2AFgAEJlgnZbRVjDNzPZ96N4ejAUAGhY7lYert9FJDs9WFQ3RiSaQV5YWYR0T6unv6g qQnBsbj2MjvYgL7it7dYCpiK17gIV692NaZBEi3A2CqiMQJ4K25/+reNztp1rsxp79Z5 J1f1FQbG0OYCuZMpP0iRUKVpGS3Vzag8/93GjG8KWjdGMTwQTa8b2voPiILfPY4Dc1ok aYCA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=KKl4sYh+VA0wsA32calu7fFrsi1/GNsU+WuVKOm27eQ=; b=5ypujtLwIH3mO/m18WU0UnqiuQHypilcUNwkQsD5vZ/cdDLu8NizaJXoogdf7mFMQd A9ZtwwTcaDLWz1NJ+GoBqV6gIicp0sXg/GO+eEElzhUQE0g0r2PZP6xmUNMTFkScgHkO UxYY1OaoIlVlromNlbj+FJBHmsWg8ZQWOnyizU4F0/xMXz0IxPzFZVLSHaQdz/LEs6aP IBZ7BqrPeNYO2FvizcCfE/NRz0N+sb3XuREFWS57SRoLM+WCMoHmThF47lXGHt7UnqKh HzKa7ZmRlY6Vd+ty+i/9bK5uMMj6mtadnGgyFr01sFpQDjRiD5cpNvTvgwvabNKidCMY O8fA== X-Gm-Message-State: AO0yUKVI1gGqhuIGaVbxTsyBWemI4NasVeA2iQEyoJVB/CT4bLAj8qzW GfeKZ5iZ0MIgoEbiWp8TdTYiVAkrt/GRJveSoGN1hQ== X-Google-Smtp-Source: AK7set9Hst8c+N7XwvCz02xL9zIkEBNsyvUWOIJ0KD9ZVPbJb+h1cOh7ajkvfCt0RcfEE8Lz84UsnCxLPDKhoBgqdd0= X-Received: by 2002:a05:6870:e38f:b0:16e:27ce:7782 with SMTP id x15-20020a056870e38f00b0016e27ce7782mr1561094oad.213.1677018263479; Tue, 21 Feb 2023 14:24:23 -0800 (PST) MIME-Version: 1.0 References: <705e7eb8-29ee-a707-5a67-d2acfb2f3fad@timescale.com> In-Reply-To: From: Jacob Champion Date: Tue, 21 Feb 2023 14:24:12 -0800 Message-ID: Subject: Re: [PoC] Federated Authn/z with OAUTHBEARER To: Stephen Frost Cc: mahendrakar s , Andrey Chudnovsky , hlinnaka@iki.fi, Michael Paquier , Pg Hackers , smilingsamay@gmail.com Content-Type: text/plain; charset="UTF-8" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Mon, Feb 20, 2023 at 2:35 PM Stephen Frost wrote: > Having skimmed back through this thread again, I still feel that the > direction that was originally being taken (actually support something in > libpq and the backend, be it with libiddawc or something else or even > our own code, and not just throw hooks in various places) makes a lot > more sense and is a lot closer to how Kerberos and client-side certs and > even LDAP auth work today. Cool, that helps focus the effort. Thanks! > That also seems like a much better answer > for our users when it comes to new authentication methods than having > extensions and making libpq developers have to write their own custom > code, not to mention that we'd still need to implement something in psql > to provide such a hook if we are to have psql actually usefully exercise > this, no? I don't mind letting clients implement their own flows... as long as it's optional. So even if we did use a hook in the end, I agree that we've got to exercise it ourselves. > In the Kerberos test suite we have today, we actually bring up a proper > Kerberos server, set things up, and then test end-to-end installing a > keytab for the server, getting a TGT, getting a service ticket, testing > authentication and encryption, etc. Looking around, it seems like the > equivilant would perhaps be to use Glewlwyd and libiddawc or libcurl and > our own code to really be able to test this and show that it works and > that we're doing it correctly, and to let us know if we break something. The original patchset includes a test server in Python -- a major advantage being that you can test the client and server independently of each other, since the implementation is so asymmetric. Additionally testing against something like Glewlwyd would be a great way to stack coverage. (If we *only* test against a packaged server, though, it'll be harder to test our stuff in the presence of malfunctions and other corner cases.) Thanks, --Jacob