Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1obEFB-0001Oh-34 for pgsql-hackers@arkaria.postgresql.org; Thu, 22 Sep 2022 04:55:25 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1obEF9-0004al-Ua for pgsql-hackers@arkaria.postgresql.org; Thu, 22 Sep 2022 04:55:23 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1obEF9-0004ab-J7 for pgsql-hackers@lists.postgresql.org; Thu, 22 Sep 2022 04:55:23 +0000 Received: from mail-ej1-x635.google.com ([2a00:1450:4864:20::635]) by makus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1obEF6-0001IE-Jc for pgsql-hackers@postgresql.org; Thu, 22 Sep 2022 04:55:22 +0000 Received: by mail-ej1-x635.google.com with SMTP id 13so18444890ejn.3 for ; Wed, 21 Sep 2022 21:55:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=1NtMqwbwSJqTUVQjyiZD+D3lVB61jQwGHWdfwDZ+j1s=; b=JJyPChgUqiRZdgBSqbzg0mjtbcfEpeZu207HbCIrspvO6etNvezCGPsPbgCF/P5tSQ H0fg/jACbG3JMi8e58qXBCNxlUDajzltY4bhQMhAsQNYbbUHpBD28lHRerGJPD3Qbq3d /PvHbCibqv68UgF2NJsRyKkTwYWdrHbA0YWxquh2WM6gLHOarBqBPSYYQAHFc7lSmuEK fXpk36i0hZO/+6DdSB4CBb3AvQNJmkAxfGbSn+Yoe3zXjn/Dk4twjQE0tLqArTIR9uK6 2t0Ycb0gm2upsCYA3IRHhT3+VaVizcjQEOxqbuoIv06gWzQby4iOpnZ7JQ1bwQd5hhas qhgQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=1NtMqwbwSJqTUVQjyiZD+D3lVB61jQwGHWdfwDZ+j1s=; b=nYZAtg2unydcwL/vVFVrQbVDESDJUrsi3yslUoLVQZOSKWQ69d9yF6Qh/g+fhidUN6 XWxAP0RwnYheNQM2mK0IBCcDJZK8j/0ke/gU/uvroUYRYKaNyN4+0u3WBq9sO3phuuWD FvIRPm1pb3Hpk3W6H032L48hdGA+0ZxJVHKV4pHtIPJHZ8z4BeAqzdLgsBtLbTliMgcn FF69WQY2g2TRtKF//t7dT3omdQ7yd6NEdXyrbf2aRGrZvjiIc0iayT0EKg19V6SEpo2H Da1eWQ0PwpbusVio9P7nqQArtEJ7HduU0T0TvP3cmbnbFaGb18V45pMeE+B3ed2nOvDm iPnw== X-Gm-Message-State: ACrzQf2p+pRypUEle1qPGsXV4Vfw6E1mc3Hf4P/DNG481grtORO7K6YE pnPVvefwQdzYUoYhhxZTiudk/gCRWYblUCAOaMA= X-Google-Smtp-Source: AMsMyM40outdUM1pxWC+NLVZlfyd+qg9NZDtnTvO6pkUxxrcAWCLoNGP1JqB+R0jpCx+OWCAvhy9B9qKbvmwmvA9CJo= X-Received: by 2002:a17:907:3f19:b0:781:e579:46c2 with SMTP id hq25-20020a1709073f1900b00781e57946c2mr1230588ejc.382.1663822518698; Wed, 21 Sep 2022 21:55:18 -0700 (PDT) MIME-Version: 1.0 References: <2f06a4aef1d5defe4b7aaec01478572e5557d32a.camel@vmware.com> <8a5a35b31c3f25f6b047e77def0445a60399981d.camel@vmware.com> In-Reply-To: From: Andrey Chudnovsky Date: Wed, 21 Sep 2022 21:55:08 -0700 Message-ID: Subject: Re: [EXTERNAL] Re: [PoC] Federated Authn/z with OAUTHBEARER To: Jacob Champion Cc: Andrey Chudnovskiy , mahendrakar s , "pgsql-hackers@postgresql.org" , "smilingsamay@gmail.com" , "andres@anarazel.de" , Mahendrakar Srinivasarao Content-Type: text/plain; charset="UTF-8" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk First, My message from corp email wasn't displayed in the thread, That is what Jacob replied to, let me post it here for context: > We can support both passing the token from an upstream client and libpq implementing OAUTH2 protocol to obtain one. > > Libpq implementing OAUTHBEARER is needed for community/3rd party tools to have user-friendly authentication experience: > > 1. For community client tools, like pg_admin, psql etc. > Example experience: pg_admin would be able to open a popup dialog to authenticate customers and keep refresh tokens to avoid asking the user frequently. > 2. For 3rd party connectors supporting generic OAUTH with any provider. Useful for datawiz clients, like Tableau or ETL tools. Those can support both user and client OAUTH flows. > > Libpq passing toked directly from an upstream client is useful in other scenarios: > 1. Enterprise clients, built with .Net / Java and using provider-specific authentication libraries, like MSAL for AAD. Those can also support more advanced provider-specific token acquisition flows. > 2. Resource-tight (like IoT) clients. Those can be compiled without the optional libpq flag not including the iddawc or other dependency. ----------------------------------------------------------------------------------------------------- On this: > What I don't understand is how the OAUTHBEARER mechanism helps you in > this case. You're short-circuiting the negotiation where the server > tells the client what provider to use and what scopes to request, and > instead you're saying "here's a secret string, just take it and > validate it with magic." > > I realize the ability to pass an opaque token may be useful, but from > the server's perspective, I don't see what differentiates it from the > password auth method plus a custom authenticator plugin. Why pay for > the additional complexity of OAUTHBEARER if you're not going to use > it? Yes, passing a token as a new auth method won't make much sense in isolation. However: 1. Since OAUTHBEARER is supported in the ecosystem, passing a token as a way to authenticate with OAUTHBEARER is more consistent (IMO), then passing it as a password. 2. Validation on the backend side doesn't depend on whether the token is obtained by libpq or transparently passed by the upstream client. 3. Single OAUTH auth method on the server side for both scenarios, would allow both enterprise clients with their own Token acquisition and community clients using libpq flows to connect as the same PG users/roles. On Wed, Sep 21, 2022 at 8:36 PM Jacob Champion wrote: > > On Wed, Sep 21, 2022 at 3:10 PM Andrey Chudnovskiy > wrote: > > We can support both passing the token from an upstream client and libpq implementing OAUTH2 protocol to obtaining one. > > Right, I agree that we could potentially do both. > > > Libpq passing toked directly from an upstream client is useful in other scenarios: > > 1. Enterprise clients, built with .Net / Java and using provider-specific authentication libraries, like MSAL for AAD. Those can also support more advance provider-specific token acquisition flows. > > 2. Resource-tight (like IoT) clients. Those can be compiled without optional libpq flag not including the iddawc or other dependency. > > What I don't understand is how the OAUTHBEARER mechanism helps you in > this case. You're short-circuiting the negotiation where the server > tells the client what provider to use and what scopes to request, and > instead you're saying "here's a secret string, just take it and > validate it with magic." > > I realize the ability to pass an opaque token may be useful, but from > the server's perspective, I don't see what differentiates it from the > password auth method plus a custom authenticator plugin. Why pay for > the additional complexity of OAUTHBEARER if you're not going to use > it? > > --Jacob > > > >