From: VASUKI M
Date: Thu, 18 Dec 2025 10:44:05 +0530
Subject: Re: Custom oauth validator options
To: Jacob Champion
Cc: Zsolt Parragi, PostgreSQL Hackers, david.g.johnston@gmail.com, Robert Haas, myon@debian.org
On Thu, Dec 18, 2025 at 12:31 AM Jacob Champion <jacob.champion@enterprisedb.com> wrote:

> On Wed, Dec 17, 2025 at 1:28 AM Zsolt Parragi <zsolt.parragi@percona.com> wrote:
> > Instead we decided to let everyone configure which claim they want to
> > use for user mapping. But because of that, this is a GUC, and they can
> > only configure it once per server.
>
> We're getting closer; I agree that this needs to be more flexible than
> it is, and I'm on board with a change, but I'm still missing the
> "killer app". What's the case where a user has multiple HBA lines that
> all want to use unrelated claims for authentication to one Postgres
> cluster? Is this multi-tenancy, or...?

Beyond multitenancy, per-HBA OAuth cases where options are needed for safe provider migration [blue/green], per-database security policies, mixed human/machine authentication [JWT/introspection] and incident-response scenarios: all global GUCs are too coarse.

> See also the old conversation regarding LDAP hba/ident [1]
>
> [1] https://postgr.es/m/CAOuzzgpFpuroNRabEvB9kST_TSyS2jFicBNoXvW7G2pZFixyBw%40mail.gmail.com

Thanks, will go through it.

Regards,
Vasuki M
CDAC, Chennai.