Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vVl3W-007D7y-2H for pgsql-hackers@arkaria.postgresql.org; Wed, 17 Dec 2025 06:30:39 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1vVl3U-00Adb4-2T for pgsql-hackers@arkaria.postgresql.org; Wed, 17 Dec 2025 06:30:37 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vVl3U-00Adav-16 for pgsql-hackers@lists.postgresql.org; Wed, 17 Dec 2025 06:30:37 +0000 Received: from mail-ej1-x62e.google.com ([2a00:1450:4864:20::62e]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1vVl3T-0016FB-1r for pgsql-hackers@lists.postgresql.org; Wed, 17 Dec 2025 06:30:36 +0000 Received: by mail-ej1-x62e.google.com with SMTP id a640c23a62f3a-b7cf4a975d2so927117066b.2 for ; Tue, 16 Dec 2025 22:30:35 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1765953032; x=1766557832; darn=lists.postgresql.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=a1nnALq0PdtqbdC/XR1y9j9q6UJ/8lo6kVDP0rBXJwk=; b=JvAdLTQTXn9PYj+KFTH0NjFIGzlLhYgbG9vuJorEGeSZ78vBmMTUVVCr+Go6cuGs9w M6Cn06FINT9hgwncKNTvik6amLDql167rRXe6AWcQKwQtuNQQAdd9ZvKk8iR5N37VIf2 Ojh5VRFHisnd5L2tRjKEsJkf91+MTvKyrR6spoRdtrKMgMIZD/AjswHI5TyBS3cI2eTL 7UAU0RMLbnWhJ4IwW0T1Y39KG65yAc7ve88HBxhowRh7ihz4PqxQGoKGsKEcpeWk5sYs 8/TjFqX1g9p2mpq5QIUgCp7GjDfvYHhEnLbqGv8udR/apis1u0jBhdnN0XYyAj9Acrgs hGeQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1765953032; x=1766557832; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=a1nnALq0PdtqbdC/XR1y9j9q6UJ/8lo6kVDP0rBXJwk=; b=KwRdqfvTaGoHQH+sVwNPhfgPe7+Pulv6ulBvz7eU4fRGHR2hmMUU/1OOEtQH30/B7j lq+rEJg/Rbp436pTK4+WPBaHqvEwdr48KQWDyY/H0FDnYX4f/M0VgdWeJ7udYJpx1XRm 5RiXoIMaiDp4WSpVJsa27EcqSVdVXlgAv6jkwFZoV9EK3755lS3ej3nfzYbqZGrs+jCc s6wV2PBQAMc1pqxBcng6mpRmNNN7B/f0m/8LA2jloJNeY+Be+ePh+rWHqkWFA4k2EJ7e yyw7kxP/0B9+ALoWXxO/Pq02yVkTBaEemXGV2ykJXrjcS4xMJRMxkXg/D+34/HgKLsT6 aBDA== X-Gm-Message-State: AOJu0YzwHrB3BaClX0eyWuRK+6uzg0THBJuiXenDAxD++Fnhk5v+7Ph2 lTZeTiVzCWQPDsfkbcsxQTf3av302d7yeIT8eoV90k0iChepzv4ZbIGMnb2viYMGi+wCef4z2l+ XyeyDb6iCe0xkUS7PQFTA/K9Ua3bIuUk= X-Gm-Gg: AY/fxX6OAfAaNwCzFFeEmhgOs08FIRzS7RPzvVzo+iZ/knCkygHy9xDWl2Op4ymUbVQ x0UBstij1pEr45lbI1bGiOEC+7ypLL8ugc2cqU9ho6O6B8VC2DI+YmOtIMBVaDwS0L2F8is10JJ VwUYb7ZJNz5vOQqGuDHGnuzUXX5Ss2bwhpNxwqfR/Gj5ujAKr8yEzLwAaHzujiLDePOMzclJuMm twreKJMnJFu+x4JbTWu2vK3llAay+sUE8JZtkqZYK/19mb/VwIQ9HzhlSiwBGPbrqDiDmg= X-Google-Smtp-Source: AGHT+IEc9QSpueX1xsgtsUAOGK8lStNz4vbz7p/nAA01F8oCYOS8z/elQIceHRp1kB9XfkYGo/jovwl+Xws4AP3ro7Q= X-Received: by 2002:a17:906:c144:b0:b80:b7f:aa10 with SMTP id a640c23a62f3a-b800b7fc025mr139076066b.59.1765953031649; Tue, 16 Dec 2025 22:30:31 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: VASUKI M Date: Wed, 17 Dec 2025 12:00:44 +0530 X-Gm-Features: AQt7F2p4_AmMjP495YFD7yQAqU-e5CHeOOQ2CGX4lukfxPDZm2BE75k8Qo8IqKs Message-ID: Subject: Re: Custom oauth validator options To: Zsolt Parragi Cc: PostgreSQL Hackers , jacob.champion@enterprisedb.com, david.g.johnston@gmail.com, Robert Haas , myon@debian.org Content-Type: multipart/alternative; boundary="000000000000243cc806461ffbfb" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --000000000000243cc806461ffbfb Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi All, The core issue,as you said,is that OAuth validators can add custom validation logic,but they can't define their own authentication-related parameters in pg_hba.conf,where they naturally belong.Because of that,validator-specific config ends up pushed into postgresql.conf via GUCs,which feels a bit awkward and scattered. That leads to the same points you mentioned: 1]OAuth configuration gets split between pg_hba.conf and postgres.conf,which is confusing to reason about. 2]using multiple OIDC/OAuth providers with different parameter sets on a single Postgresql instance is hard(or effectively impossible),even though it's a pretty reasonable use case. Given the constraints of the current HBA model(and similar issues that recently came up with SNI),I agree that anything involving generic extensibility or nested configuration would be a big hammer and likely too complex. I also have two related questions, which might be addressed as part of > the above or independently: > > 1. HBA options are parsed sequentially. If validator-specific options > are tied to a particular validator, this implies that validator=3D... > must appear before its parameters when multiple validators are loaded, > since we cannot otherwise determine which validator is used. Is this > acceptable behavior, or should options be allowed in any order? > > 2. If a validator introduces many options, an HBA line could become > very long and hard to read. Would it make sense to allow loading the > parameters for a given line from a separate file? This might already > be useful today: for example, if a long issuer URL is repeated across > several HBA lines, it could instead be defined once in an external > file and referenced multiple times. > > So the direction I'm most aligned with is option (b): letting OAuth validator advertise a limited list of additional valid option names for pg_hba.conf,while keeping parsing,ordering rules,and validation firmly in core.That seems like the least spicy option-incremental,OAuth-scoped,and not a redesign of HBA parsing. Reg. ordering:requiring validator=3D to appear before validator-specific options feels acceptable to me if this is pursued,since it keeps parsing simple and avoids ambiguity. Reg very long HBA lines: totally agree this is a real readability issue,but allowing per-line includes or external file feels like a seperate(and much bigger)topic,probably best tackled independently. Overall, +1 that this limitation is real and worth discussing.I=E2=80=99ll = plan to send a patch shortly exploring option (b). Regards, Vasuki M CDAC,Chennai. --000000000000243cc806461ffbfb Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable

Hi All,

The core issue,as you sa= id,is that OAuth validators can add custom validation logic,but they can= 9;t define their own authentication-related parameters in pg_hba.conf,where= they naturally belong.Because of that,validator-specific config ends up pu= shed into postgresql.conf via GUCs,which feels a bit awkward=C2=A0and scatt= ered.

That leads to the same points you mentioned:

1]OAuth con= figuration gets split between pg_hba.conf and postgres.conf,which is confus= ing to reason about.
2]using multiple OIDC/OAuth providers with differen= t parameter sets on a single Postgresql instance is hard(or effectively imp= ossible),even though it's a pretty reasonable use case.

Given th= e constraints of the current HBA model(and similar=C2=A0issues that recentl= y came up with SNI),I agree that anything involving generic extensibility o= r nested configuration=C2=A0would be a big hammer and likely too complex.

I also have two related questions, which might be addressed as part of
the above or independently:

1. HBA options are parsed sequentially. If validator-specific options
are tied to a particular validator, this implies that validator=3D...
must appear before its parameters when multiple validators are loaded,
since we cannot otherwise determine which validator is used. Is this
acceptable behavior, or should options be allowed in any order?

2. If a validator introduces many options, an HBA line could become
very long and hard to read. Would it make sense to allow loading the
parameters for a given line from a separate file? This might already
be useful today: for example, if a long issuer URL is repeated across
several HBA lines, it could instead be defined once in an external
file and referenced multiple times.


So the direction I'm most aligned with is option (b): letti= ng OAuth validator advertise a limited list of additional=C2=A0valid option= names for pg_hba.conf,while keeping parsing,ordering rules,and validation = firmly in core.That seems like the least spicy option-incremental,OAuth-sco= ped,and not a redesign of HBA parsing.

Reg. ordering:requiring valida= tor=3D to appear before validator-specific options feels acceptable to me i= f this is pursued,since it keeps parsing simple and avoids ambiguity.
Re= g very long HBA lines: totally agree this is a real readability issue,but a= llowing per-line includes or external file feels like a seperate(and much b= igger)topic,probably best tackled independently.

Overall, +1 that th= is limitation is real and worth discussing.I=E2=80=99ll plan to send a patc= h shortly exploring option (b).

Regards,

Vasuki M
CDAC,Chen= nai.


=C2=A0
--000000000000243cc806461ffbfb--