Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vQQ4y-0075K2-1s for pgsql-hackers@arkaria.postgresql.org; Tue, 02 Dec 2025 13:06:05 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1vQQ4x-007hKx-26 for pgsql-hackers@arkaria.postgresql.org; Tue, 02 Dec 2025 13:06:03 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vQQ4x-007hKo-15 for pgsql-hackers@lists.postgresql.org; Tue, 02 Dec 2025 13:06:03 +0000 Received: from mail-yx1-xb134.google.com ([2607:f8b0:4864:20::b134]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1vQQ4u-002kVh-0G for pgsql-hackers@lists.postgresql.org; Tue, 02 Dec 2025 13:06:02 +0000 Received: by mail-yx1-xb134.google.com with SMTP id 956f58d0204a3-640f88b8613so3958660d50.2 for ; Tue, 02 Dec 2025 05:06:00 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=percona.com; s=google; t=1764680758; x=1765285558; darn=lists.postgresql.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=RsrhB9R2fWdo9MpuvJt3Bv7teHzLPnUIGVh+w6817mU=; b=PE6i4OeaCbE92NYWwPkmW8SrXTz75XHgKymY+J+jKGw4PX1qvjN2XLzp21weq9x+HJ jrxgNYg79E9bwX4TKZjNVns3PpNOVxvbmZSlc4uyRIeMR5/f2SVJ3acKKV3T5QVWLlkK ZDzC/PnePv1oH9vs8aGjcHfwEA12mtSFKI4XU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1764680758; x=1765285558; h=to:subject:message-id:date:from:mime-version:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=RsrhB9R2fWdo9MpuvJt3Bv7teHzLPnUIGVh+w6817mU=; b=GK26LxZQnOCkGeRrt7uZfEw7woyx7Jl/t6DR+/0AV6ZZuKVKmCMA3iyXj44gpSYo2T p/AOPnwWgzv12X9kRt5V3pTIXzc59cdzTHdNlZEXqQq0T6qL0iRtwJjtfqicOO38xTW5 XGsXMfoFG+2gt+YFNiuhDxquCC+5Twqgiw1H91dGOUd3As9vAv08gO8WOKIgiKHc4qpw 6tXu5U1+839f3oKgEla3yhoZPdFAFASIPKT4VNEwA6bYNOxmu2AL2y6NbjVYL14HL7Nt 1zAtnP65tiyUPmBKC06ARYg6qvHIBjR1xSl2Nb8obvObnAPN3ScfoinydceAwcMWLRQN IiDg== X-Gm-Message-State: AOJu0Yx/HgW4/3pvld7L7WnJMwz+8zWq+4abDItuGkzLxzMDVdT5Vq+p 9Rgj7nGkQeKX6mmWOiNRSZ46w/eTcWr4eng2Zo7WEtIF5yZUa7OlEyA+gvKyEDBym4ECSZp6FKe LOCl6MDZAxBExQ0jX/RjVfZ7iu1K8rFWLtTTbVCJ9Mw9bhSeKQPWF1UTNdgfc4JaNMIth/mqUdr iu0KXdrvj4rws0PSnRFv367bvjIkRMpENT6+SEV1l/3XukHDajMkLvVpe4U0shVC4tSt+DvVRHK PmmHUGZ8cKlWH0dc5/LvKGX1NCDzt5pSn3RtbqvIgrPlbZ+AT/RmWwVB1v/HT/TNOqSSrfQAl3g 1kZnlvU= X-Gm-Gg: ASbGncuNx+qjkuerjQpKURlpAB1NmKJYVjzxpwhpbYQOxwV4nqi1gEZyLp/Gt3PSFBm Yy8FPmMwFUxEQ2JIZoZZloenz9eQ++VtS4X1J6BR10o4NivTKMMOK6zBY3rc0pRmZCOo5FOel2e SOCyDUsnkzMsn+2SIlO2ZlN4FyCzeZY5DdjCugaNN7pwqiIR2Dp7nJg4vp24SKBnyBEZLoW9Oxc qEXhIqTnPu+x5J3rfIekYE9KKyQ51NfsCmfc1hbdr4sour9Q6jy1iIFlRjCdX9hy1jUpMHZG7gT yfwKzaB7gj3nqxbeFMp4JpBtaYjr2KaAM4ADolPspc0Si2+26v70u4rJw8oCuSGeN9U= X-Google-Smtp-Source: AGHT+IFL/I/d9iYn3y6iC7RgXf1NDaqpt1v9H/aaVMKD6Bo5aEGZhtCSh5CbaAJ6Dt2axsOhKB1niFAfoSi7O7OeM4I= X-Received: by 2002:a05:690e:1487:b0:63f:a457:6b21 with SMTP id 956f58d0204a3-64302a5f2b6mr30702865d50.33.1764680758152; Tue, 02 Dec 2025 05:05:58 -0800 (PST) MIME-Version: 1.0 From: Zsolt Parragi Date: Tue, 2 Dec 2025 13:05:49 +0000 X-Gm-Features: AWmQ_blHWEQ8XFq-s7KthUWX8bNdrgYXCxtUO0sRz2c61Tvi_2IBMIQBRKgHmcU Message-ID: Subject: Custom oauth validator options To: PostgreSQL Hackers Content-Type: text/plain; charset="UTF-8" X-CLOUD-SEC-AV-Sent: true X-CLOUD-SEC-AV-Info: percona,google_mail,monitor X-Gm-Spam: 0 X-Gm-Phishy: 0 List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Hello hackers, The current OAuth code allows validators to add custom validation logic, but does not allow them to introduce custom authentication-related parameters in the place where they belong: pg_hba.conf. As a workaround, both pg_oidc_validator and postgres-keycloak-oauth-validator (and likely others; these are simply the two I know of) rely on GUC variables instead. I see two issues with this: 1. Configuration for OAuth validation ends up split across two locations: issuer/scope and a few other parameters are defined in pg_hba.conf, while custom parameters must be set in postgresql.conf. 2. We have received multiple questions asking how to configure multiple OIDC servers with different parameter sets. I am not sure how common it is to use multiple OAuth providers with a single PostgreSQL instance, but the question is certainly reasonable. Given this, I would like to ask what you think about making pg_hba.conf extensible. At present, option parsing is hardcoded in parse_hba_auth_opt, and any unknown parameter triggers an error at the end of the function. I can see a few possible approaches: a. Add an OAuth-specific hook that allows injecting additional option-parsing logic into this function, as part of the existing OAuthValidatorCallbacks. This could be scoped to the validator used on the specific HBA line, even if multiple validators are loaded. b. Allow the existing startup callback to supply a list of additional valid configuration names, with the validation callback responsible for parsing and validating them. c. Add a more generic hook usable by any extension. I do not currently have concrete use cases outside OAuth, but perhaps others do. I would be interested in your thoughts on whether an improvement in this area would be useful. I also have two related questions, which might be addressed as part of the above or independently: 1. HBA options are parsed sequentially. If validator-specific options are tied to a particular validator, this implies that validator=... must appear before its parameters when multiple validators are loaded, since we cannot otherwise determine which validator is used. Is this acceptable behavior, or should options be allowed in any order? 2. If a validator introduces many options, an HBA line could become very long and hard to read. Would it make sense to allow loading the parameters for a given line from a separate file? This might already be useful today: for example, if a long issuer URL is repeated across several HBA lines, it could instead be defined once in an external file and referenced multiple times.