From: Zsolt Parragi
Date: Fri, 16 Jan 2026 17:13:52 +0000
Subject: Re: Custom oauth validator options
To: Jacob Champion
Cc: VASUKI M, PostgreSQL Hackers, david.g.johnston@gmail.com, Robert Haas, myon@debian.org

> Last I knew (which was a while back),

Yes, I didn't want to say anything for sure, but I have similar memories on Windows a while ago. I don't know anything for sure about today, and especially on Linux, but delegating things to another process seems to be a safer approach to me.

> [checks] Ah, it does prohibit those. Why?

Mainly because I couldn't decide where it should fit if the variable is set at multiple places (or if we need multiple sources like PGC_S_DATABASE_USER).

* A hba line can be completely generic, which should be above DATABASE (ALTER DATABASE setting should override HBA setting, as it is more specific)
* Or very specific about one user in one database using a specific authentication method, which should be below DATABASE_USER as it is more specific. (hba setting should override ALTER USER ... IN DATABASE setting)

The first choice seems more logical to me, as that's how pg_hba is usually used, but I thought this could still be confusing.