Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vnbHA-009JbH-1x for pgsql-hackers@arkaria.postgresql.org; Wed, 04 Feb 2026 11:42:28 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1vnbH9-00B3gf-1T for pgsql-hackers@arkaria.postgresql.org; Wed, 04 Feb 2026 11:42:27 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vnbH9-00B3gX-0R for pgsql-hackers@lists.postgresql.org; Wed, 04 Feb 2026 11:42:26 +0000 Received: from mail-yw1-x112e.google.com ([2607:f8b0:4864:20::112e]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.98.2) (envelope-from ) id 1vnbH6-00000000W3l-2fJ3 for pgsql-hackers@lists.postgresql.org; Wed, 04 Feb 2026 11:42:26 +0000 Received: by mail-yw1-x112e.google.com with SMTP id 00721157ae682-790b7b3e594so71347857b3.3 for ; Wed, 04 Feb 2026 03:42:24 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1770205344; cv=none; d=google.com; s=arc-20240605; b=iwbEQLxNOOpVRlqoqgtqEZbLnFXKrdTiRIEKV+O3ZdSDiJA+cny1Hu/mO9Q/oKkNCZ a1gxsmD2zUwuTjtQb7l94hX7HitC31Ci/qZSJoMQj1uyN1FoVNGZXLUn1fjUa/CQBx+f kVMbMD96ueNsfonBtUVNBM22V7mG16qSVIg4q8Bwv1raUWnC+H7Vqh3KRdz1WqOMgf5z R4FPHY3J10H1fLrjbeAREowJoEzAtvKDaivZvHmn9Nn2/sGB2M3BjM8AV+TCq+hiJoyh Dsf+V7o7T39ImsVzH7/sjnOjGyDDdqNCAn92Xes2hsyZeMu1WzVhqni1nbbp9cu58cmN DZVw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=VuUJ3iWaRlI/fN/i7Wme538RVUriLCfBeMYrl8wOOL8=; fh=5QRFZa55yGRW+IKmi9DIwbx+Fc9LrAxgsf6LTSCS+8w=; b=Txcf7BWg6cm5icQr10WNKowuWln+oVoyFRqms/zAIjK6vaZW2bbn711opTSSiE6S8E sTQETs+jQdQ2UBaz61jrfpOhMv+xgAMO3yFIIVX3oiA/i3rcQ/HwlCHaWYrfsmOojo1K nM/gMyYQ4N6L1bBCTBNK3TClsI8sf+KuNfP7FpmKG5s7MIaUHvRTApebC3FzztXv0KK5 u3X5PCHsnbGLg7EoUXiLfL/0mOOq4P95DwuSpu0nB3jQ0hDKDjLwFf/jkw2qPs8zHy4X sgDliCpBKMhrDgn7O57cIVOVQfnNHeu/kivcDqrzL3h2g9H5uDwmHnBsO5ycgSHajhKK cBJg==; darn=lists.postgresql.org ARC-Authentication-Results: i=1; mx.google.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=percona.com; s=google; t=1770205344; x=1770810144; darn=lists.postgresql.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=VuUJ3iWaRlI/fN/i7Wme538RVUriLCfBeMYrl8wOOL8=; b=K5hNXg/nmHIl6gRncuveD1A/JbRuqtK/zUkO1P6cZZ5UVQxSiuJ09GdVU7qR8GiNRf 1NWZ14T0MZqTLh71wpniahtrcL3yY1HPNWeXEk8DORSlLSHcw5NvWcCmhmSa41Q2uGmN sbtiBz7PCC6fLKfnBVipaLjyC9aMqngZqw91c= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1770205344; x=1770810144; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=VuUJ3iWaRlI/fN/i7Wme538RVUriLCfBeMYrl8wOOL8=; b=j7sevFpksEwOYFQhnRe21XNSd+/sUD+uQ38UCtaS8kRocosXaqeIIQnQ8ssBNUDL2+ Zrj4rrqkVe+TcoKHL3Yy3ohaOYo/gJGf9pShv0Fr0Zaxtjy+CwE7+pKpLH2zzolEGOmw /tAJcrv06B+b1sRtbwKckGU/noOf8ya1Yn/D4A1/lU6PjnEpvcRMqaYlRf7TuxajNyS3 Y3DEybpbC37JRfOPRR0uJaI6RlcPrFDGXsn7v4QcznkKrd/yG5W7WVN2UtHvYZHhhAM5 PLcQsZmcTnGpnkfm9tKCVlUcvS48Fe3OyWRHnTFgVaOeLdu6owvYCznjP+jwkLXp6Dzo 4FhQ== X-Forwarded-Encrypted: i=1; AJvYcCX9bre/EdKsHzOAoOetOLnBza41J8cjQQN7DQn5o78puFVTZ4yaSuCYHrRYKytppJNIEnY29+95SxVEUHFS@lists.postgresql.org X-Gm-Message-State: AOJu0Yz/GeIdjoD+jn0cJR3Ahard0hCqk7VXECiEWiwYAhB+OdHfU//+ zLy25sWWOmP3Wssm3cg6NnCJ4VvcE4KtrcCl0WzfGUirrzEbblZCxu6ciBRpXxVphisegSi+znU lGsDluj2qrsWjeSG93g1sC4EhGzqgzOZfpxtT/FjBFmmBdhizM3aGIIqu7DYrqhkeCcFUWV35d4 NFynXtkJmmiJGSqBvR3zbMEL8asMxVs1PUJpZgAv6sATQiM1L0NtPLgPZK5f5feI9dZtFMCo1Qt fcg3HroioELXXV1XzriIyDMAG+cEUzRXNGzQ0KdmkDtrKqcSK7q71HsjcM9zFWWBuY= X-Gm-Gg: AZuq6aJmcbvQBmDjgFGdtTaGLRcOmXK8D20hTf0QsI0hqVRtxoX4Ak97Qsx2J73NhCz 7lpiwxYCUqN+zSen/56rdE/tOkuvGw7YiI3KSEpX6k1UTpIYyV/g/v1fDBjLHYyotqx40jsjS14 l3tZfzHn9Eh0aztKmsP3a1zCbykQbjCcg27PUacru++BaLBEzZnEaDMOp5WGkJJXh63tM/1T+a/ F3I0F+Rvz5jN9XdgoMILNjIAmCM4DqiYVGBBmJHQVVAK6qEe9jz/ICFMq/116y+hEddjBc+41Jw n6XavVrNiQNmVb13PgDVJ8U2I3uNbuL+BW0nyPVFWf7G53WbMuGZcwrl X-Received: by 2002:a05:690c:62c7:b0:78f:a92d:117d with SMTP id 00721157ae682-794fe78caf7mr24637187b3.47.1770205343532; Wed, 04 Feb 2026 03:42:23 -0800 (PST) MIME-Version: 1.0 References: <202601281620.m3hrqtih5b2w@alvherre.pgsql> In-Reply-To: From: Zsolt Parragi Date: Wed, 4 Feb 2026 11:42:12 +0000 X-Gm-Features: AZwV_QhwUJpFeKDpJYoyaituH2pMrGc_xe4HDm2qD0nL4AcLW9kpB8LeSHrgG0U Message-ID: Subject: Re: Custom oauth validator options To: Nikolay Shaplov Cc: =?UTF-8?Q?=C3=81lvaro_Herrera?= , Jacob Champion , VASUKI M , PostgreSQL Hackers , david.g.johnston@gmail.com, Robert Haas , myon@debian.org Content-Type: text/plain; charset="UTF-8" X-CLOUD-SEC-AV-Sent: true X-CLOUD-SEC-AV-Info: percona,google_mail,monitor X-Gm-Spam: 0 X-Gm-Phishy: 0 List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk I've looked into the patch in more detail. (I will post a review later to that thread, I have some notes I have to format properly) As for this use case, we could use this (for my original B or C options), but I see a potential problem: First, we either only use this code to feed the unknown parameters to the options parser, and keep the existing hba options parser as is for the hardcoded parameters. Or also include the fixed options in it, so that everything works exactly the same. Then we either make it limited to oauth validators, or try to keep it generic for any session_preload_libraries. If we only use this for unknown options, and limit it to oauth validators, then options.h/c could work as is. If we want to implement anything more generic, we'll face issues, as the current API only supports validating the input once. In the most generic case: * Parsing the core hba options in postmaster * Validating core options, ignoring unknowns * Loading the oauth validator * Validating options again, as the validator needs its custom options - having unknown remaining options is still valid * Running the validator * Loading session preload libraries * Validating options again - unknown options are an error now So up to 3 times, and it also needs a way for extensions to edit spec sets. (In the simple case, only the validator has to know about that) I think this makes this impractical for the more complex applications, but if we want to go back to the minimal original concept, limited to oauth validators, it could work. I'm also not sure how useful this non-GUC API would be for extensions other than validators, which also tells me that this version should be limited to the validators. Also, this isn't an approach with an easy way to convert it into PGC_HBA, as it requires a clearly different api in the validator - I don't see a nice way to do that without changing the API used by the validators.