public inbox for [email protected]  
From: Zsolt Parragi <[email protected]>
To: Jacob Champion <[email protected]>
Cc: Nikolay Shaplov <[email protected]>
Cc: Álvaro Herrera <[email protected]>
Cc: VASUKI M <[email protected]>
Cc: PostgreSQL Hackers <[email protected]>
Cc: [email protected]
Cc: Robert Haas <[email protected]>
Cc: [email protected]
Subject: Re: Custom oauth validator options
Date: Mon, 23 Mar 2026 21:45:38 +0000
Message-ID: <CAN4CZFMxQzFD0ZJS7pX5Ajdei7TmpROEZKG5vxmfmhCQEQX3fA@mail.gmail.com>
In-Reply-To: <CAOYmi+nTXGcroZD_Mnkc8LYWYFbfDYNR4ML_yQ5sF9+DY2amcg@mail.gmail.com>
References: <CAN4CZFPmF9fGOcFubwOxqXymhVo_RvbUx3bLoYQcfk=f0mwECw@mail.gmail.com>
	<[email protected]>
	<CAN4CZFPUfTj-BF-m5=F7_MnY_T3+Qh-DuG7N7ojdbJDkT8JHeA@mail.gmail.com>
	<[email protected]>
	<CAN4CZFMCh3vOWGPbU5pTB-bwnoAtgFuDJmGGv7z7xeez+WJiag@mail.gmail.com>
	<CAN4CZFMGwGdMnxP07Rk2qrC9eGQt31Lrerrnk66vQuzRhDEwiw@mail.gmail.com>
	<CAOYmi+nTXGcroZD_Mnkc8LYWYFbfDYNR4ML_yQ5sF9+DY2amcg@mail.gmail.com>

> I considered letting this lapse for 19 instead

That was also my conclusion. After the discussion in the SNI thread I
started working on a PoC for a more modern syntax for hba/ident/hosts,
hoping that a generic extensibility/guc patch could be based on that.
I also didn't want to start a thread about this before the feature
freeze, so I'm still waiting/prototyping for a few weeks.

I'm also not against adding an oauth-only feature for 19, that was my
original intention before getting completely distracted by the guc
direction :)

+ else if (strncmp(name, "validator.", strlen("validator.")) == 0)
+ {
+ const char *key = name + strlen("validator.");
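
Review bot: `key` becomes an empty string when the option is written as exactly `validator.` with nothing after the dot, and the lines shown here do not reject that case. Unless it is handled further down in this block, a check such as `if (*key == '\0')` that reports an error before `key` is used would be worth adding. The `"validator."` literal also appears three times; a single named constant for the prefix would keep the comparison length and the pointer offset in sync.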

This is my only concern with this patch: since we have a list
separated validator names as a GUC already, couldn't we require a
<validator_name>. prefix instead of the fixed "validator.", to keep
the hba configuration consistent with gucs?

Validators would still have to handle these options differently, but
at least it would look consistent from the user perspective - global
setting in postgresql.conf, same hba-line specific override in
pg_hba.conf. (also, validators already added global GUCs in pg18, and
this would also keep it consistent with that)


+ REQUIRE_AUTH_OPTION(uaOAuth, name, "oauth");

Shouldn't this check go before the name validation?




