From: Zsolt Parragi
Date: Mon, 23 Mar 2026 21:45:38 +0000
Subject: Re: Custom oauth validator options
To: Jacob Champion
Cc: Nikolay Shaplov, Álvaro Herrera, VASUKI M, PostgreSQL Hackers, david.g.johnston@gmail.com, Robert Haas, myon@debian.org
References: <202601281620.m3hrqtih5b2w@alvherre.pgsql>

> I considered letting this lapse for 19 instead

That was also my conclusion. After the discussion in the SNI thread I started working on a PoC for a more modern syntax for hba/ident/hosts, hoping that a generic extensibility/guc patch could be based on that. I also didn't want to start a thread about this before the feature freeze, so I'm still waiting/prototyping for a few weeks.

I'm also not against adding an oauth-only feature for 19, that was my original intention before getting completely distracted by the guc direction :)

+ else if (strncmp(name, "validator.", strlen("validator.")) == 0)
+ {
+ const char *key = name + strlen("validator.");

This is my only concern with this patch: since we have a list separated validator names as a GUC already, couldn't we require a . prefix instead of the fixed "validator.", to keep the hba configuration consistent with gucs? Validators would still have to handle these options differently, but at least it would look consistent from the user perspective - global setting in postgresql.conf, same hba-line specific override in pg_hba.conf.

(also, validators already added global GUCs in pg18, and this would also keep it consistent with that)

+ REQUIRE_AUTH_OPTION(uaOAuth, name, "oauth");

Shouldn't this check go before the name validation?
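
Review bot: In the strncmp(name, "validator.", ...) branch, key = name + strlen("validator.") is an empty string when the option name is exactly "validator.", and the quoted lines show no check for that case; rejecting an empty key with a clear error before it reaches a validator would close the gap. The literal "validator." also appears three times in these lines, so a single named constant for the prefix would keep the comparison length and the offset from drifting apart.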
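
Review bot: The REQUIRE_AUTH_OPTION(uaOAuth, name, "oauth") check belongs at the top of the validator. branch, ahead of any validation of the key, so that a line using another auth method is rejected for the method mismatch rather than for a key error that does not apply to it. The line is quoted on its own here, so its current position relative to the key handling cannot be confirmed from this message.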