From: Zsolt Parragi
Date: Wed, 17 Dec 2025 09:33:51 +0000
Subject: Re: Custom oauth validator options
To: Jacob Champion
Cc: PostgreSQL Hackers

> What kinds of parameters? Having a motivating use case would be
> helpful; HBA isn't always as flexible as people assume and I want to
> make sure that we can end with a usable feature.

One issue we have is that some providers don't allow users to select what goes into the subject claim, but do allow users to define custom claims.

Additionally, the subject claim is sometimes a randomly generated id, which gets generated on the first login to the client, and that makes it practically unusable for pg. It would require:

* user trying to log in to pg
* getting rejected
* figuring out what the subject is
* adding it to pg ident / some other config
* user can finally log in

Instead we decided to let everyone configure which claim they want to use for user mapping. But because of that, this is a GUC, and they can only configure it once per server.

The postgres-keycloak-oauth-validator is in an even worse situation; they decided to use a long list of GUC parameters[1]. The main reason is that they use an introspection endpoint for validation instead of the JWT, so they need multiple parameters for that. Some of these GUCs seem redundant to me, but some of them are definitely required. They also have parameters for the client id and debugging - those are things we are also considering adding to our validator.

> (I'm only halfway serious with (e) -- I don't really intend to drive
> your thread straight into a wall. But when I read proposals a-c, I get
> the sinking feeling that this *should* be solved in a more radical
> way, if we could only agree on a direction...)

I tried to propose simple things that are relatively easy to implement, and wouldn't change too much at once, so there's a realistic chance of this making it into PG19. I'm not against having a bigger goal, and continuing to make it even better after that.

> A hypothetical PGC_HBA context would seem to fit nicely between
> PGC_SIGHUP and PGC_SU_BACKEND.

How would you configure that since the hba lines don't have IDs? Should we add a "guc_name" parameter to HBA for this or something like that?

I like this idea, it would be fun to implement and see how it works, I'm just wondering how users could use it.

[1]: https://github.com/cloudnative-pg/postgres-keycloak-oauth-validator/blob/5fceacf53c3d86fbbe18dab0341311855a89fe6a/src/kc_validator.c#L741
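As an added example (not code from this thread, nor from either validator it mentions), the Python sketch below shows the user-mapping step the message describes: the validator picks one configurable claim out of the token payload and runs it through a pg_ident-style map, failing closed when the claim is absent. The token, the custom claim name `pg_user`, the opaque `sub` value and the map entries are all constructed for the example; JWS signature verification is assumed to have already happened and is not shown.

```python
import base64
import json
import re


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_constructed_token(payload):
    # Constructed compact-JWS layout (header.payload.signature). The signature
    # is a placeholder: this example assumes the real validator has already
    # verified the JWS before claim selection starts.
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}.PLACEHOLDER_SIGNATURE"


def jwt_claims(token):
    """Return the payload claims of a compact JWT (no signature check here)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))


def select_identity(claims, claim_name):
    """Pick the single claim the deployment configured for user mapping.

    Missing, non-string or empty claims are rejected rather than falling
    back to another claim, so a misconfiguration fails closed.
    """
    value = claims.get(claim_name)
    if not isinstance(value, str) or not value:
        raise ValueError(f"token has no usable '{claim_name}' claim")
    return value


def ident_matches(identity, pg_role, entries):
    """pg_ident-style check: entries are (system-username, pg-username).

    A system-username starting with '/' is a regular expression and the
    pg-username may reference its first capture group as \\1.
    """
    for system_name, mapped_role in entries:
        if system_name.startswith("/"):
            m = re.search(system_name[1:], identity)
            if m is None:
                continue
            candidate = mapped_role
            if "\\1" in mapped_role and m.groups():
                candidate = mapped_role.replace("\\1", m.group(1))
        else:
            if identity != system_name:
                continue
            candidate = mapped_role
        if candidate == pg_role:
            return True
    return False


def authorize(token, claim_name, pg_role, entries):
    """True iff the configured claim maps the token holder to pg_role."""
    try:
        identity = select_identity(jwt_claims(token), claim_name)
    except ValueError:
        return False
    return ident_matches(identity, pg_role, entries)


# Constructed sample: an opaque, provider-generated "sub" next to a
# hypothetical custom claim "pg_user" that the tenant chose themselves.
OPAQUE_SUB = "7c1d2f0e-3b9a-4b8f-9f6e-0d1c2b3a4f5e"
SAMPLE_TOKEN = make_constructed_token({
    "iss": "https://issuer.example",
    "sub": OPAQUE_SUB,
    "pg_user": "alice",
    "email": "alice@example.com",
})

# Constructed map in pg_ident spirit: one literal entry, one regex entry.
IDENT_MAP = [
    ("alice", "alice"),
    ("/^(.*)@example\\.com$", "\\1"),
]

# The workaround the mail describes: after the first rejected login, the
# admin looks up the opaque subject and adds it to the map by hand.
IDENT_MAP_AFTER_MANUAL_FIX = IDENT_MAP + [(OPAQUE_SUB, "alice")]


if __name__ == "__main__":
    for claim in ("sub", "pg_user", "email", "missing_claim"):
        print(f"claim={claim:14} -> {authorize(SAMPLE_TOKEN, claim, 'alice', IDENT_MAP)}")
    print("sub after manual map entry ->",
          authorize(SAMPLE_TOKEN, "sub", "alice", IDENT_MAP_AFTER_MANUAL_FIX))
```

With `sub` as the configured claim the opaque id matches nothing until an admin adds it by hand; with the tenant-chosen `pg_user` claim (or a regex over `email`) the same token maps on the first login. The `claim_name` argument is the knob that a server-wide GUC fixes once; a per-HBA-line setting, as discussed above, would amount to passing a different value for it per matched line.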