From: Zsolt Parragi
Date: Wed, 17 Dec 2025 23:52:57 +0000
Subject: Re: Custom oauth validator options
To: Jacob Champion
Cc: VASUKI M, PostgreSQL Hackers, david.g.johnston@gmail.com, Robert Haas, myon@debian.org
> I forgot to mention in my reply to Zsolt, but we've supported inline
> inclusions in HBA for a few releases now. (I just frequently forget
> they exist.)

Thanks, I didn't know about that feature; that solves half of my problem.

> What's the case where a user has multiple HBA lines that
> all want to use unrelated claims for authentication to one Postgres
> cluster? Is this multi-tenancy, or...?

For configuring the authn matching, yes, the use case is multitenancy. But for some other variables that we didn't implement yet, this could be useful even without multitenancy.

One thing I mentioned in the previous email is the client id validation. A practical use case of that would be restricting which oauth clients can log in to which database. I can't use a SUSET variable with a check restricting it to ALTER DATABASE, because database-level variables are not yet available during the oauth validator callback. I could use a login event trigger, but that seems like a bad hack to me.