From: Zsolt Parragi
Date: Thu, 18 Dec 2025 20:29:20 +0000
Subject: Re: Custom oauth validator options
To: Jacob Champion
Cc: VASUKI M, PostgreSQL Hackers, david.g.johnston@gmail.com, Robert Haas, myon@debian.org
> I think I need to do more staring at the intersection of GUC
> registration and session_preload_libraries, because my memory of the
> order of operations was faulty. I won't be able to do that before the
> holidays, most likely.

Maybe I'm missing something, but why do we need session_preload_libraries? oauth_validator_libraries is processed earlier; it can already define sighup GUCs, and it should also work with a new level around that. I assume that if postgres gets another authentication plugin point later, it will be executed around the same place, during authentication, so that also shouldn't be an issue.

The question is whether non-validator libraries should be able to define PGC_HBA variables. If yes, then either:

* we don't validate that all HBA variables are valid - if somebody made a typo, we can't detect it
* we add a sighup GUC with a manual whitelist
* we require shared_preload_libraries or oauth_validator_libraries, because those are loaded before or during authentication
* we require session_preload_libraries. We proceed with authentication even with unresolved HBA variables, but abort the connection if there are still unknown parameters after loading session preload.