Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1viINr-002Zt0-2m for pgsql-hackers@arkaria.postgresql.org; Tue, 20 Jan 2026 20:31:28 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1viINq-003BMf-32 for pgsql-hackers@arkaria.postgresql.org; Tue, 20 Jan 2026 20:31:27 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1viINq-003BMM-1L for pgsql-hackers@lists.postgresql.org; Tue, 20 Jan 2026 20:31:26 +0000 Received: from mail-yx1-xb133.google.com ([2607:f8b0:4864:20::b133]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1viINn-001TjT-26 for pgsql-hackers@lists.postgresql.org; Tue, 20 Jan 2026 20:31:25 +0000 Received: by mail-yx1-xb133.google.com with SMTP id 956f58d0204a3-6493937c342so1591378d50.1 for ; Tue, 20 Jan 2026 12:31:24 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1768941083; cv=none; d=google.com; s=arc-20240605; b=k5SXE5kBoIO2Pm1fecigSHTaSjloyUxApHOxNMgyY/4ltGTVk0i3aQFzG75fds8Z2b EZv+/hXWAmxpNDr+Ji6IrmAoDA/olK/RHLQgR2r1RNc6tlSKnDvAnPzoZsdhRSMCOSgV YSHneLREpZKIscpTFnJXhpSwLBJErJWSyIiIBFGeEoSuHsiP32iEvE6I0lyYpItimnuI i67a9ZpDf5dOqx8tsSLhRw49idUcDO28CsJ2Y/nfhK9rAlyqGubTPa16+z6Q84+rl1pL eutmHao0eiqPalPS3rsdMljskiiAjDgvb1fQBVcREnHO0G7OUzl5QOmBMDQ3hF1uK67/ dNRQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=IdgtfkxCbzRzL4wOVUKMMBpHtPsVLrl86LgQVlAai/0=; fh=smtt8mwBrYDUEki4gmwUjaVTzHqN84hDrWuSya0D9Lk=; b=Cka3Pc16KIH1jjAdvL5ZEwPuiPaEqzOqKv3LycmMfQGawJ94hyE3PD/kguwRl38BkS gNdeYKmLMtWXp9tVrNJ+P69SanbCqaJOjj3pPTB+j4+Wr48yDgYaDrqFofyxXULmo6DY GVqSZNs0YDiAf4EG2FNPX/iPRXig3G/1lYUzXV908g3a/hDucqO/PfBMGRnWvAMDAm9a i5qL+icjPFrsUzC4aNTtbEXjeAOBLV3tJBhmehAxo5e7bDwMYAxvWK8pAEafai0DSteL lMZhBoEf/xF1Kv9GrLiZO9o0zLO9bK1qYXNbb/rg1ZkpaiW3JU8i849eH7vJeuMOEibM B3uA==; darn=lists.postgresql.org ARC-Authentication-Results: i=1; mx.google.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=percona.com; s=google; t=1768941083; x=1769545883; darn=lists.postgresql.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=IdgtfkxCbzRzL4wOVUKMMBpHtPsVLrl86LgQVlAai/0=; b=WHkR+auHEEaHXcXRGgBZi6TVDxHTFUwv7Mc7hzt/MdHSF41eW440nDSX/Mdbv/pmzb oBA5CBQviYZ/ao09Yc+aBZI6GqAprbL/HDthP3TRZmbo1H74ICPSF1WrAaBM9tDeK6LQ FSPAw6p54AL8Zv0a0+I6vmBObs6mEk7o2WZvM= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768941083; x=1769545883; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=IdgtfkxCbzRzL4wOVUKMMBpHtPsVLrl86LgQVlAai/0=; b=iuV6gKJGrLm/GfWfbxPgEm9d7q8b+ho+MlwbSzJzRXqxfbqbTRdSvvWNywOdnsLoD5 TUPFhYH88fFlvc48Jf4qWoAYlJ2wClbzlQM1E3zWZUyuHw/SCw1OPRRLf7B3CjVsiiD0 lvJIv80E/8Gi8x/2DDJ5o80K7g1qeCepbUrgYY0QQbCDjDOMoSeICGXKJit6glavzhme b5NgaoWgRrCSnrPoOpoBE44QB4Yv8cZqAdaZpSOX2DxCMfiTh9QRUssbkwM9b+siFsJr dAkmvAWNmSBdHvmgD7zLEmQY5Z/F6UKERXh2N/66zBzxeh6ys33S9Zby63s6BCg9wwDi 23Wg== X-Forwarded-Encrypted: i=1; AJvYcCVslhOW2T5J6BrAvFX61HQirWjpx0F/wggDptcGJGOb8VnqXZF25fPJFM7ojlRD8pFUjb2Sx8zCg5Dm45V0@lists.postgresql.org X-Gm-Message-State: AOJu0Ywj3D/Adf1+kKzBJTURQ3DKdEWucQviMgk1YoeHIgf5XDECTnmd QcczGyMZNkB5J8VRJ9bHF+FeLZdLqtxHD95YUFDgCG3uHHd8BEgLdtGToo2XZQiVxYpCDShbCTT zFwYslEbVhrEtzFnhkfDAJ/meabc1qofT1G1X4OqiHEnCh2lSKF4DYQR7go6LPFeZdQhpK72yZJ S3s4ZAoqn+OsUR8AgIn8mju5/LUmCODRaHnFsEBPmpKegX8lYxVuKj1m7W7eCQzCQ7JP4Tm1MaY o302XlX0Db+LHOadOoBa08fsuHplQU6l0VGx8M/CpXI7Udl75FwZ5HZpRJvKhg/Stk= X-Gm-Gg: AZuq6aKar6q+gSI5cg9JRr2bHKdZISl9iNocMWdOSvxGGByEdUWqNi3XDDX9wz3oich FwF0CSiTV73Z6bKj08tt/cFiPpC8UD2KcoIrnh8xKeV2bjA4DMnm+xF9I+lpIgzQO5TdvFtfgiR NnTJkN0OLxlHamXLebzE727fjaj59mKWJ2JcjI/vKbt5nZqiIpKxJvrAglooFRv5YGOyDYgSJeQ jXj9yhZOUMg3/TqTxRQL+yLUYdbmCkaAl6it/YbfBHoe05uOhOYjju3dIUHDmpHVKAwrzc0YjKG 65Z0TmxK1qVC9MWfR0jWKvvl5LrDce+Ybx4UTA5mc3btPil04UXQ7Hdn X-Received: by 2002:a53:ce86:0:b0:642:b37:ff94 with SMTP id 956f58d0204a3-6491770532emr9691750d50.31.1768941083233; Tue, 20 Jan 2026 12:31:23 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: Zsolt Parragi Date: Tue, 20 Jan 2026 20:31:11 +0000 X-Gm-Features: AZwV_QgikQo823duKaYBLARgJlmVtCzo7MbDO2NsHVcOOJe2AwuCIQcbzOW45Iw Message-ID: Subject: Re: Custom oauth validator options To: Jacob Champion Cc: VASUKI M , PostgreSQL Hackers , david.g.johnston@gmail.com, Robert Haas , myon@debian.org Content-Type: text/plain; charset="UTF-8" X-CLOUD-SEC-AV-Sent: true X-CLOUD-SEC-AV-Info: percona,google_mail,monitor X-Gm-Spam: 0 X-Gm-Phishy: 0 List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk > I'm not sure I've solidified my thoughts yet I can wait if you would prefer more time to think about the problem, I can work on other things in the meantime and we still have several months before the code freeze. I mainly wanted to share my findings with this experiment, and that was also a fun side project to try. > 2) do you agree with the above? Yes. I'm fine with not verifying everything perfectly (or as close as perfectly as we can). I like my currently submitted version better than the child process verification version, but I wanted to see if it is doable or not, and to see what challenges there are. > But if someone decides in PG20 that > pam_use_hostname is a good GUC name for something, we're in trouble, > because the existing HBA options do not plug into the GUC system. We could make them reserved names? Or maybe even accessible as GUC variables, even if we leave the current parsing/validation logic as is. Making them proper GUC variables seemed like a clear follow up patch to me, even if not for pg19. > I'm worried that it's about to make a different decision from the > decision that is being made for the pg_hosts.conf file for SNI. I probably should read that thread in more detail, but I assume that your worry is about pg_hosts being a hardcoded configuration instead of using a similarly customizable GUC context? Shouldn't that be fixable in the future similarly? > 3) can your option (b) or (c) make enough use of existing GUC > infrastructure, so that a future PGC_HBA could easily subsume an > OAuth-specific solution, if people want to continue down that path in > a less OAuth-centric thread? I'm not sure about reusing existing GUC infrastructure, but I could make it look similar from the users perspective for example by adding a function DefineCustomValidatorStringVariable that has a similar interface to DefineCustomStringVariable, and in the future, this function could simply forward to DefineCustomStringVariable. That would limit the variable to be only definable in pg_hba, not postgresql.conf, but otherwise should work similarly for validators/users. I think this would be a larger patch than the real PGC_GUC, but it would be limited to the pg_hba parser. > 1) how close to the sun do you feel like flying today? Now that I have tried the PGC_HBA approach, I like how that works and integrates with everything, this is a much better solution than my original ideas. On the other hand, it would be great to get something working in PG19. By that time more libraries/tools should actually start to support oidc, and we will see more use of the feature, and the way we configure these parameters is important for the validators.