From: Zsolt Parragi
Date: Mon, 3 Nov 2025 16:53:35 +0000
Subject: Re: Make PGOAUTHCAFILE in libpq-oauth work out of debug mode
To: Jacob Champion
Cc: Daniel Gustafsson, "Jonathan Gonzalez V.", PostgreSQL Hackers

I was thinking about asking something similar. In our case, we have two
problematic use cases: quick demo setups and CI.

When you start up a simple Keycloak instance, you have two easy options:
either use http, or self-signed certificates.

For a CI setup, I can create disposable containers, generate self-signed
certificates, make the OS trust them, and run the tests that way. But
it's complex, and even if it were simple, it's not ideal for a quick "how
to set up a test environment" guide. I also considered creating a demo
docker-compose setup, but even with that, I can't make the user's browser
trust the certificates.

I also do not want to instruct users to specify this variable, as it
provides tons of debug output, some of that is sensitive tokens, and the
users might not know that.

> The reason I ask is that we'd briefly talked about splitting
> PGOAUTHDEBUG into more granular settings than just "off" and "UNSAFE".

That's more similar to the direction I considered going; I was thinking
about adding a PGOAUTHDEBUG=http option. That way there's no need for
self-signed certificates, and it's easier to explain to users that this
just allows a less secure quick http setup.

On Mon, Nov 3, 2025 at 4:25 PM Jacob Champion wrote:
>
> On Mon, Nov 3, 2025 at 6:24 AM Daniel Gustafsson wrote:
> > If we do allow this (IIRC we did discuss during development to allow this but
> > erred on the side of caution)
>
> Yeah, the replaced comment explains it.
> The assumption is that
> whatever device you're using to log in (presumably a browser, not
> Curl) has to have the certificates figured out for production use, so
> overriding it for Curl alone is probably only good enough for dev use.
>
> But I ran into this annoyance (wanted to override the CA for temporary
> development purposes, got sprayed with debug output) during a demo
> just last month, so I'm in favor of doing something to make this
> easier.
>
> > it should probably be made into a env var *and*
> > connection param setting like how libpq is otherwise configured?
>
> I'm still not quite sure about the target audience. If it's just for
> developers, I don't necessarily see a need to take up connection
> string space (or provide our proxies with yet another setting to worry
> about).
>
> Jonathan, the patch itself claims to handle two cases. What's the
> production use case where a company has its own CA isolated from the
> Internet but isn't willing to add that CA to the system trust?
>
> The reason I ask is that we'd briefly talked about splitting
> PGOAUTHDEBUG into more granular settings than just "off" and "UNSAFE".
> So if this is a developer-only thing, we could maybe put some more
> design work into the list of debug features. That list currently
> includes the stderr spray, turning off HTTPS, allowing sub-second ping
> intervals, overriding the CA, debugging libpq-oauth link failures,
> counting the calls to the flow -- all of which run the gamut from
> "completely unsafe" to "completely safe".
>
> Thanks!
> --Jacob
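
An added illustration (not part of the thread and not libpq code): one way the granular PGOAUTHDEBUG idea discussed above could be parsed, so that a value such as `http` relaxes HTTPS without enabling the token-bearing stderr output. Only `UNSAFE` and the proposed `http` value come from the messages; the other token names, the bit layout and the fail-closed handling of unknown tokens are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical feature bits for a granular PGOAUTHDEBUG; not libpq's names. */
enum {
    DBG_TRACE     = 1 << 0, /* stderr output, can contain tokens */
    DBG_HTTP      = 1 << 1, /* allow plain-http issuer (proposed "http") */
    DBG_CAFILE    = 1 << 2, /* honor a CA override */
    DBG_FASTPOLL  = 1 << 3, /* allow sub-second ping intervals */
    DBG_CALLCOUNT = 1 << 4, /* count calls to the flow */
    DBG_ALL       = (1 << 5) - 1
};

static const struct { const char *name; unsigned bit; } features[] = {
    {"trace", DBG_TRACE}, {"http", DBG_HTTP}, {"cafile", DBG_CAFILE},
    {"fastpoll", DBG_FASTPOLL}, {"callcount", DBG_CALLCOUNT},
};

/*
 * Parse a comma-separated setting into a bitmask. "UNSAFE" keeps its
 * all-or-nothing meaning. Any unknown or empty token disables everything
 * (assumed fail-closed policy), so a typo never silently weakens a client.
 */
unsigned parse_oauth_debug(const char *value)
{
    unsigned mask = 0;
    if (value == NULL)
        return 0;
    if (strcmp(value, "UNSAFE") == 0)
        return DBG_ALL;
    while (*value) {
        size_t len = strcspn(value, ",");
        unsigned bit = 0;
        for (size_t i = 0; i < sizeof(features) / sizeof(features[0]); i++)
            if (strlen(features[i].name) == len &&
                strncmp(value, features[i].name, len) == 0)
                bit = features[i].bit;
        if (bit == 0)
            return 0;
        mask |= bit;
        value += len + (value[len] == ',');
    }
    return mask;
}

int main(void)
{
    /* Constructed sample values. */
    printf("http=%#x UNSAFE=%#x\n", parse_oauth_debug("http"), parse_oauth_debug("UNSAFE"));
    return 0;
}
```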