public inbox for [email protected]
help / color / mirror / Atom feedFrom: Zsolt Parragi <[email protected]>
To: Jacob Champion <[email protected]>
Cc: VASUKI M <[email protected]>
Cc: PostgreSQL Hackers <[email protected]>
Cc: [email protected]
Cc: Robert Haas <[email protected]>
Cc: [email protected]
Subject: Re: Custom oauth validator options
Date: Mon, 26 Jan 2026 09:51:02 +0000
Message-ID: <CAN4CZFPz-O+fCeSnwDcSd2vXfRT2tn1jG_BwNahYbyMmsAr2CA@mail.gmail.com> (raw)
In-Reply-To: <CAOYmi+nhh-fChn-8K7HV4kwVwsTm_gVy5jBgUBMqfM6Hm5E4zg@mail.gmail.com>
References: <CAN4CZFM3b8u5uNNNsY6XCya257u+Dofms3su9f11iMCxvCacag@mail.gmail.com>
<CAE2r8H55geNFtECuFunpgn0LJK2+rntGuTeqNr6mP7gGhWFRbA@mail.gmail.com>
<CAN4CZFP_2fe2-18wUoXDZodV8suVe9o++pv=hP8KxxvWkmCx7A@mail.gmail.com>
<CAOYmi+kMuA7t9ao6rWZ=5kn_Zmd7qtwOay_ocEBXwkzKWbefhQ@mail.gmail.com>
<CAE2r8H439jg+e5gXJpNNMoroe4CfWauDRfUBZC_9NUNTOhqzBQ@mail.gmail.com>
<CAN4CZFN9RMF_79kx75SkQZezd91DocUzz89bJeBJrMO=uNuG2w@mail.gmail.com>
<CAOYmi+krPZDC8K+9z64M2EY9fELTKzLbqw8fD_wK=87YV+TBgw@mail.gmail.com>
<CAN4CZFPvjAt+eZJd=Rxp=yXRjva8CpJ_BbnF=vQW6uXCqfrjEg@mail.gmail.com>
<CAOYmi+nbCrvcE9wLQdNCgMwDbbi_UzGYrzfC54txmMBJ9KxO=Q@mail.gmail.com>
<CAN4CZFNywvG59B+nBgD1_1fHE2uODBH3EcF_gwLmC7Y5U6Ru4Q@mail.gmail.com>
<CAOYmi+=-OdzHMzqg9i8TwYvgKwE-vroj0d-9SqnRnwbz02SgTg@mail.gmail.com>
<CAN4CZFPo1POb9fWMihTACFxE=xSxKEANHRkxN4YbMMN-0SML=w@mail.gmail.com>
<CAOYmi+kVAiKf=WrnyzGxCmx-uu=arPE0=+Mf_AOhuTzkvCNC2w@mail.gmail.com>
<CAN4CZFMeTuH4uANV1bOox0d-1mycCnyghY49cL+E8PYZ4Y=0Kw@mail.gmail.com>
<CAOYmi+nKQ_7+pWSzw=rP2_T9UL=URHBsKq005BDeMmmC_=PV8g@mail.gmail.com>
<CAN4CZFM8TgqDi=5Bot2imtd2heGESjpMfQ7kW4qeFSjO7NTAQQ@mail.gmail.com>
<CAOYmi+kVCWCbf+yjmFSeddmqxgYTO5vU+CqwFq6EbpyLkpW=Bw@mail.gmail.com>
<CAN4CZFNt3WVPsORSFfdZo3nYn9Fa1-CkKKdu3_gVNpw4jbenjg@mail.gmail.com>
<CAOYmi+n9+VDNayxsZuG30YLxOXrVB2Wu=jBR4WrEdJvxjTATKw@mail.gmail.com>
<CAN4CZFP2N=+bqJL7PUiy0DR0dGwbdd1Na0rdMCpzdpaH50O87w@mail.gmail.com>
<CAOYmi+nhh-fChn-8K7HV4kwVwsTm_gVy5jBgUBMqfM6Hm5E4zg@mail.gmail.com>
> Hmm... we may want to discuss my (e) option derailment more seriously,
> if we're planning to go in that direction (and if other people like
> that direction).
I know you wrote that you are only half serious about it, and I
definitely do not want to go in the "lets completely refactor pg_hba
in this patch" direction, but keeping that idea in mind seems like a
good idea to me. The choosing authentication method part would already
be useful with OAuth, and now Joel also started a thread about fido2,
which also brings the question of MFA. Pluggable generic
authentication would also require generic GUC variables at this level.
Scoping validators to a specific prefix fixes the collision issue, but
it also goes in a different direction. Because of this I like the
other alternative idea (DefineCustomValidatorStringVariable) better,
if we want to go with a smaller change for this, but I still have to
implement that and see how it behaves in practice.
> "Fixable" in what sense? pg_hosts.conf is currently similar to
> pg_ident.conf in that it has no place for key=value pairs, and if you
> add them after as an optional "column" for compatibility, you still
> have to write something for all of those columns that you were trying
> to replace with the GUC settings.
pg_hba has the same issue, even if it has custom key=value data
already. What I meant is similarly how we could turn currently hard
coded pg_hba settings into GUC variables, the same is doable with
pg_hosts, either at a separate level or integrating it into the HBA
context. And later either both should get a new line style and
deprecate the old one, or maybe these settings should be configured
completely differently.
view thread (7+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
Subject: Re: Custom oauth validator options
In-Reply-To: <CAN4CZFPz-O+fCeSnwDcSd2vXfRT2tn1jG_BwNahYbyMmsAr2CA@mail.gmail.com>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox