Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1vkJFe-00DUC9-1U
	for pgsql-hackers@arkaria.postgresql.org;
	Mon, 26 Jan 2026 09:51:19 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.96)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1vkJFd-007EFN-19
	for pgsql-hackers@arkaria.postgresql.org;
	Mon, 26 Jan 2026 09:51:17 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <zsolt.parragi@percona.com>)
	id 1vkJFd-007EFF-02
	for pgsql-hackers@lists.postgresql.org;
	Mon, 26 Jan 2026 09:51:17 +0000
Received: from mail-yw1-x1132.google.com ([2607:f8b0:4864:20::1132])
	by magus.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.98.2)
	(envelope-from <zsolt.parragi@percona.com>)
	id 1vkJFa-00000000WLq-1QS0
	for pgsql-hackers@lists.postgresql.org;
	Mon, 26 Jan 2026 09:51:16 +0000
Received: by mail-yw1-x1132.google.com with SMTP id 00721157ae682-79405b3485eso36562527b3.3
        for <pgsql-hackers@lists.postgresql.org>; Mon, 26 Jan 2026 01:51:14 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1769421073; cv=none;
        d=google.com; s=arc-20240605;
        b=FDWTqHYC7ItDnw/iuCg2NxaiaAxqsCico+qBK4uq8fZG8VNLoYTz7LBpaZfaKeUy4M
         bN53DRWefvG6lNosPTjn2ZbNwbxX3ctd+jAggahO/P6gWbxTMA7OZ0iMPR84CD+1dU9l
         ObEpmG+CKHIx5Nq/nv4PcOLWZZNIsyOYPrdpcNea2LW4nR6aOwn/q2pTSP4gVTKkAHUV
         HGHqmyLj9rjFdbBKDovCDEBOI14cHcmcCLlQdxSPXsUdRBPAUQ6+AhcsA26uyTkEkQpP
         2uIqvWVCz22tOK5J4aU/wegQ4cE03dGE0gEGij5e8/WY/gDquVmBkGx0f6jsGz0lcByi
         y2wg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:dkim-signature;
        bh=GY/suUU8Spgext1F4PJaZtKy00ZZ1Rb7XFZ8vDwmx64=;
        fh=IClpPnmvJMDDQ8HiL3aqJTvjCZebBTeCI+xAjFWLPj8=;
        b=Czaq/Q2463iaGnm+ZJKUxfExhKIxLa48Ks1MoyitrY+50pNjkdKL5le/qlSc1LJcvT
         pCT0D+L5TRJ3eeZBXDjk9HQ+sbvLYDWMisJS3P4phPEvqjxQnVMbKTFwyf3TEz+GP+x/
         wf0UXoTVCDRW8ecRvR1wgesUOPkIakYKoo+q+1h4Z+m+/DQwZ7tgPE5fxCw+sx2WKBAM
         nBjLCcVWIkXTilKtfxxfSgjB/p2IOGRjPYV1JnReyddMsaYrKpoqjzaL3jOASU6nueBu
         l05xkVOXVzQdnlpO7dGZJtzc7bTOToUd4/lr+g+yY8QcWZror44ZX6J14zD8OWpfpk8N
         3tUg==;
        darn=lists.postgresql.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=percona.com; s=google; t=1769421073; x=1770025873; darn=lists.postgresql.org;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:from:to:cc:subject:date:message-id:reply-to;
        bh=GY/suUU8Spgext1F4PJaZtKy00ZZ1Rb7XFZ8vDwmx64=;
        b=IGPXPPKUPkepY1ZJWYp4BD+of3Iuzp9kH2vMyQNdjjcziYH8dwnvrFwiipl13dHYlH
         ySbQ8pb8gTfclipfBYn4XTbDtdX3MikTHrJO8ktIx4e8psaOwqhvq00zL797Wu6bgftC
         btPrYz+1rA4/HnFJv+G9QrqInvxpvN9ZUxrQU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1769421073; x=1770025873;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=GY/suUU8Spgext1F4PJaZtKy00ZZ1Rb7XFZ8vDwmx64=;
        b=hU4ScfVY4ifsIfxxhqCsVIndMMj10hTUZCdxnINmlSrBBvYWnqssdvKca4YebEutbK
         6QZDCquollUVMg5k0GjdPerhKW7M+QrbNMoFqtvBBfJbyQIxDBYawBLwBErySggeMUAS
         7/LbbYRyMJJT3fVtaFPyCi3eApySmNup7SyTLxHeqW7rXe7e6FEOEgwkc1TSja0LBbYz
         Wj6PiGBPmf2s+2nyQczUIwk8avZ+GfiP+dx8aGs4AvM07mNHr3MNRSc4W9JE8Qni8Sd0
         dPFOeYhX0TbpY1nq9v+P8S9xom5hVBEqSGyTZL3UJ1vPbZr5MxVlL/Z9mCA3Z+N3XD1S
         Udag==
X-Forwarded-Encrypted: i=1; AJvYcCUeOHaghpdFMpufwIr+ousFR4eD3NUeMVTvRDpkCdhs7lXj0U7K/yZl+GZFxnunJ6F5GW0+C+Utnmxwuvb2@lists.postgresql.org
X-Gm-Message-State: AOJu0Ywe+uA7udXMMU+1y/Hn0zVjwtqKF6Jbs/uZ5WVgS4GAG5E0trgK
	bMmpPSxepSZoa29NQv8bLWTwUT40R04s6lmpWObLEflDK2ZVAcEkHuhFV5XYNWBbeJVhbmXkkTc
	KCriyD8mToz1kQa/s/MZ+ojmFUr5kynpUM81ysYzvHY2mRa7V1FScrFypO+fCzWGvn9QU5IS0Jb
	OHKQIH6G9pNSF96/ZsAfX8XkK/BFgY4KfvxaLXn3vQngkNURO9q/h/4GuJCglxqWBR9t3bTGhAs
	yo7L7wmI+6xskL8kORCryzwHPSPB35NlGsHTe4OL3J+owthz7Yi7wzfJN/G32ngggQ=
X-Gm-Gg: AZuq6aLQ/BDhAnVr6YZOSlkwzEG99A4bNdUz4ri2PEv4Uoo6C6KOXVfnG+1OlvT6kJg
	zHODIGu0yQ4+Mgp45vdfNjVTY7g7vKuxIrUydDH8aeTceDt/Z420EnvYCZpXRktg6dYdDfwxfBc
	CxzYqYcEsvKIyI61SVmutx1+FBZFnoEW016zw/aE5h7Ov0vHQjylevy/dYKv7HFdFhZVZK63eMF
	re+WHSnmE5P/6qd9H9QpmHcnF/+0IgI8pNCmug2xk9xiOIk4dWgA31zJzhzfZyP8xJT0RXaZh9z
	GbdtL3wUe8IfRbAf2GQ3xcHSh3Ud+10+E7fcM9P7X52EP2t8BgOh0hJtNlVaOU1neWY=
X-Received: by 2002:a05:690c:c512:b0:784:8153:c61a with SMTP id
 00721157ae682-7945a964479mr32120617b3.34.1769421072734; Mon, 26 Jan 2026
 01:51:12 -0800 (PST)
MIME-Version: 1.0
References: <CAN4CZFM3b8u5uNNNsY6XCya257u+Dofms3su9f11iMCxvCacag@mail.gmail.com>
 <CAE2r8H55geNFtECuFunpgn0LJK2+rntGuTeqNr6mP7gGhWFRbA@mail.gmail.com>
 <CAN4CZFP_2fe2-18wUoXDZodV8suVe9o++pv=hP8KxxvWkmCx7A@mail.gmail.com>
 <CAOYmi+kMuA7t9ao6rWZ=5kn_Zmd7qtwOay_ocEBXwkzKWbefhQ@mail.gmail.com>
 <CAE2r8H439jg+e5gXJpNNMoroe4CfWauDRfUBZC_9NUNTOhqzBQ@mail.gmail.com>
 <CAN4CZFN9RMF_79kx75SkQZezd91DocUzz89bJeBJrMO=uNuG2w@mail.gmail.com>
 <CAOYmi+krPZDC8K+9z64M2EY9fELTKzLbqw8fD_wK=87YV+TBgw@mail.gmail.com>
 <CAN4CZFPvjAt+eZJd=Rxp=yXRjva8CpJ_BbnF=vQW6uXCqfrjEg@mail.gmail.com>
 <CAOYmi+nbCrvcE9wLQdNCgMwDbbi_UzGYrzfC54txmMBJ9KxO=Q@mail.gmail.com>
 <CAN4CZFNywvG59B+nBgD1_1fHE2uODBH3EcF_gwLmC7Y5U6Ru4Q@mail.gmail.com>
 <CAOYmi+=-OdzHMzqg9i8TwYvgKwE-vroj0d-9SqnRnwbz02SgTg@mail.gmail.com>
 <CAN4CZFPo1POb9fWMihTACFxE=xSxKEANHRkxN4YbMMN-0SML=w@mail.gmail.com>
 <CAOYmi+kVAiKf=WrnyzGxCmx-uu=arPE0=+Mf_AOhuTzkvCNC2w@mail.gmail.com>
 <CAN4CZFMeTuH4uANV1bOox0d-1mycCnyghY49cL+E8PYZ4Y=0Kw@mail.gmail.com>
 <CAOYmi+nKQ_7+pWSzw=rP2_T9UL=URHBsKq005BDeMmmC_=PV8g@mail.gmail.com>
 <CAN4CZFM8TgqDi=5Bot2imtd2heGESjpMfQ7kW4qeFSjO7NTAQQ@mail.gmail.com>
 <CAOYmi+kVCWCbf+yjmFSeddmqxgYTO5vU+CqwFq6EbpyLkpW=Bw@mail.gmail.com>
 <CAN4CZFNt3WVPsORSFfdZo3nYn9Fa1-CkKKdu3_gVNpw4jbenjg@mail.gmail.com>
 <CAOYmi+n9+VDNayxsZuG30YLxOXrVB2Wu=jBR4WrEdJvxjTATKw@mail.gmail.com>
 <CAN4CZFP2N=+bqJL7PUiy0DR0dGwbdd1Na0rdMCpzdpaH50O87w@mail.gmail.com> <CAOYmi+nhh-fChn-8K7HV4kwVwsTm_gVy5jBgUBMqfM6Hm5E4zg@mail.gmail.com>
In-Reply-To: <CAOYmi+nhh-fChn-8K7HV4kwVwsTm_gVy5jBgUBMqfM6Hm5E4zg@mail.gmail.com>
From: Zsolt Parragi <zsolt.parragi@percona.com>
Date: Mon, 26 Jan 2026 09:51:02 +0000
X-Gm-Features: AZwV_Qj8IN8ER5Ww7yk2o3cJxCs8K5wk_ci4q7yNnH57onsjWwJavMCsFrla1XY
Message-ID: <CAN4CZFPz-O+fCeSnwDcSd2vXfRT2tn1jG_BwNahYbyMmsAr2CA@mail.gmail.com>
Subject: Re: Custom oauth validator options
To: Jacob Champion <jacob.champion@enterprisedb.com>
Cc: VASUKI M <vasukianand0119@gmail.com>, 
	PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>, david.g.johnston@gmail.com, 
	Robert Haas <robertmhaas@gmail.com>, myon@debian.org
Content-Type: text/plain; charset="UTF-8"
X-CLOUD-SEC-AV-Sent: true
X-CLOUD-SEC-AV-Info: percona,google_mail,monitor
X-Gm-Spam: 0
X-Gm-Phishy: 0
List-Id: <pgsql-hackers.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-hackers@lists.postgresql.org>
List-Owner: <mailto:pgsql-hackers-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-hackers>
Archived-At: <https://www.postgresql.org/message-id/CAN4CZFPz-O%2BfCeSnwDcSd2vXfRT2tn1jG_BwNahYbyMmsAr2CA%40mail.gmail.com>
Precedence: bulk

> Hmm... we may want to discuss my (e) option derailment more seriously,
> if we're planning to go in that direction (and if other people like
> that direction).

I know you wrote that you are only half serious about it, and I
definitely do not want to go in the "lets completely refactor pg_hba
in this patch" direction, but keeping that idea in mind seems like a
good idea to me. The choosing authentication method part would already
be useful with OAuth, and now Joel also started a thread about fido2,
which also brings the question of MFA. Pluggable generic
authentication would also require generic GUC variables at this level.

Scoping validators to a specific prefix fixes the collision issue, but
it also goes in a different direction. Because of this I like the
other alternative idea (DefineCustomValidatorStringVariable) better,
if we want to go with a smaller change for this, but I still have to
implement that and see how it behaves in practice.

> "Fixable" in what sense? pg_hosts.conf is currently similar to
> pg_ident.conf in that it has no place for key=value pairs, and if you
> add them after as an optional "column" for compatibility, you still
> have to write something for all of those columns that you were trying
> to replace with the GUC settings.


pg_hba has the same issue, even if it has custom key=value data
already. What I meant is similarly how we could turn currently hard
coded pg_hba settings into GUC variables, the same is doable with
pg_hosts, either at a separate level or integrating it into the HBA
context. And later either both should get a new line style and
deprecate the old one, or maybe these settings should be configured
completely differently.