Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1w2XF1-000NOZ-1L for pgsql-hackers@arkaria.postgresql.org; Tue, 17 Mar 2026 16:25:59 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1w2XF0-00364w-1M for pgsql-hackers@arkaria.postgresql.org; Tue, 17 Mar 2026 16:25:58 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1w2XF0-00364o-0N for pgsql-hackers@lists.postgresql.org; Tue, 17 Mar 2026 16:25:58 +0000 Received: from mail-qv1-xf2f.google.com ([2607:f8b0:4864:20::f2f]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.98.2) (envelope-from ) id 1w2XEw-00000000dKH-1wl9 for pgsql-hackers@postgresql.org; Tue, 17 Mar 2026 16:25:57 +0000 Received: by mail-qv1-xf2f.google.com with SMTP id 6a1803df08f44-899fc265126so71267566d6.1 for ; Tue, 17 Mar 2026 09:25:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1773764752; cv=none; d=google.com; s=arc-20240605; b=OYuUTvVPbzz6Q/vP6kzIjneysgQmj/NZksrf6Pjpj8AiGq/6YRSncr42tErmi7+DMV QnlZWNmhiFjZ/wQf8R2oawMyWX2MzqG7rz+uwNCLBh4tqUbop5P+gdFs+QsPGHBDu5dm yu9mUFDUeYNZxp/KOywxKeCtTNsawVShxWRmxIcPRm7UVvZhn/4mQn9TXpLFGAqhOAga gIgociJTP9ew8Ns7g6YPbLnQhKsRwMVUo+PJRCoirwhIhvIAhmghPTFNxu4NIaV+OsmC 5CMV0LTlW5lkEgVSXdhsVhwQYRl881rpBF4c9lscAK2wd2mOENwQQmC+dxHHRZPnohFG yfaw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=/dDljAhB8R4emfTNs5KnWHoVpoQjcRbsX3MPcAFut7g=; fh=Ho04JElasz2OpcVUkLSkrb/a8HFrpendrQ0WRxEol10=; b=dt9ahst0sAH5Jx0ozuCQjB3j+k1ej8OPDjJ2xWwQmGI8qopCeQdh8qW6vVHkQWsARy FpDHdxb2bvM3b1LCT2xWTqVMXNH/j1xlXbVOuyV8Ardn+cICINntDB2F8E0BEZialIJL o9LlkpbHju7dQqbBqQKdbKP30v4xEbcWyLxhzZHZ3BL1C+GO6ueDgktCEBLl+a8daHGv d3P1QhV+VPwWjMkkLImAEAQLoHP9Zov4hMvGsxAxPsHECgiQlUsgv/0aL4jHXMD9iKja wUS3lOUqDtn6dKQEiJ+e3bQFT1ypNy5zNt33SjeiZDgMgoNAq5MrYbwLarKhOig3iwAT ENIg==; darn=postgresql.org ARC-Authentication-Results: i=1; mx.google.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=enterprisedb.com; s=google; t=1773764752; x=1774369552; darn=postgresql.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=/dDljAhB8R4emfTNs5KnWHoVpoQjcRbsX3MPcAFut7g=; b=C3hO2a7ZheehYbuBRqJYfbud8E8i3yNpvguB/wpiO6iJRtjFE1GLjvWIBJZ87hjtBf DEozNTthWgWXQyElOO7tRo5H5orJdz/d9O5Wv5+Cp52XPv0txSPx41lhWABsI9U9K9Oc BksAn2AhbazVZos1T1IYqiw2fhZ3ugJQ0yNUpkq8BbVQgzsa1/nrS3nXX5uL9mSEK9JZ mSljYvfPxFexwuYzGi7AmoK1nGDtt/V03ZKV34jCToi48mCJQ9Ggh4DomO4omhBRv0az IMpE5CJZjB3oFTZYU4zvYL+d+E1mNNfPDiXbz1FYuZKlS+4TKOLrZ0cMgIV64WCSFC8w el8g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1773764752; x=1774369552; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=/dDljAhB8R4emfTNs5KnWHoVpoQjcRbsX3MPcAFut7g=; b=OHMIZUfITT0/78VUDVrlzqdKXW8DZ1MNbuUXTU/FqG/FAevJPrJAcxl6c8MgEED7PH 4PZzz3cUikE7IYZ1KRPuf4z2dwwpB96FqLay91JRwruVWjhzpi60kys6fiUZutPKgNuk HzITMBaphJ6HuCtxYTYb28qUofSCQm/5Iolka9lR2RC/gg+MmGD5kAkRS1jND94VD8xX +SmPg2Ho5if/nDv+ExiD90y4E2RAVfJUsMk/VMGYY7b3NoBwb0uQi9oF3V5bed9OR1X3 sixs4fCJ4Rgr1YEv8BzqvAHWFWrpRK6xMDijoXkV0HuAUg5f9YVYUeZAl6qmx/RspP54 QVUA== X-Forwarded-Encrypted: i=1; AJvYcCXfVRSrcgEH0JbdhdXvDhQcQh3nk9XxsXmM3XdZyEwwk3qvmu0zKWnNcYDjtAAk3RwVMevIHpW9uRnToU6j@postgresql.org X-Gm-Message-State: AOJu0YxjfSz8xxN54bCTpB4qq2B33SGAu1IN3aXswhYfeIWmKFC0ytuo /Q9n+Uh19IqyRuNEVdX1UQiEabOru+GhnYTPkHUSPX4DhnG/JwmhCkEKr6cu+r7RQkv2bEqPXT1 DjgRJrwzBADvVWq09hgPqfc3+86HZs6xlwAHQDre4 X-Gm-Gg: ATEYQzy04WNM0o1VnZI/Uk5+4s5dRFPzeCgM0LyxDj5/gG40ffH/AcOm6ikUiQ2dXaf As4/HpEdaACtr82LjbgDxF0mzAHszJ0Ox1d02qTmoRH3XZQRMCeXDnSECc6czhRgQyiasPpMcrc zEQ1GaA6R4LPswal4QSZpZKyryZ0nygmhwQEEXUitl45F8Cm+4u+9C7zzGmwDqIYW8yj/E6uKkn Mic2HMwY4aSiqgYXF0xGr0Kc8M0wQv9ONrWvea3f1kw2aSUOkV6VoqCx0AVr1GqcqGTbWnKX/S+ D1HMkIrVzw== X-Received: by 2002:ad4:5ded:0:b0:89a:666:ad2b with SMTP id 6a1803df08f44-89c6b56bcf5mr2544386d6.27.1773764752453; Tue, 17 Mar 2026 09:25:52 -0700 (PDT) MIME-Version: 1.0 References: <7DB528BA-C7A0-4B23-890C-5332FB35A16E@yesql.se> <7094F798-8DD1-4974-9A04-10E147B29581@gmail.com> <15434512-B3FB-4AB3-B6B3-5D85ED0B4BBE@yandex-team.ru> <99C6E80B-8770-41C2-8084-BF3C7F389FFF@yandex-team.ru> <1B58D836-6B8F-4B9A-9B84-08965E5AA06B@yandex-team.ru> <1AB529D5-6F5D-426D-AB99-12BB7DD394D3@gmail.com> In-Reply-To: From: Jacob Champion Date: Tue, 17 Mar 2026 09:25:41 -0700 X-Gm-Features: AaiRm50Oa_zm6oq4713IxcRM272yXpBPnY_6-3vDdXzXb1Bm0wTIn-IR3kEv_bQ Message-ID: Subject: Re: Improve OAuth discovery logging To: Zsolt Parragi Cc: Chao Li , Andrey Borodin , Daniel Gustafsson , PostgreSQL Hackers , Michael Paquier , Tom Lane Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Mon, Mar 16, 2026 at 10:29=E2=80=AFPM Zsolt Parragi wrote: > > As far as I understand, for a programmer error, Assert should be used. = Why do we use elog(ERROR) here? > > +1 A couple reasons: - to keep it parallel with the similar elog directly above it - to strengthen the API boundary for an esoteric edge case without requiring assertions to be enabled I don't mind relying on assertions for (not an exhaustive list!) well-exercised code, or when performance is critical, or when the callers and callees are in the same source file, or when it's not a security-critical context... This would seem to fail all of those tests. I imagine some of the existing assertions in OAuth should ideally be strengthened into production checks, too. I've considered adding a "production assert" variant for our security code in general, client- and server-side. > I would also say that for CheckSASLAuth, specifying abandoned is > always required, since the caller can't know when it will result in an > error. That's not really true, because the caller hardcodes the mechanism descriptor. The layers above and below CheckSASLAuth are coupled via injection -- ClientAuthentication knows full well that a uaOAuth HBA entry can't be satisfied by the SCRAM mechanisms, and vice-versa. If that were to change in a meaningful way, then sure, the caller would need to always provide the currently-OAuth-specific-edge-case flag. (But in that case, if the caller somehow doesn't have to know the mechanism in use, we could presumably also centralize a single call to CheckSASLAuth().) > Have you considered adding the error level here instead, the same way > as in auth_failed, explicitly defaulted to normal fatal by the caller, > so existing code don't have to change it? That wouldn't need an > SASL-specific explanation or flag in the generic code. I don't think I can visualize what you're proposing. If you mean that CheckSASLAuth should set the elevel with an output parameter, I'd rather not; that moves the responsibility for a very critical assumption (we're ending the process now) across a bunch of different files. (If more things than OAuth need this eventually, maybe it becomes STATUS_SILENT_ERROR or something, to make it even more generic?) Thanks, --Jacob