Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vLnLT-00Ab1U-19 for pgsql-hackers@arkaria.postgresql.org; Wed, 19 Nov 2025 18:55:59 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1vLnLR-00Eeff-2v for pgsql-hackers@arkaria.postgresql.org; Wed, 19 Nov 2025 18:55:58 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vLnLR-00EefX-20 for pgsql-hackers@lists.postgresql.org; Wed, 19 Nov 2025 18:55:57 +0000 Received: from mail-qv1-xf2c.google.com ([2607:f8b0:4864:20::f2c]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1vLnLO-000O4d-1b for pgsql-hackers@postgresql.org; Wed, 19 Nov 2025 18:55:56 +0000 Received: by mail-qv1-xf2c.google.com with SMTP id 6a1803df08f44-88245cc8c92so691446d6.0 for ; Wed, 19 Nov 2025 10:55:55 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=enterprisedb.com; s=google; t=1763578554; x=1764183354; darn=postgresql.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=qYiAeYWTeRPxW0jnCmp+GkMkqTQ61GR4shpjULxqFog=; b=V2jZsqXl6jytDhRqlGf7arIvzTf1Uhw/NppvnblKlDHnCh+FQlMqu7IFy1fqBQJNT3 I1u0Pk6oAaWoA4zdUqduQK28Hr83nK+C3QITA+cNKLVqSrcJkK2j6ta6D1CP6wirmNAi nuI5rQeO4PtkrH8UN9m6rbUJ2ZSr+r5gBfXa+B1YPWb3+OiT/7cUbHCwCTMRpKfg2nMa jU/YW6rfTyLtWHzXmNrCG353pKGGOnzUeCGn8TbqfKBCT80lbFSmXk7XTkEribXy9aD2 muGKYCAllvBDR0G8yQRCFpQTT/xpSTvoKrf+TEhojc7DsszOhraLcWHo1eTFgwhW6kgL SwrA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1763578554; x=1764183354; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=qYiAeYWTeRPxW0jnCmp+GkMkqTQ61GR4shpjULxqFog=; b=KuHkMjbUlA2a5hnlyk9zhX8DCs7dvK67h4GcDiQKDVOZaKhUsaJJeiaep7zUybstvh J1UNx1MHnhtMQ0CWCyJ7rXX8/NU23MHX1GfpsaE5PlGL6fu53fsuH6/OWy31Qc4loYoQ YGku+csL1JuRSMfx/lYLNavznCv8xUfaiVUrmaet+ArutPuOrMvQcpBohSnTNqXIUQWL 6r1NSOluqgaKtihHFb6EWMzFThmAvsD43pa3d6mN9ZQhiAjw4SfiHvqG1hFBAfWuh5+u O0+2OxzI/5cwR1daFx6EIY64+ZkgtFfti+79sCSq4gJIAxIEpt2sYJwv2Peoij+MYGT7 ic7Q== X-Forwarded-Encrypted: i=1; AJvYcCXYxMHTj0mcPe+3xbwxkc6YG5UqPEWur9Yi6v05n4W2UrHXoVZfCYMWEA4jnl+PSsDv1qz07KBmffDrWPrx@postgresql.org X-Gm-Message-State: AOJu0YzALjooS7yof2XTJFtxOOEy+ypd3XPM4QLhNeDvHWn+s3bNk3f6 ikTUPV3VZOg19jLPlYsFnNawvjtFfmUC72CR38Bf94aGpu7fiKW4S9seHzqdEhoBm2x3NPQD4F4 wY+ksjsFqxZX87Y54UBma9WMl2j1LjJw7pQ/MekcT X-Gm-Gg: ASbGncukJWrccTXBTc3D6q5aVsoYg/j0Ls3cWvle+cUQN6Hxmcvcz2zqL4wkH5p13wO w2wzRtsjUSxZu7NXgU+SNz15jy6EuUfBhHMyVOVpJrHKqHd4hGvaNuGtqflx1Zxjr5deJ2S/CqI smsFYD4CPtqhqbjeqmSaNBBrrd8so0Sl6Qr1U0vzFLIOovbDhCg0e+sxID84sn8AZKPt2jZEIqp EwGKbD6OpseR7EY4q1EXLpwx58AW9k+/XwE9msWpQZIQbCJrGQLEDskl/ZTQHfWIbNsUcDgXA== X-Google-Smtp-Source: AGHT+IFb0UdDKUOR2L0eZKmD3jZNjME8jZGJ2n8vjDXJdynfXF8QcTlDvlRu122VCppJ+2lmZWUABclS0GcVaIyIBaE= X-Received: by 2002:a05:6214:2c09:b0:882:3c0c:a410 with SMTP id 6a1803df08f44-8846e1a24ddmr3562646d6.47.1763578554183; Wed, 19 Nov 2025 10:55:54 -0800 (PST) MIME-Version: 1.0 References: <16a91d02795cb991963326a902afa764e4d721db.camel@gmail.com> <3D82D240-1CC5-4CE6-BE30-6065B693D40C@yesql.se> <7a0e58c5fdaa3686ea0a157ff937fe38954cda8c.camel@gmail.com> In-Reply-To: <7a0e58c5fdaa3686ea0a157ff937fe38954cda8c.camel@gmail.com> From: Jacob Champion Date: Wed, 19 Nov 2025 10:55:43 -0800 X-Gm-Features: AWmQ_bnZc4sDqNSB1sTlT3F3tcv7Gayr9Nl79Ed8P1vduG57bn3aDRcz6Ju3Zws Message-ID: Subject: Re: Make PGOAUTHCAFILE in libpq-oauth work out of debug mode To: "Jonathan Gonzalez V." Cc: Daniel Gustafsson , PostgreSQL Hackers , Zsolt Parragi Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Tue, Nov 4, 2025 at 5:02=E2=80=AFAM Jonathan Gonzalez V. wrote: > * In Kubernetes, even with a network isolation, people use to prefer > having TLS connections, just because it's the standard, but in internal > communications (between namespaces and pods), these domains contain the > format: ..svc..local, as you can > already imagine, this kind of domain cannot be verified by an external > CA, but they can be generated and verified with an internal CA. Now the > question is, why they don't add this CA to every distribution? The > defacto standard way to do this in Kubernetes is to take the CA from a > ConfigMap or Secret (objects that can provide content inside the > infrastructure) and deploy this dynamically inside the Pod, so, to > indicate the path to this file, the standard is to use an environment > variable, in this case, if the content of the ConfigMap or Secret > changes, this will be refreshed inside the Pod too. Okay, that's good to know. But I'm still missing how the end user (a human) trusts that magic CA within the browser or device they use to finish the actual flow? > * Big companies like those managing credit cards or big banks, use to > have air gap environment, which may have exactly the same problem while > communicating internally, the CA cannot verify an internal domain, on > these cases the CA is usually moved around and installed in a specific > path and installed on specific path and not the system path (usually > because of compliant reasons), meaning that you will actually have to > provide with a variable/configuration/environment the path to the CA. Same question as above, but I'm slowly being convinced that this thread needs to remain separate from the PGOAUTHDEBUG split discussion, even if they're related. This might be a silly-small example, but I've added a stub spec: https://wiki.postgresql.org/wiki/Proposal:_Promote_PGOAUTHCAFILE_to_fea= ture > * Development cases, I think this is clear, but even when you're doing > development, you'll be using a self-signed certificate, but doing > developing and losing URL and the code it can be really common, it > happened to me many times and it wasn't nice looking for the code. Right. > * CI cases, here, you'll not have time to get a certificate to just > trigger an action against a one time domain, usually with a random > domain to not conflict with other CI running at the same time, and you > should never expose sensitive information on the CI output like the one > exposes when enabling PGOAUTHDEBUG=3D"UNSAFE" Who's running the CI, and how do OAuth and Device Authorization factor into it? (And why would a human user be okay with feeding their privileges into an authorization server with a random-looking host name every time they run it?) > > The reason I ask is that we'd briefly talked about splitting > > PGOAUTHDEBUG into more granular settings than just "off" and > > "UNSAFE". > > I was thinking the same for another patch that will require discussion > for sure, but it's something similar to add some levels of debug, for > example, when you want to have the tokens or when you only want to see > the URLs used to negotiate (which are really useful when working with > the OAuth flows) or the deep one when you want to see the tokens. I think that's reached critical mass, then. > Thank your for looking at this! Thanks for the discussion! --Jacob