From: Jacob Champion
Date: Wed, 17 Dec 2025 11:01:20 -0800
Subject: Re: Custom oauth validator options
To: Zsolt Parragi
Cc: VASUKI M, PostgreSQL Hackers, david.g.johnston@gmail.com, Robert Haas, myon@debian.org
On Wed, Dec 17, 2025 at 1:28 AM Zsolt Parragi wrote:
> Instead we decided to let everyone configure which claim they want to
> use for user mapping. But because of that, this is a GUC, and they can
> only configure it once per server.

We're getting closer; I agree that this needs to be more flexible than
it is, and I'm on board with a change, but I'm still missing the
"killer app". What's the case where a user has multiple HBA lines that
all want to use unrelated claims for authentication to one Postgres
cluster? Is this multi-tenancy, or...?

> I tried to propose simple things that are relatively easy to
> implement, and wouldn't change too much at once, so there's a
> realistic chance for this making it into PG19. I'm not against having
> a bigger goal, and continuing making it even better after that.

Absolutely -- that's a tried and true strategy. No objections to that.

But I also didn't want to stay silent on my longer-term goals here.
That way (hopefully), no one's surprised to find I'm lukewarm on
patches that are extremely OAuth-specific, or that don't give us a way
to improve/evolve later. The additional flexibility of OAuth should
ideally be mirrored in other auth methods when possible.

> > A hypothetical PGC_HBA context would seem to fit nicely between
> > PGC_SIGHUP and PGC_SU_BACKEND.
>
> How would you configure that since the hba lines don't have IDs?
> Should we add a "guc_name" parameter to HBA for this or something like
> that? I like this idea, it would be fun to implement and see how it
> works, I'm just wondering how users could use it.

I hadn't thought it through very far; my initial impression was that
we'd need some sort of additional syntax. But I keep coming back to
httpd-style configs and then I choose something else from my TODO list
to focus on. :)

See also the old conversation regarding LDAP hba/ident [1].

On Wed, Dec 17, 2025 at 1:36 AM Zsolt Parragi wrote:
> Personally I would go with either (a) or (c), and I was planning to
> clean up / improve / share my (c) patch as a second attempt for this
> thread, if it didn't receive any replies. I can still do that, so that
> we have multiple test implementations.

The more the merrier!

Thanks,
--Jacob

[1] https://postgr.es/m/CAOuzzgpFpuroNRabEvB9kST_TSyS2jFicBNoXvW7G2pZFixyBw%40mail.gmail.com