Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1w7M04-005DMq-1j
	for pgsql-hackers@arkaria.postgresql.org;
	Mon, 30 Mar 2026 23:26:28 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.96)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1w7M02-0075Ho-01
	for pgsql-hackers@arkaria.postgresql.org;
	Mon, 30 Mar 2026 23:26:26 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <jacob.champion@enterprisedb.com>)
	id 1w7M01-0075HX-2E
	for pgsql-hackers@lists.postgresql.org;
	Mon, 30 Mar 2026 23:26:26 +0000
Received: from mail-qv1-xf35.google.com ([2607:f8b0:4864:20::f35])
	by magus.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.98.2)
	(envelope-from <jacob.champion@enterprisedb.com>)
	id 1w7Lzy-000000024r4-1Zbf
	for pgsql-hackers@lists.postgresql.org;
	Mon, 30 Mar 2026 23:26:24 +0000
Received: by mail-qv1-xf35.google.com with SMTP id
 6a1803df08f44-899a9f445cbso58509006d6.0
        for <pgsql-hackers@lists.postgresql.org>;
 Mon, 30 Mar 2026 16:26:21 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1774913179; cv=none;
        d=google.com; s=arc-20240605;
        b=ZXxNTZ0Ffqtpx70ao0i6rKe3Mz0YLOGBFdc8Pn8NyQY6LZT8IiWZI9VGnrrm/AKLBB
         YnuQfwtfRVFsxhV1NSsUB1nx8RYyDvyGTPAXtIjYR8lG17VxrwWkqd1RgpN93GU6utB8
         e9FHCW6GTTzt1eZDB0EC4oa6JUB2680xbzTdVXZIS2rYl9DVhgq5MQVTiN9rqGN5ji7i
         9ruMVLb1SlmdYhm1uisZshE3PrRGbfwPh86jr/OgyIHmOWy1V5zwMvIYzXzjfqwcayu1
         8ZcoyzdwiOrBjGbBqRRGQeBiQ4bl5+iYY7ukQbo13Z7gDv4n5C0RaFxk39od8qFjjDu3
         yUwg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20240605;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=WtlTlgS9n8v4EGA2JUNr3fYOHOZkKJagrofiGzzZZdM=;
        fh=Uhl2MTexsexFzR1+X600UgWow4h7Z8f6vT6XJ84cwSU=;
        b=D6vS2r5xUDBhM/qmx29SkExJHCFpLgLwLVHH+RctuuTNPOlvLYINuiHjKTScTSp1yl
         n34tMUB+LFD9rK97b354rGq/lDXMrCPuJVpw24mavmDVqNS3zxL4OLAdlBuRU8P4uW8Y
         s+qzfzFhF7EpFFCXcr6k6lKgCV6uUDrQkI4HnQLw1FMYoYE8bhpwc12vC70+8KPfg6JC
         pUp1//W4Rz3ohrWLmkhLYjrdr+lzPASIa00yIWsH907njATozmYKL2xVgExHTVtWJGMd
         d6SJFhGGWuD2m/kSnyjrVKs11xAPTTjR1DpJrvUYw+ahWF+Zv78piUSAsiPAel9O2abf
         m4DA==;
        darn=lists.postgresql.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=enterprisedb.com; s=google; t=1774913179; x=1775517979;
 darn=lists.postgresql.org;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:from:to:cc:subject:date
         :message-id:reply-to;
        bh=WtlTlgS9n8v4EGA2JUNr3fYOHOZkKJagrofiGzzZZdM=;
        b=UHKq63X6LkSYQmdvQ7r45w4LzuQt5Q/7UrTAEbEAfBS0M7TOxMh+BhWprkT2w1a2pH
         aGA0cG0KPWcdFQcKL1wEjT0EVOAuwgSPKzDjQI21bLqQCXFMsHE+FzVGGCe6yGebGhVA
         rsEp27PHPh9zam2GFxnxA1X7+opAMKyB7KHIJzkVYBoZTINdpNBfNWET+b62551mxq9r
         Sm/pzlFgNlfmYSNsdbhCzU43ZSSWzUWzGKrw7wZgtkZELXJubmjr9fKBux0EqpKGa/sA
         vzwZNpj87dDy9gIbW4pMKCZu42QUvPpv9I6Kx8NfYQHw32lnY0CPtzNSAtZ3k7QJufRW
         Bt1g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1774913179; x=1775517979;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=WtlTlgS9n8v4EGA2JUNr3fYOHOZkKJagrofiGzzZZdM=;
        b=owUGjewEosfMkWktYarpfCbmFKRjjwBGsJ2YQ9xy8jm11q0eKiI7s/2mHwKWoLP45O
         /nbQA+fSw5qy0CNxdj7Ni8bFMcjoNXsktGq5YtbqkGRO0YVb+Cxh66exSn6xXdxAMHGz
         IiKiis3KmqmbtnnFgS6Gsjlr6epNfVZbjxmMeToJhSqLhZ15dLTXcfMM7Y3W+t0L3tty
         tyEsbkuMatUDNIbD4fVNtXQqzsAHx0PB11B1zaVpCH9MLG12t3DBWZen+gWMdqqPJeXi
         ieM0onTqafJfW4S9X5MzCdFf0vN/wLHces/1wwJR94AClVVovYAFEYg4gsmxIFg/65Fe
         2tRw==
X-Gm-Message-State: AOJu0Yw4rUAyNZr1kZOIE0catn9a8ewSjXd+esv8sImwy2UQNfXm37GE
	2ek/Rpb/458/YMaRB5+14UYnjdoXyyZ+PeI2Bv6SIt/x42gVAdkA8npsFCH30eCrvWbHkztSYUr
	kbACv9CRH0BfRzicGqeaXMG5FqZL5IaZkFdkTD0P8
X-Gm-Gg: ATEYQzyEwIO6jFVL8Ci6kMVtHfnAmsDnj8MTSBa2keuwPB2oPXL2WjiaA/Qd1P0DuT5
	3foE46cJq5GGkzZdaus16YHgi+qvUBi+MPpXr+9vE97ov72+8p0H8+kB9aV9KvdlbuCQ1TOkY50
	HnrufreE3AqhTqX+yDq/AcmDARHP/OvsuVe+Mkd/1zWak8P0CErye8bmw4OJqq1DaHuml2jQcTC
	ZHKX0FWJEBphwMcVxeI7nxnpiu/rw1Y9RbBWyRUzFmgjTSeRqrma2pwHLSIeGs2FSOYj6BV1ASU
	Wry7EcwNPQ==
X-Received: by 2002:a05:6214:528e:b0:89c:e5f0:8f33 with SMTP id
 6a1803df08f44-89ce8d586a3mr194544906d6.10.1774913179247; Mon, 30 Mar 2026
 16:26:19 -0700 (PDT)
MIME-Version: 1.0
References: 
 <CAN4CZFMmDZMH56O9vb_g7vHqAk8ryWFxBMV19C39PFghENg8kA@mail.gmail.com>
 <CAOYmi+k_et3yXpJ8op71-95j7OYg-kX5bWLgW9YTV_5G7f+O1A@mail.gmail.com>
In-Reply-To: 
 <CAOYmi+k_et3yXpJ8op71-95j7OYg-kX5bWLgW9YTV_5G7f+O1A@mail.gmail.com>
From: Jacob Champion <jacob.champion@enterprisedb.com>
Date: Mon, 30 Mar 2026 16:26:08 -0700
X-Gm-Features: AQROBzBtoa3Y4XMVw1Ea3_TIKku9XKoEs-wTOGZiXVkhI6GBZFlT4d2Po7ANBMg
Message-ID: 
 <CAOYmi+kivcSnazEJA=KWknd3azGYnU3mMq9SUvht5Zq74qNcYQ@mail.gmail.com>
Subject: Re: [oauth] Split and extend PGOAUTHDEBUG
To: Zsolt Parragi <zsolt.parragi@percona.com>
Cc: PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
List-Id: <pgsql-hackers.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-hackers@lists.postgresql.org>
List-Owner: <mailto:pgsql-hackers-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-hackers>
Archived-At: 
 <https://www.postgresql.org/message-id/CAOYmi%2BkivcSnazEJA%3DKWknd3azGYnU3mMq9SUvht5Zq74qNcYQ%40mail.gmail.com>
Precedence: bulk

On Mon, Mar 30, 2026 at 2:41=E2=80=AFPM Jacob Champion
<jacob.champion@enterprisedb.com> wrote:
> v2, attached, rebases this over 993368113. The big change is the
> removal of `custom-ca`; there were a couple of other tweaks to get
> both commits compiling independently.

Now for review. 0001:

I like how the UNSAFE: split works in practice. Implementation-wise, I
think I'd prefer that the debug flags be implemented as bits in a
uint32, and then we can cut down on the boilerplate.
fe-auth-oauth-debug.c is IMO too much code for what the feature is
providing. We should ideally be able to include this in a header from
both locations it's used.

I think `fast-retry` needs to be moved under UNSAFE and renamed to
something that doesn't sound "good". `dos-interval` maybe?

nitpick: `poll-counts` and `print-plugin-errors` choose different
naming conventions, and we're not referring to the poll() API for the
former. `call-count`? `dlopen`?

We need to test that ignored unsafe options are in fact ignored (the
parsed flag is currently being accumulated anyway, in contradiction to
the warning message).

I have a sample patch locally for these suggestions, if you'd like.

--

I'm not a fan of 0002; I don't think it provides enough useful
functionality to offset the cost. You said

> validators authors should be able to verify that mismatched
> configurations are rejected properly by the validator.

but "mismatched configuration" is kind of meaningless here: the
validator interacts with a token, not a client. Real-world validator
implementations already need to test against all manner of broken
tokens -- creating one that's signed by the wrong party shouldn't
really be harder to create than one that's signed by the right party
-- and the code to send a custom token from libpq is minimal (<40
lines).

--Jacob