From: Jacob Champion
Date: Tue, 16 Dec 2025 15:09:51 -0800
Subject: Re: Custom oauth validator options
To: Zsolt Parragi
Cc: PostgreSQL Hackers

Sorry for missing this thread!

On Tue, Dec 2, 2025 at 5:06 AM Zsolt Parragi wrote:
> 1. Configuration for OAuth validation ends up split across two
> locations: issuer/scope and a few other parameters are defined in
> pg_hba.conf, while custom parameters must be set in postgresql.conf.

Yeah. (This has come up before a couple of times that I know of, in the
context of pg_hba and pg_ident splitting important configuration between
them [1], and in the context of SNI's proposed pg_hosts config [2].)

> 2. We have received multiple questions asking how to configure
> multiple OIDC servers with different parameter sets. I am not sure how
> common it is to use multiple OAuth providers with a single PostgreSQL
> instance, but the question is certainly reasonable.

What kinds of parameters? Having a motivating use case would be helpful;
HBA isn't always as flexible as people assume and I want to make sure
that we can end with a usable feature.

> Given this, I would like to ask what you think about making
> pg_hba.conf extensible.

Your proposals (and the concerns they raise) seem reasonable enough at
first glance. (I still want a motivating use case, though.)

Honestly, I'd *prefer* that any solution not be OAuth-specific. I might
throw two alternatives onto the pile:

d. Have HBA plug into the GUC system itself

A hypothetical PGC_HBA context would seem to fit nicely between
PGC_SIGHUP and PGC_SU_BACKEND.

e. Subsume HBA, ident, (hosts,) etc. under postgresql.conf

This is my personal white whale. I think pg_hba+ident is no longer fit
for purpose. It makes nonexistent use cases easy and common use cases
unnecessarily difficult. Most people ignore half the columns. New users
are surprised that you can't choose between authentication options. You
have to correlate a bunch of different files with differing syntaxes to
figure out what is going on. Etc, etc.

This is why I bypassed pg_ident for validators, so that they could be
free to do useful stuff while the core caught up. But I didn't intend to
keep them separate forever.

(I'm only halfway serious with (e) -- I don't really intend to drive your
thread straight into a wall. But when I read proposals a-c, I get the
sinking feeling that this *should* be solved in a more radical way, if
we could only agree on a direction...)

Thanks,
--Jacob

[1] https://postgr.es/m/0e0c038ab962c3f6dab00934fe5ae1ae115f44c0.camel%40vmware.com
[2] https://postgr.es/m/CAOYmi%2B%3DZjGJLw8tCkzY88acd%3Dir1r8eAxO-%2B5wXm9gtCUV97Sg%40mail.gmail.com
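To make the split described in point 1 (and the multi-provider problem in point 2) concrete, here is an added illustration that is not part of the thread: the pg_hba.conf side of an OAuth setup on PostgreSQL 18 next to the postgresql.conf side. The validator library name `my_validator`, its custom parameter `my_validator.tenant`, and the issuer URLs are hypothetical placeholders.

```conf
# ---- pg_hba.conf (added example, not from the thread) ----
# Per-connection OAuth settings live here: issuer, scope and which
# validator library handles the token. Two OIDC issuers, two HBA lines.
host  all  all  10.0.0.0/8   oauth  issuer="https://login.example.com"   scope="openid"  validator="my_validator"
host  all  all  10.1.0.0/16  oauth  issuer="https://idp.partner.example" scope="openid"  validator="my_validator"

# ---- postgresql.conf (added example, not from the thread) ----
# The validator library itself is configured cluster-wide, not per HBA line.
oauth_validator_libraries = 'my_validator'

# Any extra parameter the validator needs is a custom GUC with the library's
# prefix (hypothetical placeholder name). It is a single cluster-wide value:
# both HBA lines above see the same tenant, so the second issuer cannot be
# given a different value here, which is the limitation the thread discusses.
my_validator.tenant = 'prod-tenant'
```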