Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vqdKZ-00EqZ2-09 for pgsql-hackers@arkaria.postgresql.org; Thu, 12 Feb 2026 20:30:32 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1vqdKY-00B5WY-0t for pgsql-hackers@arkaria.postgresql.org; Thu, 12 Feb 2026 20:30:31 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vqdKX-00B5WQ-32 for pgsql-hackers@lists.postgresql.org; Thu, 12 Feb 2026 20:30:30 +0000 Received: from mail-qk1-x730.google.com ([2607:f8b0:4864:20::730]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.98.2) (envelope-from ) id 1vqdKV-00000000NJy-3d6u for pgsql-hackers@postgresql.org; Thu, 12 Feb 2026 20:30:29 +0000 Received: by mail-qk1-x730.google.com with SMTP id af79cd13be357-8c6f21c2d81so31021285a.2 for ; Thu, 12 Feb 2026 12:30:26 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1770928225; cv=none; d=google.com; s=arc-20240605; b=bya1xle0JfEo6t8RoOKqyvVF1wpyhp3DKnan/q4Bs9mKKxbp8MNWn0sL58ecz/CAjE Qkx298KIpLFxT8/pvDUgf4BfM6TLcI5TvA0diy9nPizxgh1kSVPmdoyfp0xLzeCUKkBc E9qBUNkyhEc42YHpXvC9xao7E5jIXaTKwlzvxNhX0PBhsum6WzYGO/QRRMLNSPRBkrN6 lXQq/qnJU9QgHnFT7J2tJ1MnskhnPO7AHKtgtNQ+Vvz08aIhdc+KbiXEvbOIkFeJdISp pFPHTj9eI1NwvC/f7J/6FrvPtmZNiMeusMNQRYiXFzdrP8ZSGBxCAY1bdq3aueo0oz0r 9cdw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=norWrR5P6GDqNuKiZ0v5zG8Fv4wAKL1dp1PRjzKFecw=; fh=mBP9Da7iq8aa7MSVEUhanVrN65BExFKwFnakkDA0xBE=; b=ZEUt2kfIvVou/vSnaLNARdPKuaVH68xlkkmqIa8BKVCxy6rKe3AM+9eg/p1PA6Ci5/ m4+/SVHl3x40yR3TuyCo+HJgXYPlKwf2e6j+WVb7WyTV7Iv9oPNglgU/17Ys+9WTyot/ yuXKwo+R3BBePNgT82QkWWBQZNkGkjR1lHK8IO8GVuCeU2o299iy5lfASSiLReuUOgIj HAZ0oK+8lsaikcOE20RgpEVCKFE8Y1CJZEsyb2OJ/JNDTokiSCGX9zaxAdy2xiv+iD62 qYqCbm9W/RR4u5Xzqv2IEmGVcydOSRgKVJBx3O4UHVJbHBPNMBtJ+JbEdO23lMOWmJrw EUow==; darn=postgresql.org ARC-Authentication-Results: i=1; mx.google.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=enterprisedb.com; s=google; t=1770928225; x=1771533025; darn=postgresql.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=norWrR5P6GDqNuKiZ0v5zG8Fv4wAKL1dp1PRjzKFecw=; b=BIza18mK0FgnlTLs8o+QoIZ3muHqmgtaVwo47he8SEEC1m08MWTs+0Bj6lpk3UBXRs pGuQwIK15iK2guBpVcgGdVvz4XsHg+wixogVeUCBZulKj69BF3N65PcISLyaryNARvqK laQ2E0v/tDM/qOHtXQ0XEj13zTa+aECOkCnIPCgg2C7XEvZCPKsvPxiMjZXJYzSOkqOU oE+I72NN6sMUEQYR9BGNXZZCe/QffN5lZwogewbh8TlIvvARS6dMDT+ZWazJQRF3ECEN UOXa5SWjDQDl8DhnIYvIbyB1EhO9NKUjS0BdS43HSN1rGTJ0qwaeHB64Qf3I3KTx1htd yzYQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1770928225; x=1771533025; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=norWrR5P6GDqNuKiZ0v5zG8Fv4wAKL1dp1PRjzKFecw=; b=BJxlMTig96W1pRJVea21i90txAHBgxp9fKmqhiIZFNTOPqrgU6KRSSlC0mDUyCH1JI u77mrNw7Ptitwv3YFtxj7+fd70LGzs/S0RfIxvlXy4SGzdlMhDc6J0DDEU+a19ksHW6e xJWbfx7ons0SIdSSMumdxo+6c/doVMk/bHlyryUoPpuofl/d30q3f1SkwUpbL0MJ0Uye G+ApXn/Q0G4AZM3CPU/6CR4e/9xNT407gXI2fKsFumSOUTIu/u2p+nFjAdG3a4dGU6Ql zfRdbJCfiGzqFRjlDj7fTYAQ5OPaoVPU/b2g64Ak9aT1ecfumpD8aLdRfRUFb66D5nYP 6V1w== X-Forwarded-Encrypted: i=1; AJvYcCU1m8l4RLbhzICk0UsRyzzjNnqHoHyD8zXKx5EnWjpBZDZpiYdFP8/UvjsyCRl7/DJBBHHUi0A85mu/znxO@postgresql.org X-Gm-Message-State: AOJu0YyErEhCOYDNy1jrWdWXakBjscVnP6vqi6cNmHJGAkH+hm48Pjmk YaL2eHg93SVV7/RglQ3jBvAB+SZt0Sa5/Ss/JiFltr2Iu1y2F3HmboZu2mY3Cz+DgNKsar7+Suu lBvq8dCYLpa64Ljj9AkglhF8ovhSGJeFG4kDQkRql X-Gm-Gg: AZuq6aIjcbEF51lVpFQBuMZmwioyi72ywEpAO5x8V+chQiG3VeehrCdDWxKak/niKlZ BhIV/j3s9r8lRSbtTb3nhl9HNjNg1GCa4/f3UinrhOz1d23iqBd/idRoMnt3HkW2Azr7/QKkXtD /qGtCs1alxSSo4pWAxv2f2LTBQ97nnIiTgBlyT2vaF6N04gLXxq9hR3PiQGHhD3OdSXZCdLykY+ NV5DCRDkwhtWAuCEgu0/mZVC5veIHbWCQrrzvwVqoqRJD07ytEsk/pnXFfYbu6shzoF7YkQkKl+ DXONczxDiQ== X-Received: by 2002:a05:620a:408c:b0:8b2:f29e:3af8 with SMTP id af79cd13be357-8cb40907faamr20283885a.59.1770928224045; Thu, 12 Feb 2026 12:30:24 -0800 (PST) MIME-Version: 1.0 References: <7DB528BA-C7A0-4B23-890C-5332FB35A16E@yesql.se> In-Reply-To: From: Jacob Champion Date: Thu, 12 Feb 2026 12:30:12 -0800 X-Gm-Features: AZwV_QjhW3PSrYFCD9azExyrMw7YWRsyvSdVgu2bR7Zii3iZubj6LAS5Qq8umCY Message-ID: Subject: Re: Improve OAuth discovery logging To: Zsolt Parragi Cc: Daniel Gustafsson , PostgreSQL Hackers , Michael Paquier Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Thu, Feb 12, 2026 at 10:51=E2=80=AFAM Zsolt Parragi wrote: > > Thank you for the quick review! Thanks for tackling this TODO! :D I have a lot of little nitpicky feedback, but please push back on anything you disagree with (trying to avoid Primary Author Syndrome). I've also copied Michael for opinions on the new API. =3D Mechanism-Independent Changes =3D > +#define PG_SASL_EXCHANGE_RESTART 3 I think the "restart" nomenclature is maybe a subtle layering violation. From the point of view of the server (and especially the mechanism-independent code in auth-sasl.c), we have no idea if the client's going to retry or not. All we know is that the client doesn't intend to authenticate on this connection. (There's also maybe some relationship with SASL's concept of client-aborted exchanges, which we don't support AFAIK, and would be handled at the SASL layer rather than the mech layer.) Maybe something like PG_SASL_EXCHANGE_ABANDONED? > + if (result =3D=3D PG_SASL_EXCHANGE_RESTART) > + return STATUS_EOF; > + > /* Oops, Something bad happened */ > if (result !=3D PG_SASL_EXCHANGE_SUCCESS) Let's keep these two cases together, either as an if/else-if, or by switching STATUS_ERROR to STATUS_EOF as needed. =3D Mechanism-Specific Changes =3D > + if (auth[0] =3D=3D '\0') > + ctx->discovery =3D true; > + > if (!validate(ctx->port, auth)) > { I think this might be more straightforward as a variant of the OAUTH_STATE_ERROR state (OAUTH_STATE_ERROR_DISCOVERY?) rather than a separate `discovery` flag. > - * TODO: should we find a way to return STATUS_EOF at the top lev= el, > - * to suppress the authentication error entirely? > + * The caller detects this case and returns > + * PG_SASL_EXCHANGE_RESTART to suppress the authentication FATAL. > */ IMO this shows that there's no reason for me to have called validate() from oauth_exchange() for this case -- there's nothing to validate. validate() should just Assert that it's been passed a non-empty token. > + errmsg("OAuth issuer discovery requested by user \"%s\"", > + ctx->port->user_name)); Since authentication isn't complete, we don't really know "who" requested discovery. I think we should rely on log_[dis]connections to provide debugging info to the DBA in these situations; this can just log the fact that discovery was requested. Thanks! --Jacob