Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vkn3Y-002A8E-1c for pgsql-hackers@arkaria.postgresql.org; Tue, 27 Jan 2026 17:40:49 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1vkn3X-00FI2F-1T for pgsql-hackers@arkaria.postgresql.org; Tue, 27 Jan 2026 17:40:47 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vkn3X-00FI27-0U for pgsql-hackers@lists.postgresql.org; Tue, 27 Jan 2026 17:40:47 +0000 Received: from mail-qv1-xf32.google.com ([2607:f8b0:4864:20::f32]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1vkn3U-002bZX-0V for pgsql-hackers@lists.postgresql.org; Tue, 27 Jan 2026 17:40:45 +0000 Received: by mail-qv1-xf32.google.com with SMTP id 6a1803df08f44-8887ac841e2so48953876d6.2 for ; Tue, 27 Jan 2026 09:40:44 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1769535644; cv=none; d=google.com; s=arc-20240605; b=Omkw64g3KKWl7I9zSIIZm5+YJArQ0d8mwMyyQHvsxtwkeojHYqTmUojyvPUn5Jppk+ oMzP03BX2sJHWlV6FMsGxVelz06vufQ5eg89264j/AMipGNj/eBFJ0Fcf2eoZDLW+N2O gpeuUQ4JTK47Pelot7vgBASI46sfh314btwJKZdq7yGHh9xbXpDYmi4lZgsreStnsm+C HmnYtczGO0jWZOMfm1owZXymPrIVGiVVvUV2a/gA9EBdsWfPtbpBCDqu6wRJ6+iYmopG h1hRnqrbedcrfj+TV2kzSNDUlDmG1yUB6yxspVt8Nrumtsz7n2Xm80V44Sfh+E6DTZz+ LtMQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=sFm6qiuO7+qLCBsg9OShjkWRWXs00JvZrJ/YNmagBe4=; fh=nLc/riJHbOFf8lYF6ylcOCfOnKzX+GqYH22KztfN0dE=; b=OOyPO8CrjAxwpKnN46bZQLrQKOagIetjs3Q8tYso9iGqHOIQZGiDp2QuPjWSSjNPvH Dq0g+BZIgyVHl3EAVFFklROM/y0taa47rsc0ZKZexqyaioc6j5glk7fCWeBWNe2KiiDc udX7e2LApNOoLDMzFLqfAk+cgHzjQX3HF1UQHdPePukKZsvQ+PSx/bQS3TEKbje2F5Pf INXwPbnER2J521Ts/IuS6moDVBYmnShXAyq8t/+vQh3MOOV2jPxPsae1TdgSjAkcsCKz b76RvF7ZRoBNQa5m0FaRuGFt/fvMz5gmD1hNqO1/fj5/Ct0h+A7vRUYHbM9VarV9I7vn KEKg==; darn=lists.postgresql.org ARC-Authentication-Results: i=1; mx.google.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=enterprisedb.com; s=google; t=1769535644; x=1770140444; darn=lists.postgresql.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=sFm6qiuO7+qLCBsg9OShjkWRWXs00JvZrJ/YNmagBe4=; b=Ul5OZ0P76/Umf7mW51ZYFrH1w+cZwX80L+NszYmAaoTrsLJOdfuxbcdKOcFkB1nbu6 D17fRF4rFqfUz9clJhkaAzGo8DJojUPukEyis1iDJH3wXXxVk9ZWxpr42ykNzuVu1ajR kGvZcN0tKCYk9RYDqD56k7QAmTETp5swAlSN+YeqDCO36i9OwlfdCxNa5xtzHiDy/CMR eSyuWozkA0xxD5wZZFBEB5BUWrW1WnYlrBQ18n0auzfSraPZysu6WoO848OnD/JbHS4y KIdKxgUSZrYl56BAh65l1IYk1liaPQd4nlLW4Vv+56/wnlgYcLm6wnMZ0g/nYBgaU18n bdQQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769535644; x=1770140444; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=sFm6qiuO7+qLCBsg9OShjkWRWXs00JvZrJ/YNmagBe4=; b=hpG7QZH6vxl2xV1rncx8YPCkRu781kB0fvYtKRLa+Gpey8zvsxypJ9yPvJ+joydJXr BApC5sEamIkLsuPf7PKRx5V0O+488LIR/MkWeJVvC2XoAc5+aUGxUcQwirGk8GZ8NvjM PxU8I0QIIGQg9Z+4K2ll6u6u6I/Iq78/nWuPWvPmp/U+olLW/FXs9pmhiHtTHiJOBYk8 El8BUolnEhfxftarcRVItENA7hJaEOEmjdrjC/1AnObWnmav8AKsIwFVz3VUGS+Vtpz3 99wdhqHB1KemN/e67ZiEoay74QfJFmN/IRqH8wNShmeL8QSo/W81c7VFE2F4tCu6AU/x rTEQ== X-Forwarded-Encrypted: i=1; AJvYcCViWcdLP9ATEe66tu3TZQhIilAuSm5PktxMw95igf8o/1/ft4bWG2XE7dMnRxvj1EjlAdaBW4LTkWiNHzMb@lists.postgresql.org X-Gm-Message-State: AOJu0Yz0Hu/zCeXflBcn+EHHtDrm/Grg1NeQOnLgZZyYR8a+VJzSrphm OccbKhacu63zC0fnJqPiAqGzBguIcbQS8LNDC+j//OBoWt8VaaoziSQgZ2zFnw/BOQiMk7UiaAq oTRrjHH4o+tmCbMYhz2BdYbmW6wW1a61GTUrgAHMj X-Gm-Gg: AZuq6aJA5pgj9nPf+CVX6rjjCYfIBVgG0aAjNLqaNwgbEVEaxxf4n/J/KflJ5QLUyls AZyzFpr2a90qdO3jA3MeOTZEw3hj+9ypysYQuuTawXf7oCOTkPqBhIUgHUm0h3z/65jAfSle4k8 +RUHbTZeUoGMzguT5bmyxah3IZIP8PWf1u0jB5f8417pCPN8BC5aWhyVSjThO1wnI/0vi4sp06N So8s86e2vs2DRyJd551haT8tcoXE6aDjJSBjRN7XwOU6CxjIMkF9vH8Xp/n5KRBLIlCcTpcnQ== X-Received: by 2002:a05:6214:21c2:b0:894:85ee:63c7 with SMTP id 6a1803df08f44-894cc8c98dbmr37654436d6.43.1769535643951; Tue, 27 Jan 2026 09:40:43 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: Jacob Champion Date: Tue, 27 Jan 2026 09:40:32 -0800 X-Gm-Features: AZwV_QiexBTaoairHaM20QrLunQaHSYH8xJ2mnCysLAfj12WmWusdGMII_9Cq1c Message-ID: Subject: Re: Custom oauth validator options To: Zsolt Parragi Cc: VASUKI M , PostgreSQL Hackers , david.g.johnston@gmail.com, Robert Haas , myon@debian.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Mon, Jan 26, 2026 at 1:51=E2=80=AFAM Zsolt Parragi wrote: > The choosing authentication method part would already > be useful with OAuth, and now Joel also started a thread about fido2, > which also brings the question of MFA. Or just the ability to offer a choice between two authentication methods for a single user, yeah. > pg_hba has the same issue, even if it has custom key=3Dvalue data > already. What I meant is similarly how we could turn currently hard > coded pg_hba settings into GUC variables, the same is doable with > pg_hosts, either at a separate level or integrating it into the HBA > context. And later either both should get a new line style and > deprecate the old one, or maybe these settings should be configured > completely differently. Sure; at this point I think we're violently agreeing. If we suspect the configuration UX needs to be refactored, that's not going to be a decision made unilaterally in this thread, which is why I said I was worried about the scope creep. --Jacob