Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1w6GD2-0047Lo-1E for pgsql-hackers@arkaria.postgresql.org; Fri, 27 Mar 2026 23:03:20 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1w6GCz-00CjaJ-2I for pgsql-hackers@arkaria.postgresql.org; Fri, 27 Mar 2026 23:03:18 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1w6GCz-00Cja6-1B for pgsql-hackers@lists.postgresql.org; Fri, 27 Mar 2026 23:03:17 +0000 Received: from mail-yx1-xb131.google.com ([2607:f8b0:4864:20::b131]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.98.2) (envelope-from ) id 1w6GCv-00000001Z4A-3ZIQ for pgsql-hackers@lists.postgresql.org; Fri, 27 Mar 2026 23:03:16 +0000 Received: by mail-yx1-xb131.google.com with SMTP id 956f58d0204a3-64ca423ad53so2766706d50.0 for ; Fri, 27 Mar 2026 16:03:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1774652592; cv=none; d=google.com; s=arc-20240605; b=XDL+tTz4qorX39Wgpj8XwzsuyN36itluupADDMPgtSfW7/0Ld46/MFc0OifS73De1q u82Et5WOUxqie2XvWHvWhJziTelGPDjh3QD4eKuZ8cf3Kq9WjWDzzWzdBJRFlbvi9wyS m40GhBysTwvgukXmWEqCoSuvEgj5lWanYCA3SZ/z1TJ2YQh571B8RQxLfFLlN4GA42z2 RNYuCtNZHWZFvpNI+f6ky/g4kwkv6MuL2g3RrwOxFh96okHlVZW9NwEzFSRm4fR4/rLi wl79w3HZZi8sLAcGxAcTTR9gJcbAx/wv0ShdEyZgBh0dPHWPN0TKS/47oyGjSVjXMK9D YGMA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=3/jyk+JUAgq8B2IDzBYGvUP/kvnkzwICNtQNRMexYhg=; fh=Nzt4OjpJYKf+/NFccZ/MaBrkZPxBUzcvcQK2p5/u9/o=; b=UlzDZoA378bljXPLGRvOaWcgW7s88rmYIklYskHxvG0sRUdONt4KK/USGChfEF7Ukx CKBiU7PNYCEe7i9oLp435ffb+4r9qaw2Uj9BpugGRc+aQbHdQcXHGssg6LPH58gKetxA BzMWniEO+WAEazkVNkQOUtIZNrXmTcmdyOK5R5er+HkyA3OnQUBxTIFoB9F/rAHoffQf dCCfkGsoxPue0aXt8CC+T6owG+VmWDY86Svc/fIGng14mIWKAE2aXoU06z+sX1IxGY9z FPPr2zjcwb9UXFQjZa7Jhllr5CkmhBbNaqmarh3CiBxr9aFVGkqFhzwYR6eLUQodJR6X xIzw==; darn=lists.postgresql.org ARC-Authentication-Results: i=1; mx.google.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=enterprisedb.com; s=google; t=1774652592; x=1775257392; darn=lists.postgresql.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=3/jyk+JUAgq8B2IDzBYGvUP/kvnkzwICNtQNRMexYhg=; b=I09VmyVHReyM+rLXQX713oOky70at9I1uJIGHDk2MqycTFXE9utBU+MRq4TDTGoU6b L7IHI5C+w7WxQuSb2aH9BcZw3T8yOx08Brx5M23IS1VAZgzUexKvUReTSLHq3JvmL2iW +/akNX2W5y684h4E74jy5Vmh+o57HcyK3yFME+uwecGQsQ6pEJd0mf9MUT92jeEX9xlH BAdqh8T2tJNuUJM0aSeGQLmZiqhhASmwa+XBKzZ+MzK3DGwIpJ4jny2GT0eCbBLrdy26 /I14jl5QpPQL8E8Qncan1/M3HwkXHj0cgguQb3fkiRDootNoQ8QawBrr3m6HDyYhJBpW d2zg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1774652592; x=1775257392; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=3/jyk+JUAgq8B2IDzBYGvUP/kvnkzwICNtQNRMexYhg=; b=PPbclyH2ZbczZuWe2oYozdqcl0oz8GXww4cDYvdWqGzLTTvzdwkVXR7LH9ioGIFtdX 1OO04GM8iGIsFgfFRc4K+mAG4MURcdq89Rq5rxEEfeapkVJ8Xfn50XEqpmQbyyMFNDN5 Ex+WWJwdlA37DYP0dpfzS7yeBAjaKqbd3g1g7HSG+spGi9h6KABhwnOy8Fv4glhL47jF sLC1qTXRvdccJGr03s+RWXgBJHabhws89A0XApyPi+oJBAbEamDaX6UKRFsQ4wZbChw7 MFKqH3p7WgIZCRZAGglRWwmyM8wh5ZTlJk1Gw+GR129awWwXpsWZA2RbHSYXHpYCVDcm BaNw== X-Forwarded-Encrypted: i=1; AJvYcCW5XxnqQgmAPDTGbVwX887pS4XBycZPRyXAqymU0/CAGHCJ/YjNi0K84QcBkH3IJODhnUGOaZZwq5WuPrQB@lists.postgresql.org X-Gm-Message-State: AOJu0Yz3u74LymIJSbJc4+/ryuKPx2vCN4MHgs00vfs+7MSagesnNCmH dFhSa6z+zSAsbHvSEK8Pj4h4v9coNL8RUb3DazudrulqF8jBfbSsKlOYR4R8JrNHrEKNzaA0XRQ scc7YPD1b6WoZMRw4ada3KQPPRTirUBnA4L/+bk2g X-Gm-Gg: ATEYQzzLHOky/xoJo2EdS3secZOIRypXxEm9HmAEvUDz5WwY/ci2bj3XsV92tMHvmqc RdbJLCGivzlorI72oZke6BuehYjYy5bK3uYBEpolfsV/HmgRQcgCTcAO5ugDWMuqieZPUAXwFVu eLNeGkRZUOjU9cxM3fAoO+dzqTAXMUkgQZoeQbNStxrNwcwS3/mD2MuMfQkckCZEhUYyBrJ7VLU mUZYhLDeN3x8JI2HHIxk7dkGGDghkZF9aiCfjCoOHdCM/OrwZLzzRdA7LnWS35U0ELRhYv4gQNQ HqG1OXP3Gg== X-Received: by 2002:a53:ebcc:0:b0:64d:600d:854d with SMTP id 956f58d0204a3-64ff7404b19mr3437094d50.53.1774652591769; Fri, 27 Mar 2026 16:03:11 -0700 (PDT) MIME-Version: 1.0 References: <202601281620.m3hrqtih5b2w@alvherre.pgsql> In-Reply-To: From: Jacob Champion Date: Fri, 27 Mar 2026 16:03:00 -0700 X-Gm-Features: AQROBzChbj99cHSK0QKFCSbpogthJIGytNZQ-TkORrXG4eYmEb5C1TWmQ67jJWU Message-ID: Subject: Re: Custom oauth validator options To: Zsolt Parragi Cc: Nikolay Shaplov , =?UTF-8?Q?=C3=81lvaro_Herrera?= , VASUKI M , PostgreSQL Hackers , david.g.johnston@gmail.com, Robert Haas , myon@debian.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Mon, Mar 23, 2026 at 2:45=E2=80=AFPM Zsolt Parragi wrote: > This is my only concern with this patch: since we have a list > separated validatr names as a GUC already, couldn't we require a > . prefix instead of the fixed "validator.", to keep > the hba configuration consistent with gucs? Well, the `validator.` prefix lets us end-run the namespace issue [1]. It's one thing if I claim that single prefix in parse_hba_auth_opt(); it's another thing if I camp out on literally every identifier containing a dot. I'm also not convinced that it's worth spending additional code here to decide _which_ of the blessed validators is in force for the current line. (Deferring the check of the option names is bad enough, but there appears to be no way around that.) > Validators would still have to handle these options differently, but > at least it would look consistent from the user perspective - global > setting in postgresql.conf, same hba-line specific override in > pg_hba.conf. (also, validators already added global GUCs in pg18, and > this would also keep it consistent with that) After the wild goose chase I sent you on, I think consistency-in-form-but-not-function is more likely to be a liability than a benefit. Sure, validator authors will be able to pretend that users can override particular GUCs per-line, but that's not what's actually happening, so that could increase user confusion and support burden for very little practical upside. (As one example, `SHOW my_validator.setting` isn't going to behave intuitively.) Since my pitch here is "this is an architectural dead end, but it'll get us moving while we pursue the better route," I prefer something that's very obviously bespoke. Especially since validators will have to migrate from the old way to the new way, if we get our wish. I don't really want anyone to spend time resolving the collision of the two behaviors; I'd rather just let the old ugly configuration solution wither (or die), and encourage everyone to switch as rapidly as possible. > + REQUIRE_AUTH_OPTION(uaOAuth, name, "oauth"); > > Shouldn't this check go before the name validation? Yeah, I agree. (My original code had a more generic error message when the name check failed, but now that the message is OAuth-specific, I don't think it makes sense to pretend that it could belong to any other auth method.) Thanks! --Jacob [1] https://postgr.es/m/CAOYmi%2Bn9%2BVDNayxsZuG30YLxOXrVB2Wu%3DjBR4WrEdJvx= jTATKw%40mail.gmail.com