Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1u6uSu-007Y3o-Q1 for pgsql-hackers@arkaria.postgresql.org; Mon, 21 Apr 2025 16:57:53 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1u6uSs-0074ga-Pt for pgsql-hackers@arkaria.postgresql.org; Mon, 21 Apr 2025 16:57:51 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1u6uSs-0074gL-Ak for pgsql-hackers@lists.postgresql.org; Mon, 21 Apr 2025 16:57:51 +0000 Received: from mail-qv1-xf31.google.com ([2607:f8b0:4864:20::f31]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1u6uSo-001DDE-28 for pgsql-hackers@postgresql.org; Mon, 21 Apr 2025 16:57:48 +0000 Received: by mail-qv1-xf31.google.com with SMTP id 6a1803df08f44-6ecfbf8fa76so49596736d6.0 for ; Mon, 21 Apr 2025 09:57:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=enterprisedb.com; s=google; t=1745254666; x=1745859466; darn=postgresql.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=SoIgWorUbr/wElB0gArwCOS7dJkUwlTkvMjw08UFbtg=; b=Tz7pvzESPjASq3igvBzTHgmcPKTPub3pOV9YZa3+eN/0J3Ai+urT2B/mp98TvbXACW HEzppev9lcAbWvSYFtj7VFhvSiWhW0xFdYywqu83uaQkjEeuF6EwvSDLiumDf0o2qYQm beTLYvZ4BFEk4jQtx9FpYeHWRe1viNqvD1aYiSgXbBFI3a1sRGzGW79aFlPd17Pk4xzh D1ITaKk86B8l1VXbQyOwB/pzm0ydv2UOsb76ubAub5656tyIUwwGCfprOp3Lk1qQkflD oi5ibXRuBAXvxHd6gieQV6dzqTgp+no8N9x5KQmt1qWX/PUTQi5o4EOpxm/zneOsGL6k d/9A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1745254666; x=1745859466; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=SoIgWorUbr/wElB0gArwCOS7dJkUwlTkvMjw08UFbtg=; b=fXBc74tcfo9xtPyX24ZsL3MuMvf4pZcFrW1CiuvMatFLiV+lkRJhMJIMwBU9Oo69ZL t4hRnRG5kdzUQJBaUW3GM2W2r6XM/vIq4XBF+Bw05G1H1kDE2tKFwGym4DxUje6DkYtk mjP40wZExgJvls08F/YYWanHzSV3ZR2JBdkh4mgHIt/CNxO8P2+Qn9MmnFcc3rJBUuHp IePHenTSVOKb36lWBPXnRrUYBaB1KzKEwBB5VSbrRM1dc7nhPHURD5U2EeCjpdDo+FMm pWBvRvPesNeO/pGlsXTgsmXmSsz2SE3/uPa8SzSmMPstC64QtoW28yQRP8x3zoRe9Oe5 Eeyw== X-Forwarded-Encrypted: i=1; AJvYcCWlPwcprfohzsUIaahfwYs+WPjaREr6h90QWyxhZjnQQpiORVMG/XTQtOdT59bqr81Ewcl9S7pv5VBSJ6p8@postgresql.org X-Gm-Message-State: AOJu0YyBU4Qm8MybWgFXHH8kQgw6jyGqZGWk+VgXPKEwUCq10Dm/+gI5 OQvGp+LstPeA05x7V0eDyePTHscsR4xXc6quY/eywaSeKv1KzfSFy9JPWTJxce9PfOU8fYEhNWL tzAlTNDmsKG9TkAh4PF3pq5x03pGqzMk/vq7HySDRSxmx/LK6h+Bm X-Gm-Gg: ASbGncvACcQeg38CNVQwZsYnmjq35PnEtjH1medA/eFdGjwtycV09TlkIFnCHz530ES e6a6/a/8cSWL3OK8G1LGpgydXomwBNDmH0s510BZH8FfqV37H/hPFEAocmjW/bFqhW7SWDrrpDd qmqVm4bkvQffMDoKh6dvJm X-Google-Smtp-Source: AGHT+IGJU3zleNUOf9R+MVBiVuj5JoGQZdXxbQP84zr9PvAEC6kJg5pLOi0ueE5mGTQvZSuAsZ1xBGxX4CtwNjrr8I0= X-Received: by 2002:ad4:5f8e:0:b0:6e8:fa38:46aa with SMTP id 6a1803df08f44-6f2c46527b9mr232724026d6.33.1745254665937; Mon, 21 Apr 2025 09:57:45 -0700 (PDT) MIME-Version: 1.0 References: <487dacec-6d8d-46c0-a36f-d5b8c81a56f1@technowledgy.de> <012b6a4a-aead-411a-a9db-c6c7b25e1dcc@technowledgy.de> <3ef2e077-396c-4953-b062-c28fe16d2749@technowledgy.de> <227ce390-b604-4b1b-924a-1540729d8e3a@tantorlabs.com> In-Reply-To: <227ce390-b604-4b1b-924a-1540729d8e3a@tantorlabs.com> From: Jacob Champion Date: Mon, 21 Apr 2025 09:57:33 -0700 X-Gm-Features: ATxdqUE0anWtt_D5XT3doZGLv2-7qr9O8KBHDJscA7YCQxegEj9wfe4Z2E-hIt8 Message-ID: Subject: Re: [PoC] Federated Authn/z with OAUTHBEARER To: Ivan Kush Cc: Wolfgang Walther , PostgreSQL Hackers Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Sun, Apr 20, 2025 at 10:12=E2=80=AFAM Ivan Kush wrote: > I'm testing OAuth Device Flow implementation on Google. Met several > problems. Hi Ivan, thank you for testing and reporting! Unfortunately, yeah, Google is a known problem [1]. They've taken several liberties with the spec, as you point out. We have some options for dealing with them, since their documentation instructs clients to hardcode their API entry points instead of using discovery. (That makes it easy for us to figure out when we're talking to Google, and potentially switch to a quirks mode.) But! Before we do that: How do you intend to authorize tokens issued by Google? Last I checked, they still had no way to register an application-specific scope, making it very dangerous IMO to use a public flow [2]. Do you have an architecture where this usage is safe, and/or have they added custom scopes? (I deprioritized handling the nonstandard behavior when I couldn't prove to myself that it was possible to use the Google version of Device Authorization safely, but I'm happy to jump back into that if we have a good use case.) > 1) In Device Authorization Request Google returns 428 code on pending > https://developers.google.com/identity/protocols/oauth2/limited-input-dev= ice#authorization-pending Right. I believe there were other nonstandard errors in other corner cases, too. :( > I suggest to add a GUC in postgresql.conf that contains additional > non-standard error codes for a specific service. > oauth_add_error_codes =3D [ > { > issuer: google > add_err_codes: [428], > }, > { > issuer: someservice > add_err_code: [403], > } > ] > So Google can contain 400,401,428 The server config doesn't help us much, since this is a client-side feature. Any "global" configuration is probably going to be done through environment variables or a service file [3]. > Additionally write parsing of such json-like config-values. Will be cool > to create serializer, that matches struct to such json-like GUC. I'm not too excited about a separate configuration DSL. I'm guessing most end users, if they really want Google as their Device Authorization provider, would rather have us switch over to "Google mode" once we notice the magic Google endpoint is in use. > 2) Google requires client_secret only in the Device Access Token Request > (Section 3.3 RFC-8628). > ... > But Postgres sends client_secret in both request, also in Device > Authorization Request. Yes. See 3.1 (Device Authorization Request): The client authentication requirements of Section 3.2.1 of [RFC6749] apply to requests on this endpoint, which means that confidential clients (those that have established client credentials) authenticate in the same manner as when making requests to the token endpoint, and public clients provide the "client_id" parameter to identify themselves. > I suggest to remove send secret on Device Authorization Request. This breaks Okta, at minimum. We can't do it across the board. (As for Azure, I haven't figured out how to configure it to *require* a confidential client secret for the device flow -- which makes a certain amount of sense since the flow is public -- but its v2 endpoint doesn't mind being *sent* a secret.) > 3) Additionally if secret exists PG sends it only using Basic Auth. But > RFC contain only MAY word about Basic Auth. Section 2.3.1 RFC 6749,