From: Jacob Champion
Date: Mon, 5 Jan 2026 10:37:45 -0800
Subject: Re: Make PGOAUTHCAFILE in libpq-oauth work out of debug mode
To: "Jonathan Gonzalez V."
Cc: Zsolt Parragi, Daniel Gustafsson, PostgreSQL Hackers

On Sat, Dec 20, 2025 at 9:53 AM Jonathan Gonzalez V. wrote:
> > > > https://wiki.postgresql.org/wiki/Proposal:_Promote_PGOAUTHCAFILE_to_feature
> > >
> > > How can we work on that? because of the above it may be required
> > > to add even more possibilities.
> >
> > Not sure what you mean. I think we're working on it now, in this
> > thread?
>
> Yes, but having a list of ideas listed, that we all can read may make
> sense, that's because following the threads with all the ideas at once
> it's a bit difficult sometimes!

See

    https://wiki.postgresql.org/wiki/Category:OAuth_Working_Group

for a current list of tagged [oauth] proposals. Or is that not what
you're asking about?

> In my opinion, "debug" it's not just developers, [...]
> since all the systems nowadays can run on hundreds
> of servers or containers, no one looks into the logs manually, you have
> automated system for it, that will read, parse, collect and distribute
> your logs into different storage, databases(even PostgreSQL database
> can be used for it) or display system. It is for these cases that
> having something that can be parsed is always useful.

Sure, but that's not the use case for PGOAUTHDEBUG. It's fine to
develop a feature that handles production logging for client
authentication details -- it's just emphatically not what that envvar
was designed to do. This is a developer feature which turns out to be
hiding another feature that people want to use in production today.

I know the most visible aspect of PGOAUTHDEBUG=UNSAFE is the logging
spray, so that might have contributed to the confusion.

> Well, I think I was misunderstood here, when I was talking about "debug
> levels" I was talking about logs debug levels

Right, and I'm not. I guess that's the main disconnect here: I'm only
talking about enabling and disabling the features exposed by
PGOAUTHDEBUG. I don't think a debug level helps with that, which is
why I proposed a bitmap.

But that's a feature for a different thread name. I think we should
continue this one by adding an oauth_ca_file connection parameter and
documentation, including the default behavior (which defers to Curl).

--Jacob