Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1vjR95-00F4R8-1r
	for pgsql-hackers@arkaria.postgresql.org;
	Sat, 24 Jan 2026 00:04:56 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.96)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1vjR94-001sQ2-19
	for pgsql-hackers@arkaria.postgresql.org;
	Sat, 24 Jan 2026 00:04:54 +0000
Received: from makus.postgresql.org ([2001:4800:3e1:1::229])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <jacob.champion@enterprisedb.com>)
	id 1vjR93-001sPt-2t
	for pgsql-hackers@lists.postgresql.org;
	Sat, 24 Jan 2026 00:04:54 +0000
Received: from mail-qv1-xf34.google.com ([2607:f8b0:4864:20::f34])
	by makus.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.96)
	(envelope-from <jacob.champion@enterprisedb.com>)
	id 1vjR90-001z5Z-1e
	for pgsql-hackers@lists.postgresql.org;
	Sat, 24 Jan 2026 00:04:52 +0000
Received: by mail-qv1-xf34.google.com with SMTP id 6a1803df08f44-894703956b8so44970316d6.1
        for <pgsql-hackers@lists.postgresql.org>; Fri, 23 Jan 2026 16:04:50 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1769213090; cv=none;
        d=google.com; s=arc-20240605;
        b=EUewDoKoyXHN/k4PLGLjcgLRKPReu3j4f8B6m7+4wiDxDwyedlPXXjADJzO2LEr9bL
         2ZaxdCdXN8RDsxg51ZRaxBwlEbqXGissI98bRPGcWT0wXYlVeDa2ryLe/knsvNYEt3NL
         YIksXf8bA+L232WIHEWKiAW2TQcClQ7f0NmwHV2iRUlUoGaDDBwLesbI0BoUFLBeXr/H
         fw4sN6uhbausXr6YLHhucaTGyUzuJjgYfjN3P6fuTtk1XBdl/0QNb9BOGcl4dNYPGwgL
         rhnnGHyCLzFzoh+9UG7EyI2BdDdk5UC/IW/1Kp1XRZjN607bQuUFUCRST/OpRzGcnyX8
         HCFA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=cFov62OkvQqVJyt0Jm2vvoa8mUqHq70gEvSRzQyRJs4=;
        fh=tf32Jv7FN7RT+O0lhvUu24sgI0ZsIZ2sTAGJkBXxh0o=;
        b=cBZjRbN/FB4Rm7nlC0ZW/2jhaIyumulFqWBGtjl80O6mzvzwa+Nb3QNkpf/Xweyi1Q
         0iMqu4hoerReFU1qMKv0NlatJL95DlEFgF9erZ/tridEOXUTdVa+66nZMKcNOTXt8UmN
         mkB08P3qBcglTNI/Gi8OpYCdBJd0ZWXP4vVXR5DNdTO3aLys9yMshuW5WYft4+pRqUNy
         VAu7XCrztxQ/3um4mAgWHtDZjDHYUMO+22nQF3xou1ovcbhoge+tvj1df46yiqsSpL9q
         zXr2F9yHwbQNIaYr9HPJNlJa054gvwVZk3FdAMdsmS8y5zK21MPt0irJZEdC4q+bMV54
         HRVQ==;
        darn=lists.postgresql.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=enterprisedb.com; s=google; t=1769213090; x=1769817890; darn=lists.postgresql.org;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:from:to:cc:subject:date
         :message-id:reply-to;
        bh=cFov62OkvQqVJyt0Jm2vvoa8mUqHq70gEvSRzQyRJs4=;
        b=BQqOSBjgM2sw2ciMzpXhQT1+s7siFGr1DKt/TlEpJDaJH1FvR+zsZvXeSe3/VoKyDd
         CK3Q2zvxztA38oX4WwSX4srYAt+DnN2cHi7Ey7oRqeBIUo4nL2YMPHq/vcS61+GLUIqp
         TC8JSjHde2OpH9Z7tzG6OuHEB0T4RBym10G3Ym22Pqnh6OchDItvtGkwN/SjObL9bur9
         R1k3ab5QQoLwlk0M11kyPzJ7jhN7qQIpQR8tpxFXNUfQ0MvvpVBhN44TeQ4SG4F6wzV4
         jQmPkiiWuA/ciLM0MIHm02zfCcirdAO6qKaXOfqIikXVZMRTsZm5fjNkgt7Th7jKQbfz
         DYAg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1769213090; x=1769817890;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=cFov62OkvQqVJyt0Jm2vvoa8mUqHq70gEvSRzQyRJs4=;
        b=bFIxxxNQThLpcjIkaFZV58DiqIZPhF4581tHj6s4PczdcSyuDwNe+4pSvEnyZCL9RN
         Rmj/dP/fI379S180ypFbrqPD+Mvvz0mFoGMiBd5xqEXjJIMHhoeua9y+aRY1bGNdlS5d
         +jpY+7b05/HuNQ80/K6mlVvXdbavReODXGBpQnfRmSFR8BDN3CdCAny1swFfYhu/aEFu
         eXctqDSITzGIPZwtWymuHNNcvVbZwFxc+t9HY6C8f9HwTxZuC3g4dQ+ais3TGBq+8TIy
         XI0qCKWDixv/mayu59X9ciDkWwo33Cf7POvqvKv0J4DUTxN9sDUCF3ASxg5ftFGrx9XO
         6gfg==
X-Forwarded-Encrypted: i=1; AJvYcCVw6Iq079riN+7rZeZU1LKNA5ukN0d7KPBPCHBQvtoHpNgXGQ8WyPaaQmutfAIxLp5fvb5AL1x3fs8GAf+D@lists.postgresql.org
X-Gm-Message-State: AOJu0YySoJaz2HXYYVK55Q1tw2ssvpQgDsvKpC5pVUwdNL2KFrIReRko
	CkaL8IBdZk0LigqTf3SSEeToSfrTijFFrX/De7PJ+ZmZ6eTSf1G2FzdDnCHgI/jIEtFbMrZpYpX
	+59vcLb/KqyA0nGQOm7JXbIWSMEEzLIyMGAbKSmpU
X-Gm-Gg: AZuq6aJhLQ6JPviqesM68Rn2OxLhc3G0crTGrdR1o+70G/9lx4PcQa0fRUm+SiB3Gx6
	TE80CuB6nC9YXA2qU3umHQ2RAJuTfEpBFe7n19vfo/CLrWcwlTdAYGt5QAjTesCaFvrcKm7HPmU
	XcyK237MSWMfZ4trQXK9a3ffv2weFlV8UmOnxOE4Y/RPWGG0Jt2AZGap1K/STNuDZaH7M/V7sWE
	Othe/VAdUKh9lZicsJvtkj+DOVytEL8j4zDTdQPJLWLqkVqqPeWBrDHo6LTIDE7IxSnacveUw==
X-Received: by 2002:ad4:574f:0:b0:894:5cfd:22c9 with SMTP id
 6a1803df08f44-8949022b7cbmr72488076d6.65.1769213090227; Fri, 23 Jan 2026
 16:04:50 -0800 (PST)
MIME-Version: 1.0
References: <CAN4CZFM3b8u5uNNNsY6XCya257u+Dofms3su9f11iMCxvCacag@mail.gmail.com>
 <CAE2r8H55geNFtECuFunpgn0LJK2+rntGuTeqNr6mP7gGhWFRbA@mail.gmail.com>
 <CAN4CZFP_2fe2-18wUoXDZodV8suVe9o++pv=hP8KxxvWkmCx7A@mail.gmail.com>
 <CAOYmi+kMuA7t9ao6rWZ=5kn_Zmd7qtwOay_ocEBXwkzKWbefhQ@mail.gmail.com>
 <CAE2r8H439jg+e5gXJpNNMoroe4CfWauDRfUBZC_9NUNTOhqzBQ@mail.gmail.com>
 <CAN4CZFN9RMF_79kx75SkQZezd91DocUzz89bJeBJrMO=uNuG2w@mail.gmail.com>
 <CAOYmi+krPZDC8K+9z64M2EY9fELTKzLbqw8fD_wK=87YV+TBgw@mail.gmail.com>
 <CAN4CZFPvjAt+eZJd=Rxp=yXRjva8CpJ_BbnF=vQW6uXCqfrjEg@mail.gmail.com>
 <CAOYmi+nbCrvcE9wLQdNCgMwDbbi_UzGYrzfC54txmMBJ9KxO=Q@mail.gmail.com>
 <CAN4CZFNywvG59B+nBgD1_1fHE2uODBH3EcF_gwLmC7Y5U6Ru4Q@mail.gmail.com>
 <CAOYmi+=-OdzHMzqg9i8TwYvgKwE-vroj0d-9SqnRnwbz02SgTg@mail.gmail.com>
 <CAN4CZFPo1POb9fWMihTACFxE=xSxKEANHRkxN4YbMMN-0SML=w@mail.gmail.com>
 <CAOYmi+kVAiKf=WrnyzGxCmx-uu=arPE0=+Mf_AOhuTzkvCNC2w@mail.gmail.com>
 <CAN4CZFMeTuH4uANV1bOox0d-1mycCnyghY49cL+E8PYZ4Y=0Kw@mail.gmail.com>
 <CAOYmi+nKQ_7+pWSzw=rP2_T9UL=URHBsKq005BDeMmmC_=PV8g@mail.gmail.com>
 <CAN4CZFM8TgqDi=5Bot2imtd2heGESjpMfQ7kW4qeFSjO7NTAQQ@mail.gmail.com>
 <CAOYmi+kVCWCbf+yjmFSeddmqxgYTO5vU+CqwFq6EbpyLkpW=Bw@mail.gmail.com>
 <CAN4CZFNt3WVPsORSFfdZo3nYn9Fa1-CkKKdu3_gVNpw4jbenjg@mail.gmail.com>
 <CAOYmi+n9+VDNayxsZuG30YLxOXrVB2Wu=jBR4WrEdJvxjTATKw@mail.gmail.com> <CAN4CZFP2N=+bqJL7PUiy0DR0dGwbdd1Na0rdMCpzdpaH50O87w@mail.gmail.com>
In-Reply-To: <CAN4CZFP2N=+bqJL7PUiy0DR0dGwbdd1Na0rdMCpzdpaH50O87w@mail.gmail.com>
From: Jacob Champion <jacob.champion@enterprisedb.com>
Date: Fri, 23 Jan 2026 16:04:39 -0800
X-Gm-Features: AZwV_QhBVW1XCpNuXH0t1EUzU2xAE9XVIXfKQyK5zJF2oE-2L34HPSqHXXap46A
Message-ID: <CAOYmi+nhh-fChn-8K7HV4kwVwsTm_gVy5jBgUBMqfM6Hm5E4zg@mail.gmail.com>
Subject: Re: Custom oauth validator options
To: Zsolt Parragi <zsolt.parragi@percona.com>
Cc: VASUKI M <vasukianand0119@gmail.com>, 
	PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>, david.g.johnston@gmail.com, 
	Robert Haas <robertmhaas@gmail.com>, myon@debian.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
List-Id: <pgsql-hackers.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-hackers@lists.postgresql.org>
List-Owner: <mailto:pgsql-hackers-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-hackers>
Archived-At: <https://www.postgresql.org/message-id/CAOYmi%2Bnhh-fChn-8K7HV4kwVwsTm_gVy5jBgUBMqfM6Hm5E4zg%40mail.gmail.com>
Precedence: bulk

On Tue, Jan 20, 2026 at 12:31=E2=80=AFPM Zsolt Parragi
<zsolt.parragi@percona.com> wrote:
> > But if someone decides in PG20 that
> > pam_use_hostname is a good GUC name for something, we're in trouble,
> > because the existing HBA options do not plug into the GUC system.
>
> We could make them reserved names?

I'm wondering if we should maybe do the opposite, and namespace the
GUCs instead? The vast majority of settings in an HBA are not going to
be GUCs, they're going to be method-specific parameters. So maybe it's
okay to have to do more typing to do the uncommon thing, and reference
them like `guc.log_connections` or something.

> Or maybe even accessible as GUC
> variables, even if we leave the current parsing/validation logic as
> is. Making them proper GUC variables seemed like a clear follow up
> patch to me, even if not for pg19.

Hmm... we may want to discuss my (e) option derailment more seriously,
if we're planning to go in that direction (and if other people like
that direction).

> > I'm worried that it's about to make a different decision from the
> > decision that is being made for the pg_hosts.conf file for SNI.
>
> I probably should read that thread in more detail, but I assume that
> your worry is about pg_hosts being a hardcoded configuration instead
> of using a similarly customizable GUC context? Shouldn't that be
> fixable in the future similarly?

"Fixable" in what sense? pg_hosts.conf is currently similar to
pg_ident.conf in that it has no place for key=3Dvalue pairs, and if you
add them after as an optional "column" for compatibility, you still
have to write something for all of those columns that you were trying
to replace with the GUC settings.

> > 3) can your option (b) or (c) make enough use of existing GUC
> > infrastructure, so that a future PGC_HBA could easily subsume an
> > OAuth-specific solution, if people want to continue down that path in
> > a less OAuth-centric thread?
>
> I'm not sure about reusing existing GUC infrastructure, but  I could
> make it look similar from the users perspective for example by adding
> a function DefineCustomValidatorStringVariable that has a similar
> interface to DefineCustomStringVariable, and in the future, this
> function could simply forward to DefineCustomStringVariable.

Might work, yeah.

--Jacob