public inbox for [email protected]  
help / color / mirror / Atom feed
From: Bruce Momjian <[email protected]>
To: Daniel Gustafsson <[email protected]>
Cc: Tom Lane <[email protected]>
Cc: Thomas Munro <[email protected]>
Cc: Jacob Champion <[email protected]>
Cc: Nazir Bilal Yavuz <[email protected]>
Cc: Andres Freund <[email protected]>
Cc: Peter Eisentraut <[email protected]>
Cc: Antonin Houska <[email protected]>
Cc: PostgreSQL Hackers <[email protected]>
Subject: Re: [PoC] Federated Authn/z with OAUTHBEARER
Date: Wed, 19 Mar 2025 19:59:28 -0400
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <CAOYmi+kC9232rEPTMUV8NsGZOFWw-2dmPs=Zz0MT4HXmoBwPqQ@mail.gmail.com>
	<CA+hUKGK4YwqNhFcg=TaQky=sJ5YRH_n54hd0msfRHHG+mbM9Rg@mail.gmail.com>
	<CAOYmi+n8jHAjKKk0oT+HaOdVt7fn2w==MGoFk348ih1j-L8TDg@mail.gmail.com>
	<CAN55FZ2K_aXC89mq3UfB8Z8Okj4Qq-FRxzdrH5me5J+ytY64pg@mail.gmail.com>
	<CAOYmi+kKjhOnwU1LmDksf6RSZtVe9QXnH+6HDuiR=Cv9Z+MnFw@mail.gmail.com>
	<CA+hUKG+dMm6FyQvXM2oD269u6BBnaDoPM4DEyYzZJK6SAFCEag@mail.gmail.com>
	<[email protected]>
	<CA+hUKGKCYRS34L+BUy!5qhMF55Zg-oCMxDhnSgqm0jWkP+6jYBA@mail.gmail.com>
	<[email protected]>
	<[email protected]>

On Wed, Mar 19, 2025 at 02:38:08PM +0100, Daniel Gustafsson wrote:
> > On 19 Mar 2025, at 05:57, Tom Lane <[email protected]> wrote:
> > 
> > BTW, I was pretty seriously disheartened just now to realize that
> > this feature was implemented by making libpq depend on libcurl.
> > I'd misread the relevant commit messages to say that libcurl was
> > just being used as test infrastructure; but nope, it's a genuine
> > build and runtime dependency.  I wonder how much big-picture
> > thinking went into that.
> 
> A considerable amount. 
> 
> libcurl is not a dependency for OAuth support in libpq, the support was
> designed to be exensible such that clients can hook in their own flow
> implementations.  This part does not require libcurl.  It is however a
> dependency for the RFC 8628 implementation which is included when building with
> --with-libcurl, this in order to ship something which can be used out of the
> box (for actual connections *and* testing) without clients being forced to
> provide their own implementation.
> 
> This obviously means that the RFC8628 part could be moved to contrib/, but I
> fear we wouldn't make life easier for packagers by doing that.

I see it now ---- without having RFC 8628 built into the server, clients
have to implement it.  Do we know what percentage would need to do that?
The spec:

	https://datatracker.ietf.org/doc/html/rfc8628

Do we think packagers will use the --with-libcurl configure option?

It does kind of make sense for curl to handle OAUTH since curl has to
simulate a browser.  I assume we can't call a shell to invoke curl from
the command line.

-- 
  Bruce Momjian  <[email protected]>        https://momjian.us
  EDB                                      https://enterprisedb.com

  Do not let urgent matters crowd out time for investment in the future.





view thread (244+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
  Subject: Re: [PoC] Federated Authn/z with OAUTHBEARER
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox