Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tv3Jy-00GTdf-GN for pgsql-hackers@arkaria.postgresql.org; Wed, 19 Mar 2025 23:59:38 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1tv3Jv-00Dy7K-Ob for pgsql-hackers@arkaria.postgresql.org; Wed, 19 Mar 2025 23:59:35 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tv3Jv-00Dy79-Di for pgsql-hackers@lists.postgresql.org; Wed, 19 Mar 2025 23:59:35 +0000 Received: from momjian.us ([72.94.173.45]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1tv3Js-0001Nf-3C for pgsql-hackers@postgresql.org; Wed, 19 Mar 2025 23:59:34 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=momjian.us; s=2025010100; h=In-Reply-To:Content-Type:MIME-Version:References:Message-ID: Subject:Cc:To:From:Date:Sender:Reply-To:Content-Transfer-Encoding:Content-ID: Content-Description; bh=iOlWoN6HLDUMHqnOk5tW4Tc4e6ROBY+cVkgzD8V48lM=; b=PJ9+G k4cEabcykp78L9coU/uw7bo3KbJFjIUOrgZJpRkvzVL3Y2bM5tzIJU3Yw89SOQ5s9dOgEoipo6oD+ L5nDIzWPrRAkBhcQF/ZeiJ2J0UlMz4Z9Odv+rDC18v8+5RLskjCyIypqGfUgT6WSfEoqSWSnuxWrh tOUBDWIZed8qoZNInN1yoGyYPLLU/OgkeCGqVa2WHcWFQtKaZdzEMxCrU+qPbla92UloJUxgv/ZkR 4wC5YPwLQhRRtPWnbsMrEVTu8qLQAqCxi9E7DTPm+SsnAwYnse6GPNRw1j3mGVNFzRgH/6mM/snEt VfRiyH3mXgC8TOp/B6KahBkMSD+pA==; Received: from bruce by momjian.us with local (Exim 4.96) (envelope-from ) id 1tv3Jo-007kPS-0F; Wed, 19 Mar 2025 19:59:28 -0400 Date: Wed, 19 Mar 2025 19:59:28 -0400 From: Bruce Momjian To: Daniel Gustafsson Cc: Tom Lane , Thomas Munro , Jacob Champion , Nazir Bilal Yavuz , Andres Freund , Peter Eisentraut , Antonin Houska , PostgreSQL Hackers Subject: Re: [PoC] Federated Authn/z with OAUTHBEARER Message-ID: References: <636879.1742357835@sss.pgh.pa.us> <641687.1742360249@sss.pgh.pa.us> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Wed, Mar 19, 2025 at 02:38:08PM +0100, Daniel Gustafsson wrote: > > On 19 Mar 2025, at 05:57, Tom Lane wrote: > > > > BTW, I was pretty seriously disheartened just now to realize that > > this feature was implemented by making libpq depend on libcurl. > > I'd misread the relevant commit messages to say that libcurl was > > just being used as test infrastructure; but nope, it's a genuine > > build and runtime dependency. I wonder how much big-picture > > thinking went into that. > > A considerable amount. > > libcurl is not a dependency for OAuth support in libpq, the support was > designed to be exensible such that clients can hook in their own flow > implementations. This part does not require libcurl. It is however a > dependency for the RFC 8628 implementation which is included when building with > --with-libcurl, this in order to ship something which can be used out of the > box (for actual connections *and* testing) without clients being forced to > provide their own implementation. > > This obviously means that the RFC8628 part could be moved to contrib/, but I > fear we wouldn't make life easier for packagers by doing that. I see it now ---- without having RFC 8628 built into the server, clients have to implement it. Do we know what percentage would need to do that? The spec: https://datatracker.ietf.org/doc/html/rfc8628 Do we think packagers will use the --with-libcurl configure option? It does kind of make sense for curl to handle OAUTH since curl has to simulate a browser. I assume we can't call a shell to invoke curl from the command line. -- Bruce Momjian https://momjian.us EDB https://enterprisedb.com Do not let urgent matters crowd out time for investment in the future.