Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tvMr5-003zeO-H1 for pgsql-hackers@arkaria.postgresql.org; Thu, 20 Mar 2025 20:51:07 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1tvMr3-008uoR-AS for pgsql-hackers@arkaria.postgresql.org; Thu, 20 Mar 2025 20:51:05 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tvMr3-008ulk-0e for pgsql-hackers@lists.postgresql.org; Thu, 20 Mar 2025 20:51:05 +0000 Received: from momjian.us ([72.94.173.45]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1tvMqz-000CgI-0o for pgsql-hackers@postgresql.org; Thu, 20 Mar 2025 20:51:04 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=momjian.us; s=2025010100; h=In-Reply-To:Content-Type:MIME-Version:References:Message-ID: Subject:Cc:To:From:Date:Sender:Reply-To:Content-Transfer-Encoding:Content-ID: Content-Description; bh=TdChxQKgoXodYuE2a0iZ6dIwxYj5G5s57hgS1tB2pFY=; b=r8673 yp98eLahq+ZpTc/U71zG2BlP88Spc/OW6orYxvvnKkVrgOtefyNatZ2iE8w2KMStwkxDv9H/vW5Dd tAOpH9huUwui571RX0BP3r0mEhXV2j/d0QDOFvG+LwQfYoxk9GLr8m96lW6pAavUKGSWZPFe5Sy73 5QgbyrH0plM+M81oB4iI+1/VVjjKIeybIFQS9aOKNMQRpD0PtgKQ+RzyBsb1Q/jW6p7YZa9nDbv39 v/0hzqQ/zA4lEy2Z7/hj5o0IR84B+fgPfC8bjN+FUS+kWKKS2iThWXlWv8rnUHYtEwYCZvkoIjQY4 4yY/xm4Kx8b7/U4mnCfMXv1Ab+Xow==; Received: from bruce by momjian.us with local (Exim 4.96) (envelope-from ) id 1tvMqv-00ACYY-2P; Thu, 20 Mar 2025 16:50:57 -0400 Date: Thu, 20 Mar 2025 16:50:57 -0400 From: Bruce Momjian To: Jacob Champion Cc: PostgreSQL Hackers , Tom Lane , Daniel Gustafsson , Thomas Munro , Nazir Bilal Yavuz , Andres Freund , Peter Eisentraut , Antonin Houska Subject: Re: [PoC] Federated Authn/z with OAUTHBEARER Message-ID: References: <636879.1742357835@sss.pgh.pa.us> <641687.1742360249@sss.pgh.pa.us> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Thu, Mar 20, 2025 at 01:33:26PM -0700, Jacob Champion wrote: > That's more than I'd like, to be perfectly honest. I'm least happy > about libssh, because we're not using SFTP but we have to pay for it. > And the Deb-alikes add librtmp, which I'm not thrilled about either. > > The rest are, IMO, natural dependencies of a mature HTTP client: the > HTTP/1 and HTTP/2 engines, Punycode, the Public Suffix List, UTF > handling, and common response compression types. Those are kind of > part and parcel of communicating on the web. (If we find an HTTP > client that does all those things itself, awesome, but then we have to > ask how well they did it.) > > So one question for the collective is -- putting Curl itself aside -- > is having a basic-but-usable OAuth flow, out of the box, worth the > costs of a generic HTTP client? A non-trivial footprint *will* be > there, whether it's one library or several, whether we delay-load it > or not, whether we have the unused SFTP/RTMP dependencies or not. But > we could still find ways to reduce that cost for people who aren't > using it, if necessary. One observation is that security scanning tools are going to see the curl dependency and look at any CSVs related to them and ask us, whether they are using OAUTH or not. -- Bruce Momjian https://momjian.us EDB https://enterprisedb.com Do not let urgent matters crowd out time for investment in the future.