Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1p081O-0002xM-QW for pgsql-hackers@arkaria.postgresql.org; Tue, 29 Nov 2022 21:20:06 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1p081N-00085M-Nm for pgsql-hackers@arkaria.postgresql.org; Tue, 29 Nov 2022 21:20:05 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1p081N-00085B-E3 for pgsql-hackers@lists.postgresql.org; Tue, 29 Nov 2022 21:20:05 +0000 Received: from mail-pl1-x634.google.com ([2607:f8b0:4864:20::634]) by magus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1p081L-0006zv-6i for pgsql-hackers@postgresql.org; Tue, 29 Nov 2022 21:20:04 +0000 Received: by mail-pl1-x634.google.com with SMTP id y17so6799662plp.3 for ; Tue, 29 Nov 2022 13:20:02 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=timescale.com; s=google; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=XUC4yXLB/SCJGZ89O7eUxV8z9p0/j7lHoAySp2OMtYE=; b=JwJr6dGAVCjeTezw/fIO0rCD/iXvZmkmBM1Y0La8EPB0Sj4aGtVhamhX75P2pmB/ho R+Ky7MRoWYAS1Y5ujuNYnL7kKnXpht9/BUfeBpl/c1jnrX680gGV+sh/FGhb4dbTpLF1 BT10ynQBnt94zbga2VIxnuH8aowxJNW8L30OHPENIeYnk7oksCUoskOUDuvO/Cq43Tfk IJc0NhBOIPJy5akOMGRLiweMGzOzX+NXoA93wSsmEnOT1MyOn+0szZKmR7rNV+eUNR6R FjAVtcnLhS/gZagLnqWo7eug6/SN5SttKEehypRE6HCUmSdBT+cAAShM0yKfm5GxkEXB 7C3w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=XUC4yXLB/SCJGZ89O7eUxV8z9p0/j7lHoAySp2OMtYE=; b=CHiJjDtYcHBOE4sVKdWb8ZcKAuf+n4gEThkLenLp5KYVT6tRR/ceOFX2JAkTfGUQSa 3FTgPip8RzSsxiJoxsAZdKfbHiT3AduBdw0oppkTsoWfWXFOCsldy6hbgLO2KT4eRJQj CFF9wCl1fktltysT3Ol3ZGYHh9+s/87FpzAkBoZ7sCCN8jw3VqjRpP58TvGlilbnmob6 3b3Yb6mJOCgX6vn03nDAOjKlf4o6Vbgdw0/WYLEyMJT2/8+/uNo1z79BsatYsn18OAlr BRwRuFs/lAzcFvIADLVIjsecC1l1Os2aMBX51GsLF0r5aO468ppfPEU3W7Bs72WiCusx 56aw== X-Gm-Message-State: ANoB5pkP/3hHqAum+5AwvH1JwlzXlBmd5W5TegdMLZrwi7FOaCCeVqLG /Zya00W3ib/dIMEmfC+eH2HILQ== X-Google-Smtp-Source: AA0mqf5kYB+CDGmPEouqYEL+TTtjFObIRj6x62BjRf5gXx6qO2OXeY+9qMeuZ2zQRluKzBFJogM7tg== X-Received: by 2002:a17:903:240b:b0:186:9fc5:6c2c with SMTP id e11-20020a170903240b00b001869fc56c2cmr38901859plo.174.1669756800976; Tue, 29 Nov 2022 13:20:00 -0800 (PST) Received: from [192.168.1.21] ([50.53.8.205]) by smtp.gmail.com with ESMTPSA id z5-20020aa79f85000000b0056bbebbcafbsm10386007pfr.100.2022.11.29.13.20.00 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 29 Nov 2022 13:20:00 -0800 (PST) Message-ID: Date: Tue, 29 Nov 2022 13:19:59 -0800 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.4.2 Subject: Re: [PoC] Federated Authn/z with OAUTHBEARER Content-Language: en-US To: mahendrakar s , Andrey Chudnovsky Cc: "hlinnaka@iki.fi" , "michael@paquier.xyz" , "pgsql-hackers@postgresql.org" , "smilingsamay@gmail.com" References: <2f06a4aef1d5defe4b7aaec01478572e5557d32a.camel@vmware.com> <8a5a35b31c3f25f6b047e77def0445a60399981d.camel@vmware.com> <0e86fe7e3534fb05db02379fed404a2010eb1d62.camel@vmware.com> <4db7d3ea061f47a15fc6d865f53dd327ea2975fb.camel@vmware.com> From: Jacob Champion In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 11/24/22 00:20, mahendrakar s wrote: > I had validated Github by skipping the discovery mechanism and letting > the provider extension pass on the endpoints. This is just for > validation purposes. > If it needs to be supported, then need a way to send the discovery > document from extension. Yeah. I had originally bounced around the idea that we could send a data:// URL, but I think that opens up problems. You're supposed to be able to link the issuer URI with the URI you got the configuration from, and if they're different, you bail out. If a server makes up its own OpenID configuration, we'd have to bypass that safety check, and decide what the risks and mitigations are... Not sure it's worth it. Especially if you could just lobby GitHub to, say, provide an OpenID config. (Maybe there's a security-related reason they don't.) --Jacob