Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nNP0W-0007Bd-KC for pgsql-hackers@arkaria.postgresql.org; Fri, 25 Feb 2022 01:02:52 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1nNP0V-0006kT-7g for pgsql-hackers@arkaria.postgresql.org; Fri, 25 Feb 2022 01:02:51 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nNP0U-0006kJ-SJ for pgsql-hackers@lists.postgresql.org; Fri, 25 Feb 2022 01:02:50 +0000 Received: from mail-pj1-x1035.google.com ([2607:f8b0:4864:20::1035]) by makus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1nNP0S-0005Sl-Je for pgsql-hackers@lists.postgresql.org; Fri, 25 Feb 2022 01:02:49 +0000 Received: by mail-pj1-x1035.google.com with SMTP id bx9-20020a17090af48900b001bc64ee7d3cso3426099pjb.4 for ; Thu, 24 Feb 2022 17:02:48 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=j-davis-com.20210112.gappssmtp.com; s=20210112; h=message-id:subject:from:to:date:in-reply-to:references:mime-version :content-transfer-encoding; bh=FPygGtR27jPNU4u9zsHtKNUHBkuqaN5DBjaS0afVqQo=; b=INZEoADULsUesUj25IfUQOGXbFYAIwfFjr6XQadbkyH5v3wZY2C6HNEYL2Jxi/bztn /rsP9kphmSxk+F702GaYfGGaB+bEGfw2+wNTciysQZCmZZWoZuISueb5B6HhP2IJq7BA WyKrJvMxEWsAXhQ6MnXxvQTn78Oqn+4Rf9gOeGBK+b/GQ44Y3vr7XeuYuIkRMqEridm4 9mqdEzIltlHa6msKcBOP4U0CXmcF62Cb0+DlGiB9Fts6EzaLUAgU7dMndWSMc+DjAJCA N1cXzQML8q+th+ZZArURtIvz02QlR4QmBQp4mSzVQ/XsdKPIV1JLRx+SccTIoJrsD76Y s0+A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:subject:from:to:date:in-reply-to :references:mime-version:content-transfer-encoding; bh=FPygGtR27jPNU4u9zsHtKNUHBkuqaN5DBjaS0afVqQo=; b=Q6isIl/mKLIt+QYwVio2EFdtkNfCy7P9+a/X4ryvQWTmXy5OedE7ouH8H1VtCxn9/o 1y0H3Zv+6EsIrS0ub5ejLgS1WzIIo0wQEP7LUJgfIBAh1IyxtU1NgwbwH3y+kNJ7uddM r/hHzEQR63mQDY3jWcCgT1n3ISyl766DXA6WMorlo2Jr7aBD0Ijd+bDMQ8TqwdhXmxtu HwImFinJ2TckGBRKm7wWN2wGu1JvLuT4WbznOFiQDQUpBtyuqIJASYjeiKrjXE8KWAZg UPFvvs8Y0kCX0so8NIsUlft78oA1O7omxttgx7RoY43CFo6bJ8qS+a/h7t6j7oFzhoEl Hp3A== X-Gm-Message-State: AOAM533I8okYLnq2RhQpaFqKfIfjI2uUrsXK/NE7zFvSMWlEXzV2ew0L x/XstxwZwPr38PpMgz16CC7FLw== X-Google-Smtp-Source: ABdhPJzviB5uTFvB4DfLBXo+1QXnymbgGBeCdiy1EbE8PWnz4icYwQ/ffRyxqM6v7FdNhqJNs9I4mQ== X-Received: by 2002:a17:90a:9517:b0:1bc:81ef:79cd with SMTP id t23-20020a17090a951700b001bc81ef79cdmr723386pjo.164.1645750967543; Thu, 24 Feb 2022 17:02:47 -0800 (PST) Received: from jdavis.lan (c-73-231-146-4.hsd1.ca.comcast.net. [73.231.146.4]) by smtp.gmail.com with ESMTPSA id rm8-20020a17090b3ec800b001bb82a67816sm483653pjb.52.2022.02.24.17.02.46 (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256); Thu, 24 Feb 2022 17:02:46 -0800 (PST) Message-ID: Subject: Re: Proposal: Support custom authentication methods using hooks From: Jeff Davis To: samay sharma , pgsql-hackers@lists.postgresql.org Date: Thu, 24 Feb 2022 17:02:45 -0800 In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.28.5-0ubuntu0.18.04.2 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Thu, 2022-02-17 at 11:25 -0800, samay sharma wrote: > To enable this, I've proposed adding a new authentication method > "custom" which can be specified in pg_hba.conf and takes a mandatory > argument "provider" specifying which authentication provider to use. > I've also moved a couple static functions to headers so that > extensions can call them. > > Sample pg_hba.conf line to use a custom provider: > > host all all ::1/128 > custom provider=test One caveat is that this only works given information available from existing authentication methods, because that's all the client supports. In practice, it seems to only be useful with plaintext password authentication over an SSL connection. I still like the approach though. There's a lot of useful stuff you can do at authentication time with only the connection information and a password. It could be useful to authenticate against different services, or some kind of attack detection, etc. Regards, Jeff Davis