Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1lu9u8-0006Lw-LY for pgsql-hackers@arkaria.postgresql.org; Fri, 18 Jun 2021 08:31:09 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1lu9u7-0000K5-Kp for pgsql-hackers@arkaria.postgresql.org; Fri, 18 Jun 2021 08:31:07 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1lu9u7-0000Jx-A1 for pgsql-hackers@lists.postgresql.org; Fri, 18 Jun 2021 08:31:07 +0000 Received: from meesny.iki.fi ([2001:67c:2b0:1c1::201]) by magus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1lu9u5-0004Z0-0f for pgsql-hackers@postgresql.org; Fri, 18 Jun 2021 08:31:06 +0000 Received: from [192.168.1.113] (dsl-hkibng22-54faa4-119.dhcp.inet.fi [84.250.164.119]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: hlinnaka) by meesny.iki.fi (Postfix) with ESMTPSA id 096DD20072; Fri, 18 Jun 2021 11:31:01 +0300 (EEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1624005061; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=L/B/m94YZ60enxcEUos2YnaVt8bc6QNalgr4eInpEUA=; b=PFlk6NUQaWRDYuSZ1hRLxoTxAv/wm5BKL9/LhBIuwClTdijjGCHhJcdZ7hujp8OPZgsyK1 RYRk4KTN4aUQ5DsbjSxf3msfaT9L+iIaFxCQLun1IJeVv1Ag8Fd0c8VqojHDnbQLXmbfR7 EyL1omPDWHCe3nAzkkxKKYI3CJ8ofUs= Subject: Re: [PoC] Federated Authn/z with OAUTHBEARER To: Jacob Champion , "pgsql-hackers@postgresql.org" References: From: Heikki Linnakangas Message-ID: Date: Fri, 18 Jun 2021 11:31:00 +0300 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.10.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=hlinnaka smtp.mailfrom=hlinnaka@iki.fi ARC-Seal: i=1; s=meesny; d=iki.fi; t=1624005061; a=rsa-sha256; cv=none; b=Od3hvhyq5e5Ib4npAY4sUfuXFdNEKaCJAdO6Ovkz3iSUt3eKBTilAA3jlc74Nhz6Q6n5pr FIPoYeW8FUOz6iH482Eyn90Qzqoj014dT0Hgiz/zvsdVLQo2ZBWqcXalxfkxomDRSDiyQ3 6QHe26BhzeDTe1qx7BEOC8anoRjFS3A= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1624005061; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=L/B/m94YZ60enxcEUos2YnaVt8bc6QNalgr4eInpEUA=; b=Rq9Rl8YjV3JYnUWoWTyWdmYnfGjb0U7c/f9Zy6YlXISjmRbXwo0JoUt0esczaLZH95Z2I9 VIvluOrMqRG8PCPEJz9LkfLAi12OKOD3H9md4D+L2Y0TiINyNvvomPs5t8iLr5ksNsUZd9 T0DKqwbhbET0CEy4vMregbcGXuD5y/8= List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 08/06/2021 19:37, Jacob Champion wrote: > We've been working on ways to expand the list of third-party auth > methods that Postgres provides. Some example use cases might be "I want > to let anyone with a Google account read this table" or "let anyone who > belongs to this GitHub organization connect as a superuser". Cool! > The iddawc dependency for client-side OAuth was extremely helpful to > develop this proof of concept quickly, but I don't think it would be an > appropriate component to build a real feature on. It's extremely > heavyweight -- it incorporates a huge stack of dependencies, including > a logging framework and a web server, to implement features we would > probably never use -- and it's fairly difficult to debug in practice. > If a device authorization flow were the only thing that libpq needed to > support natively, I think we should just depend on a widely used HTTP > client, like libcurl or neon, and implement the minimum spec directly > against the existing test suite. You could punt and let the application implement that stuff. I'm imagining that the application code would look something like this: conn = PQconnectStartParams(...); for (;;) { status = PQconnectPoll(conn) switch (status) { case CONNECTION_SASL_TOKEN_REQUIRED: /* open a browser for the user, get token */ token = open_browser() PQauthResponse(token); break; ... } } It would be nice to have a simple default implementation, though, for psql and all the other client applications that come with PostgreSQL itself. > If you've read this far, thank you for your interest, and I hope you > enjoy playing with it! A few small things caught my eye in the backend oauth_exchange function: > + /* Handle the client's initial message. */ > + p = strdup(input); this strdup() should be pstrdup(). In the same function, there are a bunch of reports like this: > ereport(ERROR, > + (errcode(ERRCODE_PROTOCOL_VIOLATION), > + errmsg("malformed OAUTHBEARER message"), > + errdetail("Comma expected, but found character \"%s\".", > + sanitize_char(*p)))); I don't think the double quotes are needed here, because sanitize_char will return quotes if it's a single character. So it would end up looking like this: ... found character "'x'". - Heikki