Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1oxw0A-0002LO-DJ for pgsql-hackers@arkaria.postgresql.org; Wed, 23 Nov 2022 20:05:46 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1oxw09-0005jf-7i for pgsql-hackers@arkaria.postgresql.org; Wed, 23 Nov 2022 20:05:45 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1oxw08-0005jV-Og for pgsql-hackers@lists.postgresql.org; Wed, 23 Nov 2022 20:05:44 +0000 Received: from mail-pf1-x430.google.com ([2607:f8b0:4864:20::430]) by makus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1oxw03-0000DN-Tq for pgsql-hackers@postgresql.org; Wed, 23 Nov 2022 20:05:43 +0000 Received: by mail-pf1-x430.google.com with SMTP id w79so537149pfc.2 for ; Wed, 23 Nov 2022 12:05:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=timescale.com; s=google; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=xcaYQR0DOCM+IX821f64zEQ44EAE28YIb5t6gBBHfLM=; b=Nldbrftye8R2ojVdwYehqe+FwjgdwSRL94AXWwNxSUoq+qSeJ397O/CUN4MFUwg+yp iiFGv6OnkJcDoIgct7Ib94Td6WmvsFJo61D4j194dk+RIwkXQUC1kRo0iqctp3KZ6hPH 1nOjIpLxVdxZcRrs/0M5sXaAOG9iQJKisW4V3DeWm25XrNPd7Z2eHJBy9WW0X+9rhRqs th5wOTiNcYVu7/6Ozj4hOUkdjo/knDb7IGUffg5VJAYInM7tdQXzrkNn1iappa50lq5M EYJ4ipRbCZYhF3G2Hn6hf8z5UJHMbNf3w4l44jVRg3b5JSqIDyI3dQuv+wfXYdGpkE/z U1zw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=xcaYQR0DOCM+IX821f64zEQ44EAE28YIb5t6gBBHfLM=; b=gZFQQrx5lKz7GBxgMtT113l/VxFhhMVrfSZvUH4beztVRbk3MR4RCioAR0BzyO6baA ApLuEBdJyxnd5eacGzbTfzrTb10h40+CeRb2cSaPfilK2eLUieM7/y+m9S+LMQAJpOLx fTcI7ZMJ0BtoH+MzkbxLlxFa2LJC9pTNUp/3ldpSt6CYCPlZklNIZepzj7ly6/zFZSLv XLvL8j6+KzFPXt8ntqo/iuLgeNsW1geJ+gX1FemqryZoZxWGVZ+vMP3VrNyn4E/M6xyF JLo9Oj7Hrh16PrtOc86CnO7W/drafJFT7utFb8xISdr2opMiP5KuTd0cvEMx/AvBtn5C phYw== X-Gm-Message-State: ANoB5pmBNj7OEURpuSSxuetzK7EXbMUKPBuQSSm6trGzyLF/hfD6cstH +mE/AGYtCtyfZ9dSgtOE37cbGw== X-Google-Smtp-Source: AA0mqf4HNff+CuuZEZLMEpHWvQ16K6dCZcZgV8dUGzOWcY/e7lH8TY7pvCKrc72OBfKaU6Ut/EbFLw== X-Received: by 2002:a62:cf81:0:b0:56b:add7:fe2f with SMTP id b123-20020a62cf81000000b0056badd7fe2fmr11729725pfg.51.1669233938740; Wed, 23 Nov 2022 12:05:38 -0800 (PST) Received: from [192.168.1.21] ([50.53.8.205]) by smtp.gmail.com with ESMTPSA id z6-20020aa79906000000b005613220346asm12944937pff.205.2022.11.23.12.05.37 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 23 Nov 2022 12:05:38 -0800 (PST) Message-ID: Date: Wed, 23 Nov 2022 12:05:37 -0800 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.4.2 Subject: Re: [PoC] Federated Authn/z with OAUTHBEARER To: mahendrakar s , Andrey Chudnovsky Cc: "hlinnaka@iki.fi" , "michael@paquier.xyz" , "pgsql-hackers@postgresql.org" , "smilingsamay@gmail.com" References: <2f06a4aef1d5defe4b7aaec01478572e5557d32a.camel@vmware.com> <8a5a35b31c3f25f6b047e77def0445a60399981d.camel@vmware.com> <0e86fe7e3534fb05db02379fed404a2010eb1d62.camel@vmware.com> <4db7d3ea061f47a15fc6d865f53dd327ea2975fb.camel@vmware.com> Content-Language: en-US From: Jacob Champion In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 11/23/22 01:58, mahendrakar s wrote: > We validated on  libpq handling OAuth natively with different flows > with different OIDC certified providers. > > Flows: Device Code, Client Credentials and Refresh Token. > Providers: Microsoft, Google and Okta. Great, thank you! > Also validated with OAuth provider Github. (How did you get discovery working? I tried this and had to give up eventually.) > We propose using OpenID Connect (OIDC) as the protocol, instead of > OAuth, as it is: > - Discovery mechanism to bridge the differences and provide metadata. > - Stricter protocol and certification process to reliably identify > which providers can be supported. > - OIDC is designed for authentication, while the main purpose of OAUTH is to > authorize applications on behalf of the user. How does this differ from the previous proposal? The OAUTHBEARER SASL mechanism already relies on OIDC for discovery. (I think that decision is confusing from an architectural and naming standpoint, but I don't think they really had an alternative...) > Github is not OIDC certified, so won’t be supported with this proposal. > However, it may be supported in the future through the ability for the > extension to provide custom discovery document content. Right. > OpenID configuration has a well-known discovery mechanism > for the provider configuration URI which is > defined in OpenID Connect. It allows libpq to fetch > metadata about provider (i.e endpoints, supported grants, response types, etc). Sure, but this is already how the original PoC works. The test suite implements an OIDC provider, for instance. Is there something different to this that I'm missing? > In the attached patch (based on V2 patch in the thread and does not > contain Samay's changes): > - Provider can configure issuer url and scope through the options hook.) > - Server passes on an open discovery url and scope to libpq. > - Libpq handles OAuth flow based on the flow_type sent in the > connection string [1]. > - Added callbacks to notify a structure to client tools if OAuth flow > requires user interaction. > - Pg backend uses hooks to validate bearer token. Thank you for the sample! > Note that authentication code flow with PKCE for GUI clients is not > implemented yet. > > Proposed next steps: > - Broaden discussion to reach agreement on the approach. High-level thoughts on this particular patch (I assume you're not looking for low-level implementation comments yet): 0) The original hook proposal upthread, I thought, was about allowing libpq's flow implementation to be switched out by the application. I don't see that approach taken here. It's fine if that turned out to be a bad idea, of course, but this patch doesn't seem to match what we were talking about. 1) I'm really concerned about the sudden explosion of flows. We went from one flow (Device Authorization) to six. It's going to be hard enough to validate that *one* flow is useful and can be securely deployed by end users; I don't think we're going to be able to maintain six, especially in combination with my statement that iddawc is not an appropriate dependency for us. I'd much rather give applications the ability to use their own OAuth code, and then maintain within libpq only the flows that are broadly useful. This ties back to (0) above. 2) Breaking the refresh token into its own pseudoflow is, I think, passing the buck onto the user for something that's incredibly security sensitive. The refresh token is powerful; I don't really want it to be printed anywhere, let alone copy-pasted by the user. Imagine the phishing opportunities. If we want to support refresh tokens, I believe we should be developing a plan to cache and secure them within the client. They should be used as an accelerator for other flows, not as their own flow. 3) I don't like the departure from the OAUTHBEARER mechanism that's presented here. For one, since I can't see a sample plugin that makes use of the "flow type" magic numbers that have been added, I don't really understand why the extension to the mechanism is necessary. For two, if we think OAUTHBEARER is insufficient, the people who wrote it would probably like to hear about it. Claiming support for a spec, and then implementing an extension without review from the people who wrote the spec, is not something I'm personally interested in doing. 4) The test suite is still broken, so it's difficult to see these things in practice for review purposes. > - Implement libpq changes without iddawc This in particular will be much easier with a functioning test suite, and with a smaller number of flows. > - Prototype GUI flow with pgAdmin Cool! Thanks, --Jacob