Re: OAuth client code doesn't work with Google OAuth

From: Daniel Gustafsson <daniel(at)yesql(dot)se>
To: Zsolt Parragi <zsolt(dot)parragi(at)percona(dot)com>
Cc: PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: OAuth client code doesn't work with Google OAuth
Date: 2025-09-08 09:11:20
Message-ID: 35D9BDA6-E3B8-471F-9764-51F72822BDB5@yesql.se

> On 7 Sep 2025, at 21:02, Zsolt Parragi <zsolt(dot)parragi(at)percona(dot)com> wrote:

> * The device code request only includes the OAuth Client ID in the
> request body if the user doesn't specify a client secret (if the
> secret is specified, the client ID is only sent as part of the basic
> auth header), but Google OAuth always expects it in the body

AFAICT adding this would not violate the RFC but it is "NOT RECOMMENDED".
There is also this comment a few lines up from your change which makes it
problematic.

* client_id is not added to the request body in this case. Not only
* would it be redundant, but some providers in the wild (e.g. Okta)
* refuse to accept it.

We clearly want to be able to support Google as an OAuth provider, but it seems
we need to operate in different modes here?

> * The wait loop for the authorization only expects HTTP 400 and 401,
> but the Google endpoint responds with HTTP 428 (Precondition required)

It doesn't seem in line with the specification; which error are they sending
428 for? Do they use 401 for invalid_client?

--
Daniel Gustafsson
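The two points raised above (where client_id travels in the device authorization request, and which HTTP statuses the polling loop accepts) can be made concrete with a small offline model of the client side. The following is an added example written for this page; it is not libpq's OAuth code and not anything from the thread. The names `DeviceClient`, `client_id_in_body`, `classify_poll_response`, `strict_status` and `run_poll_loop` are hypothetical, the sample responses are constructed, and the 428 sample assumes the error body still carries a standard RFC 8628 error code, which the thread leaves open.

```python
import base64
import json
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple
from urllib.parse import quote, urlencode


@dataclass
class DeviceClient:
    """Hypothetical client model; not libpq's implementation."""
    client_id: str
    client_secret: Optional[str] = None
    # Hypothetical provider-mode knob: also put client_id in the body when Basic
    # auth is used. The thread reports Google expects this and Okta rejects it.
    client_id_in_body: bool = False

    def device_request(self, scope: str) -> Tuple[dict, str]:
        """Headers and form body for the device authorization request (RFC 8628 s3.1)."""
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        params = {"scope": scope}
        if self.client_secret is None:
            # Public client: client_id is required in the body (RFC 8628 s3.1).
            params["client_id"] = self.client_id
        else:
            # Confidential client: HTTP Basic (RFC 6749 s2.3.1); id and secret are
            # form-urlencoded before being joined and base64-encoded.
            cred = f"{quote(self.client_id, safe='')}:{quote(self.client_secret, safe='')}"
            headers["Authorization"] = "Basic " + base64.b64encode(cred.encode()).decode()
            if self.client_id_in_body:
                params["client_id"] = self.client_id  # RFC 6749 calls this NOT RECOMMENDED
        return headers, urlencode(params)


# Polling error codes from RFC 8628 s3.5; anything else (e.g. invalid_client) stops the loop.
POLL_ACTIONS = {
    "authorization_pending": "wait",
    "slow_down": "slow_down",
    "access_denied": "stop",
    "expired_token": "stop",
}
EXPECTED_ERROR_STATUSES = {400, 401}  # RFC 6749 s5.2: 400, or 401 for invalid_client


def classify_poll_response(status: int, body: str, strict_status: bool = True) -> Tuple[str, str]:
    """Decide the next step from one token-endpoint polling response.

    Returns (action, detail) with action in {"done", "wait", "slow_down", "stop"}.
    strict_status=True only honours error bodies on 400/401 (the behaviour the
    thread describes); False trusts a well-formed OAuth error body on any status.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return "stop", f"non-JSON response with status {status}"
    if status == 200 and "access_token" in data:
        return "done", data["access_token"]
    error = data.get("error")
    if not isinstance(error, str):
        return "stop", f"status {status} without an OAuth error code"
    if strict_status and status not in EXPECTED_ERROR_STATUSES:
        return "stop", f"unexpected status {status} for error {error}"
    return POLL_ACTIONS.get(error, "stop"), error


def run_poll_loop(responses: Iterable[Tuple[int, str]], interval: int = 5,
                  strict_status: bool = True) -> Tuple[str, str, int]:
    """Drive the wait loop over in-memory (status, body) responses instead of HTTP.

    Returns (outcome, detail, final_interval); outcome is "token" or "error".
    """
    for status, body in responses:
        action, detail = classify_poll_response(status, body, strict_status)
        if action == "done":
            return "token", detail, interval
        if action == "stop":
            return "error", detail, interval
        if action == "slow_down":
            interval += 5  # RFC 8628 s3.5: back off by 5 seconds on slow_down
        # "wait": a real client sleeps `interval` seconds here before polling again
    return "error", "responses exhausted", interval


# Constructed sample responses; not captured from any real provider.
SAMPLE_RESPONSES = [
    (400, '{"error": "authorization_pending"}'),
    (400, '{"error": "slow_down"}'),
    (400, '{"error": "authorization_pending"}'),
    (200, '{"access_token": "tok-example", "token_type": "Bearer"}'),
]

if __name__ == "__main__":
    print(DeviceClient("my-client", "s3cret", client_id_in_body=True).device_request("openid"))
    print(run_poll_loop(SAMPLE_RESPONSES))
    print(classify_poll_response(428, '{"error": "authorization_pending"}', strict_status=False))
```

The `strict_status` switch isolates the design question in the reply: a status-code whitelist rejects a 428 outright, while trusting the error body lets a provider that deviates from RFC 6749's status codes keep working, at the cost of accepting error bodies on statuses the specification never defines.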
