| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
| Cc: | Jacob Champion <pchampion(at)vmware(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: [PoC] Let libpq reject unexpected authentication requests |
| Date: | 2022-03-05 15:12:20 |
| Message-ID: | 4070201.1646493140@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Andrew Dunstan <andrew(at)dunslane(dot)net> writes:
> On 3/4/22 20:19, Tom Lane wrote:
>> Seems reasonable, but I bet that for very little more code you could
>> accept a comma-separated list of allowed methods; libpq already allows
>> comma-separated lists for some other connection options. That seems
>> like it'd be a useful increment of flexibility.
> Just about necessary I guess, since you can specify that a client cert
> is required in addition to some other auth method, so for such cases you
> might want something like "required_auth=cert,scram-sha-256"? Or do we
> need a way of specifying the combination?
I'd view the comma as strictly meaning OR, so that you might need some
notation like "required_auth=cert+scram-sha-256" if you want to demand
ANDed conditions. It might be better to handle TLS-specific
conditions orthogonally to the authentication exchange, though.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jeff Davis | 2022-03-05 17:06:14 | Re: Proposal: Support custom authentication methods using hooks |
| Previous Message | Andrew Dunstan | 2022-03-05 14:39:05 | Re: SQL/JSON: functions |