Re: Make PGOAUTHCAFILE in libpq-oauth work out of debug mode

From: "Jonathan Gonzalez V(dot)" <jonathan(dot)abdiel(at)gmail(dot)com>
To: Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>
Cc: Zsolt Parragi <zsolt(dot)parragi(at)percona(dot)com>, Daniel Gustafsson <daniel(at)yesql(dot)se>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Make PGOAUTHCAFILE in libpq-oauth work out of debug mode
Date: 2026-01-06 08:40:20
Message-ID: 711e10411f81a2f554fec97b340b60abf5331c9a.camel@gmail.com
Lists: pgsql-hackers

Hi!

On Mon, 2026-01-05 at 10:37 -0800, Jacob Champion wrote:
>
> See https://wiki.postgresql.org/wiki/Category:OAuth_Working_Group for
> a current list of tagged [oauth] proposals. Or is that not what
> you're asking about?

Not specifically, but that will work more than fine for sure! Thank
you!

>
> Right, and I'm not. I guess that's the main disconnect here: I'm only
> talking about enabling and disabling the features exposed by
> PGOAUTHDEBUG. I don't think a debug level helps with that, which is
> why I proposed a bitmap.
>
> But that's a feature for a different thread name. I think we should
> continue this one by adding an oauth_ca_file connection parameter and
> documentation, including the default behavior (which defers to Curl).
>
>

Ok, promoting this to something external to the debug makes a lot of
sense to me, that will help a lot to increase the possible usage of
this parameter.

I will for sure still allow an environment variable too, like OAUTH_CA
or OAUTH_CA_FILE, just because environment variables for these
parameters are widely used, just like curl[1] has cacert_file and
support for CURL_CA_BUNDLE; both options make sure that users may not
be limited.

I already worked on a patch (before this one) to add an option to pass
the CA, but I discarded that because I didn't think it was going to be
accepted. I can rework that with all the ideas, but what do you think
about creating a wiki page with all the ideas to manage the
certificates? Probably the CA will also require adding some skip or
insecure options, full bundles and how to build them, etc.

Regards!

[1] https://curl.se/docs/sslcerts.html
--
Jonathan Gonzalez V. <jonathan(dot)abdiel(at)gmail(dot)com>
EnterpriseDB
