Re: [JDBC] Channel binding support for SCRAM-SHA-256

From: Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>
To: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Álvaro Hernández Tortosa <aht(at)8kdata(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [JDBC] Channel binding support for SCRAM-SHA-256
Date: 2017-09-12 14:38:12
Message-ID: 93ad98a7-5f0c-3153-6015-9376326c5cb7@2ndquadrant.com
Lists: pgsql-hackers pgsql-jdbc

On 9/10/17 22:37, Michael Paquier wrote:
> On Mon, Aug 21, 2017 at 9:51 PM, Michael Paquier
> <michael(dot)paquier(at)gmail(dot)com> wrote:
>> On Tue, Jun 20, 2017 at 1:11 PM, Michael Paquier
>> <michael(dot)paquier(at)gmail(dot)com> wrote:
>>> With the tests directly in the patch, things are easy to run. With
>>> PG10 stabilization work, of course I don't expect much feedback :)
>>> But this set of patches looks like the direction we want to go so as
>>> JDBC and libpq users can take advantage of channel binding with SCRAM.
>>
>> Attached is a new patch set, rebased as of c6293249.
>
> And again a new set to fix the rotten bits caused by 85f4d63.

It seems we should start by sorting out the mechanism by which the
client can control what authentication mechanisms it accepts. In your
patch set you introduce a connection parameter saslname. I think we
should expand that to non-SASL mechanisms and have it be some kind of
whitelist or blacklist. It might be reasonable for a client to require
"gssapi" or "cert" for example or do an exclusion like "!password !md5
!ldap".

Thoughts?

--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
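
A sketch of the client-side check such a list would drive, added here as an example; it is not code from the patch set or from libpq. The function name `auth_method_allowed`, the space-separated syntax, and the handling of empty or mixed lists are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical check, not libpq code.  "policy" is a space-separated
 * list: plain names form an allowlist ("gssapi cert"), names prefixed
 * with '!' form a denylist ("!password !md5 !ldap").
 * Assumed semantics: an empty policy accepts anything; mixing the two
 * forms is rejected as ambiguous.
 * Returns 1 = proceed, 0 = refuse the server's request, -1 = bad policy.
 */
int auth_method_allowed(const char *policy, const char *method)
{
    int npos = 0, nneg = 0, hit_pos = 0, hit_neg = 0;
    const char *p = policy ? policy : "";

    while (*p) {
        size_t len;
        int neg = 0;

        p += strspn(p, " \t");              /* skip separators */
        if (!*p)
            break;
        if (*p == '!') { neg = 1; p++; }
        len = strcspn(p, " \t");
        if (len == 0)
            return -1;                      /* lone "!" with no name */
        if (neg) nneg++; else npos++;
        /* exact match only, so "md" does not match "md5" */
        if (strlen(method) == len && strncmp(p, method, len) == 0) {
            if (neg) hit_neg = 1; else hit_pos = 1;
        }
        p += len;
    }
    if (npos && nneg)
        return -1;                          /* allow and deny entries mixed */
    if (npos)
        return hit_pos;                     /* allowlist: must be named */
    if (nneg)
        return !hit_neg;                    /* denylist: must not be named */
    return 1;                               /* no policy: accept anything */
}

int main(void)
{
    /* Constructed sample: server requests md5, client excludes it. */
    printf("%d\n", auth_method_allowed("!password !md5 !ldap", "md5"));
    return 0;
}
```

The check has to run when the server's authentication request arrives and before the client sends any credential material, otherwise an excluded method such as "password" has already leaked the secret by the time it is refused.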
