Improve OAuth discovery logging

From: Zsolt Parragi <zsolt(dot)parragi(at)percona(dot)com>
To: PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>
Subject: Improve OAuth discovery logging
Date: 2026-02-11 19:24:14
Message-ID: CAN4CZFPim7hUiyb7daNKQPSZ8CvQRBGkVhbvED7yZi8VktSn4Q@mail.gmail.com
Lists: pgsql-hackers

Hello

Currently when the client sends an empty OAuth token to request the
issuer URL, the server logs the attempt with

FATAL: OAuth bearer authentication failed for user

This is quite confusing, as this is an expected part of the OAuth
authentication flow and not an error at all; there's also a TODO
message saying that this needs improvement.

In practice this results in the server spamming the log with these
messages, which are difficult to separate from real (OAuth)
authentication failures.

This patch improves it by handling the situation properly in the
SASL/OAuth code, by introducing a new SASL authentication status,
PG_SASL_EXCHANGE_RESTART. The expectation is that authentication
mechanisms can set this if they request a restart of the
authentication flow. Restart currently requires starting with a new
connection, so this simply sets STATUS_EOF.

Not sure if this is the best way to handle it or not, but it seems the
cleanest to me, as the SASL code already had these return codes and
this way the patch doesn't introduce anything OAuth specific to the
logic.

Attachment Content-Type Size
0001-Improve-OAuth-discovery-logging.patch application/octet-stream 5.7 KB
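The status mapping described in the message, as an added stand-alone C model (not the attached patch and not PostgreSQL's own code): a SASL driver turns a mechanism's restart request into a quiet STATUS_EOF while still logging genuine failures. PG_SASL_EXCHANGE_RESTART comes from the message; the other status names, the STATUS_* values, the constructed token and the oauth_exchange/sasl_authenticate functions are assumptions of this model.

```c
#include <string.h>

/* Modelled after the server-side SASL status codes; RESTART is the new
 * status proposed in this thread.  The real enum also has a CONTINUE code
 * for multi-step exchanges, which this single-step model omits. */
typedef enum {
    PG_SASL_EXCHANGE_SUCCESS,
    PG_SASL_EXCHANGE_FAILURE,
    PG_SASL_EXCHANGE_RESTART   /* mechanism asks the client to reconnect and retry */
} sasl_status;

/* Stand-ins for the STATUS_* connection outcomes (assumed values). */
#define STATUS_OK     0
#define STATUS_ERROR (-1)
#define STATUS_EOF   (-2)

/* Constructed "valid" token so the model can tell success from failure. */
static const char *VALID_TOKEN = "constructed-valid-token";

/* How many "OAuth bearer authentication failed" log lines would be emitted. */
static int auth_failed_log_lines = 0;

/* OAUTHBEARER step: an empty token is the issuer-discovery request
 * (client wants the issuer URL), not a failed login. */
static sasl_status oauth_exchange(const char *token)
{
    if (token == NULL || token[0] == '\0')
        return PG_SASL_EXCHANGE_RESTART;
    if (strcmp(token, VALID_TOKEN) == 0)
        return PG_SASL_EXCHANGE_SUCCESS;
    return PG_SASL_EXCHANGE_FAILURE;
}

/* Generic SASL driver: maps the mechanism status onto a connection outcome
 * and only logs the FATAL line for a real authentication failure. */
int sasl_authenticate(const char *token)
{
    switch (oauth_exchange(token)) {
        case PG_SASL_EXCHANGE_SUCCESS:
            return STATUS_OK;
        case PG_SASL_EXCHANGE_RESTART:
            /* Restart needs a new connection: close quietly, no failure log. */
            return STATUS_EOF;
        case PG_SASL_EXCHANGE_FAILURE:
        default:
            auth_failed_log_lines++;   /* "FATAL: OAuth bearer authentication failed" */
            return STATUS_ERROR;
    }
}

int failed_log_count(void) { return auth_failed_log_lines; }
```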
