Re: Improve OAuth discovery logging

On Thu, Mar 5, 2026 at 12:11 PM Zsolt Parragi <zsolt(dot)parragi(at)percona(dot)com> wrote:
> Attached v6 with the problematic log expectation removed.

Okay, I was doing some final pre-commit review today and...
unfortunately, using STATUS_EOF like my "TODO" suggested breaks our de
facto SASL profile. The server hasn't completed its side of the
exchange until it sends either
[AuthenticationSASLFinal+]AuthenticationOk or ErrorResponse. Since
STATUS_EOF suppresses not only the log message but the entire
ereport(FATAL), we'll never send that last packet, so a more polite
client can't tell whether the server finished the exchange or just
crashed.

v6 doesn't fail any tests because of a shortcut I took in
PQconnectPoll() in libpq, which skips reading the final message from a
known-doomed OAuth discovery connection. But you can see it if you
apply the attached patch. (It's not a correct patch; it just shows the
problem.)

I'm experimenting with an ereport(FATAL_CLIENT_ONLY) option, in the
same vein as WARNING_CLIENT_ONLY, to try to cover this.

--Jacob

P.S. I would eventually like to record our undocumented SASL profile
in a test suite (he said, staring at pg-pytest)...