| From: | Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com> |
|---|---|
| To: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
| Cc: | PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, Shlok Kyal <shlok(dot)kyal(dot)oss(at)gmail(dot)com>, mahendrakar s <mahendrakarforpg(at)gmail(dot)com>, Andrey Chudnovsky <achudnovskij(at)gmail(dot)com>, Thomas Munro <thomas(dot)munro(at)gmail(dot)com>, "hlinnaka(at)iki(dot)fi" <hlinnaka(at)iki(dot)fi>, "michael(at)paquier(dot)xyz" <michael(at)paquier(dot)xyz>, "smilingsamay(at)gmail(dot)com" <smilingsamay(at)gmail(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, Andrew Dunstan <andrew(at)dunslane(dot)net> |
| Subject: | Re: [PoC] Federated Authn/z with OAUTHBEARER |
| Date: | 2024-03-11 22:51:24 |
| Message-ID: | CAOYmi+kKNZCL7uz-LHyBggM+fEcf4285pFWwm7spkUb8irY7mQ@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Fri, Mar 1, 2024 at 9:46 AM Jacob Champion
<jacob(dot)champion(at)enterprisedb(dot)com> wrote:
> v19 gets us a bit closer by adding a missed import for Windows. I've
> also removed iddawc support, so the client patch is lighter.
v20 fixes a bunch more TODOs:
1) the client initial response is validated more closely
2) the server's invalid_token parameters are properly escaped into the
containing JSON (though, eventually, we probably want to just reject
invalid HBA settings instead of passing them through to the client)
3) Windows-specific responses have been recorded in the test suite
While poking at item 2, I was reminded that there's an alternative way
to get OAuth parameters from the server, and it's subtly incompatible
with the OpenID spec because OpenID didn't follow the rules for
.well-known URI construction [1]. :( Some sort of knob will be
required to switch the behaviors.
I renamed the API for the validator module from res->authenticated to
res->authorized. Authentication is optional, but a validator *must*
check that the client it's talking to was authorized by the user to
access the server, whether or not the user is authenticated. (It may
additionally verify that the user is authorized to access the
database, or it may simply authenticate the user and defer to the
usermap.) Documenting that particular subtlety is going to be
interesting...
The tests now exercise different issuers for different users, which
will also be a good way to signal the server to respond in different
ways during the validator tests. It does raise the question: if a
third party provides an issuer-specific module, how do we switch
between that and some other module for a different user?
Andrew asked over at [2] if we could perhaps get 0001 in as well. I
think the main thing to figure out there is, is requiring linkage
against libpq (see 0008) going to be okay for the frontend binaries
that need JSON support? Or do we need to do something like moving
PQExpBuffer into src/common to simplify the dependency tree?
--Jacob
[1] https://www.rfc-editor.org/rfc/rfc8414.html#section-5
[2] https://www.postgresql.org/message-id/682c8fff-355c-a04f-57ac-81055c4ccda8%40dunslane.net
| Attachment | Content-Type | Size |
|---|---|---|
| since-v19.diff.txt | text/plain | 35.3 KB |
| v20-0003-Explicitly-require-password-for-SCRAM-exchange.patch | application/octet-stream | 3.2 KB |
| v20-0002-Refactor-SASL-exchange-to-return-tri-state-statu.patch | application/octet-stream | 9.9 KB |
| v20-0005-backend-add-OAUTHBEARER-SASL-mechanism.patch | application/octet-stream | 41.7 KB |
| v20-0001-common-jsonapi-support-FRONTEND-clients.patch | application/octet-stream | 20.4 KB |
| v20-0004-libpq-add-OAUTHBEARER-SASL-mechanism.patch | application/octet-stream | 106.3 KB |
| v20-0006-Introduce-OAuth-validator-libraries.patch | application/octet-stream | 34.0 KB |
| v20-0007-Add-pytest-suite-for-OAuth.patch | application/octet-stream | 176.9 KB |
| v20-0009-WIP-Python-OAuth-provider-implementation.patch | application/octet-stream | 10.8 KB |
| v20-0008-XXX-temporary-patches-to-build-and-test.patch | application/octet-stream | 3.8 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Michael Paquier | 2024-03-11 23:20:24 | Re: Infinite loop in XLogPageRead() on standby |
| Previous Message | Heikki Linnakangas | 2024-03-11 22:38:45 | Re: Combine Prune and Freeze records emitted by vacuum |