| From: | Jacob Champion <jchampion(at)postgresql(dot)org> |
|---|---|
| To: | pgsql-committers(at)lists(dot)postgresql(dot)org |
| Subject: | pgsql: oauth: Let validators provide failure DETAILs |
| Date: | 2026-04-03 23:25:58 |
| Message-ID: | E1w8ntl-002pEV-1k@gemulon.postgresql.org |
| Lists: | pgsql-committers |

oauth: Let validators provide failure DETAILs

At the moment, the only way for a validator module to report error
details on failure is to log them separately before returning from
validate_cb. Independently of that problem, the ereport() calls that we
make during validation failure partially duplicate some of the work of
auth_failed().

The end result is overly verbose and confusing for readers of the logs:

    [768233] LOG: [my_validator] bad signature in bearer token
    [768233] LOG: OAuth bearer authentication failed for user "jacob"
    [768233] DETAIL: Validator failed to authorize the provided token.
    [768233] FATAL: OAuth bearer authentication failed for user "jacob"
    [768233] DETAIL: Connection matched file ".../pg_hba.conf" line ...

Solve both problems by making use of the existing logdetail pointer
that's provided by ClientAuthentication. Validator modules may set
ValidatorModuleResult->error_detail to override our default generic
message.

The end result looks something like

    [242284] FATAL: OAuth bearer authentication failed for user "jacob"
    [242284] DETAIL: [my_validator] bad signature in bearer token
        Connection matched file ".../pg_hba.conf" line ...

Reported-by: Álvaro Herrera <alvherre(at)kurilemu(dot)de>
Reported-by: Zsolt Parragi <zsolt(dot)parragi(at)percona(dot)com>
Reviewed-by: Chao Li <li(dot)evan(dot)chao(at)gmail(dot)com>
Reviewed-by: Daniel Gustafsson <daniel(at)yesql(dot)se>
Reviewed-by: Zsolt Parragi <zsolt(dot)parragi(at)percona(dot)com>
Discussion: https://postgr.es/m/202601241015.y5uvxd7oxnfs%40alvherre.pgsql

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/d438a36591c58f60e0748b341855ec5519e1e3b4

Modified Files
--------------
doc/src/sgml/oauth-validators.sgml               | 23 ++++++++++++--
src/backend/libpq/auth-oauth.c                   | 24 +++++++-------
src/backend/libpq/auth.c                         |  2 +-
src/include/libpq/oauth.h                        | 14 +++++++++
src/test/modules/oauth_validator/t/001_server.pl | 40 +++++++++++++++++++++++-
src/test/modules/oauth_validator/validator.c     | 29 +++++++++++++++++
6 files changed, 116 insertions(+), 16 deletions(-)
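
For log monitoring, the change described above moves the validator's reason from a separate LOG line into the DETAIL of the FATAL entry. The following Python parser is an added example, not part of the commit or of PostgreSQL; it extracts the failure reason from both layouts, using the commit message's two samples as input. It assumes a `[pid] ` log_line_prefix, that the second DETAIL line arrives without a prefix, and (as a heuristic) that in the old layout the last LOG line from the same backend is the validator's.

```python
import re

# Assumption: log_line_prefix renders as "[pid] ", as in the commit message's samples.
LINE = re.compile(r"^\[(\d+)\] (LOG|DETAIL|FATAL): (.*)$")
FAILED = re.compile(r'^OAuth bearer authentication failed for user "([^"]*)"$')
GENERIC = "Validator failed to authorize the provided token."

# Sample input: the two log excerpts quoted in the commit message.
OLD_STYLE = '''[768233] LOG: [my_validator] bad signature in bearer token
[768233] LOG: OAuth bearer authentication failed for user "jacob"
[768233] DETAIL: Validator failed to authorize the provided token.
[768233] FATAL: OAuth bearer authentication failed for user "jacob"
[768233] DETAIL: Connection matched file ".../pg_hba.conf" line ...'''.splitlines()

NEW_STYLE = '''[242284] FATAL: OAuth bearer authentication failed for user "jacob"
[242284] DETAIL: [my_validator] bad signature in bearer token
    Connection matched file ".../pg_hba.conf" line ...'''.splitlines()

def oauth_failures(lines):
    """Return one dict per FATAL OAuth failure: pid, user, reason, hba."""
    events, pending, open_evt, last_pid = [], {}, {}, None
    for raw in lines:
        text = raw.strip()
        if not text:
            continue
        m = LINE.match(text)
        if m:
            pid, level, msg = m.groups()
            last_pid = pid
        elif last_pid in open_evt:
            # Unprefixed line: continuation of that backend's DETAIL.
            pid, level, msg = last_pid, "DETAIL", text
        else:
            continue
        failed = FAILED.match(msg)
        if level == "LOG":
            open_evt.pop(pid, None)
            if not failed:
                pending[pid] = msg  # old layout: validator's own LOG line (heuristic)
        elif level == "FATAL" and failed:
            evt = {"pid": pid, "user": failed.group(1),
                   "reason": pending.pop(pid, None), "hba": None}
            open_evt[pid] = evt
            events.append(evt)
        elif level == "DETAIL" and pid in open_evt:
            if msg.startswith("Connection matched file"):
                open_evt[pid]["hba"] = msg
            elif msg != GENERIC:
                open_evt[pid]["reason"] = msg  # new layout: validator's detail
    return events
```

Both layouts yield one event per failed login with the same `reason`, so an alerting rule keyed on the validator's message keeps working across the upgrade.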