From 475fc04a7b9d3d388c089126a95686c867b0768e Mon Sep 17 00:00:00 2001 From: "Chao Li (Evan)" Date: Thu, 4 Jun 2026 19:23:59 +0800 Subject: [PATCH v2] doc: clarify OAuth validator authn_id logging on auth failure OAuth validators can return an authenticated identity in ValidatorModuleResult.authn_id. The server records this value before checking whether the connection is authorized, so it may appear in connection-authentication logs even when the connection is later rejected. Also remove outdated wording saying that all result parameters are ignored when a validator returns false. Validators may still provide error_detail for both validation failures and internal errors, as described in the following paragraph. Author: Chao Li Reported-by: Daniel Gustafsson Discussion: https://postgr.es/m/0281836A-F5FF-41A5-9EE1-656C1FAAC6B2@gmail.com --- doc/src/sgml/oauth-validators.sgml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/doc/src/sgml/oauth-validators.sgml b/doc/src/sgml/oauth-validators.sgml index 8aad470a464..245f3ebb95e 100644 --- a/doc/src/sgml/oauth-validators.sgml +++ b/doc/src/sgml/oauth-validators.sgml 
@@ -395,13 +395,18 @@ typedef struct ValidatorModuleResult token) shall be palloc'd and returned in the result->authn_id field. Alternatively, result->authn_id may be set to NULL if the token is valid but the associated user identity cannot be - determined. + determined. If the validator returns true and + result->authn_id is set, the server records it + before checking whether the connection is authorized, so it may appear in + the server log when includes + authentication, even when the connection is later + rejected. A validator may return false to signal an internal error, - in which case any result parameters are ignored and the connection fails. - Otherwise the validator should return true to indicate - that it has processed the token and made an authorization decision. + in which case the connection fails. Otherwise the validator should return + true to indicate that it has processed the token and made + an authorization decision. In either failure case (validation error or internal error) the module may -- 2.50.1 (Apple Git-155)
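Review bot: In the second paragraph, removing "in which case any result parameters are ignored" leaves the false-return case without any statement about result->authn_id, while the new sentence in the first paragraph covers only the case where the validator returns true. Please say explicitly what happens to authn_id when the validator returns false (recorded or discarded), and note that error_detail is still honored, so a module author knows whether an identity set before an internal error can reach the server log. In the added sentence itself, "in the server log when includes authentication" has no subject as it appears here; check that the setting name is present in the built documentation. Since the value can be logged for connections that are later rejected, a short note to validator authors that authn_id should carry only the identity they are prepared to see in the log would make the consequence actionable.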