On Wed, Dec 17, 2025 at 1:28 AM Zsolt Parragi <zsolt.parragi@percona.com> wrote:
> Instead we decided to let everyone configure which claim they want to
> use for user mapping. But because of that, this is a GUC, and they can
> only configure it once per server.

We're getting closer; I agree that this needs to be more flexible than it is, and I'm on board with a change, but I'm still missing the "killer app". What's the case where a user has multiple HBA lines that all want to use unrelated claims for authentication to one Postgres cluster? Is this multi-tenancy, or...?
Beyond multitenancy, per-HBA OAuth cases where options are needed for safe provider migration [blue/green], per-database security policies, mixed human/machine authentication [JWT/introspection] and incident-response scenarios - all global GUCs are too coarse.
See also the old conversation regarding LDAP hba/ident [1]