Re: [PoC] Federated Authn/z with OAUTHBEARER - Mailing list pgsql-hackers
From: Stephen Frost
Subject: Re: [PoC] Federated Authn/z with OAUTHBEARER
Msg-id: Y/P1uITaEcLGGB0Z@tamriel.snowman.net
In response to: Re: [PoC] Federated Authn/z with OAUTHBEARER (mahendrakar s <mahendrakarforpg@gmail.com>)
Responses: Re: [PoC] Federated Authn/z with OAUTHBEARER
List: pgsql-hackers
Greetings,

* mahendrakar s (mahendrakarforpg@gmail.com) wrote:
> The "issuer" field has been removed to align with the RFC
> implementation - https://www.rfc-editor.org/rfc/rfc7628.
> This patch "v6" is a single patch to support the OAUTH BEARER token
> through psql connection string.
> Below flow is supported. Added the documentation in the commit messages.
>
> +-----------------------+                                +----------+
> |             +-------+ |                                | Postgres |
> | PQconnect ->|       | |                                |          |
> |             |       | |                                |    +-----------+
> |             |       | ---------- Empty Token---------> |    |           |
> |             | libpq | <-- Error(Discovery + Scope ) -- | <  | Pre-Auth  |
> |    +------+ |       | |                                |    |   Hook    |
> | +-<| Hook | |       | |                                |    +-----------+
> | |  +------+ |       | |                                |          |
> | v           |       | |                                |          |
> | [get token] |       | |                                |          |
> | |           |       | |                                |          |
> | +           |       | |                                |    +-----------+
> | PQconnect > |       | --------- Access Token --------> |    | Validator |
> |             |       | <---------- Auth Result -------- | <  |   Hook    |
> |             |       | |                                |    +-----------+
> |             +-------+ |                                |          |
> +-----------------------+                                +----------+
>
> Please note that we are working on modifying/adding new tests (from
> Jacob's Patch) with the latest changes. Will add a patch with tests
> soon.

Having skimmed back through this thread again, I still feel that the
direction that was originally being taken (actually support something in
libpq and the backend, be it with libiddawc or something else or even our
own code, and not just throw hooks in various places) makes a lot more
sense and is a lot closer to how Kerberos and client-side certs and even
LDAP auth work today. That also seems like a much better answer for our
users when it comes to new authentication methods than having extensions
and making libpq developers have to write their own custom code, not to
mention that we'd still need to implement something in psql to provide
such a hook if we are to have psql actually usefully exercise this, no?

In the Kerberos test suite we have today, we actually bring up a proper
Kerberos server, set things up, and then test end-to-end installing a
keytab for the server, getting a TGT, getting a service ticket, testing
authentication and encryption, etc. Looking around, it seems like the
equivalent would perhaps be to use Glewlwyd and libiddawc or libcurl and
our own code to really be able to test this and show that it works and
that we're doing it correctly, and to let us know if we break something.

Thanks,

Stephen
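The two-round exchange in the quoted diagram (empty token, server error carrying the discovery URL and scope, then a real access token presented to the validator) is the RFC 7628 OAUTHBEARER wire flow. The following Python is an added example written for this note; it is not code from the v6 patch, from libpq or from PostgreSQL. It encodes and parses the SASL client initial response and the JSON server error exactly as RFC 7628 sections 3.1, 3.2.2 and 3.2.3 specify; the scope, discovery URL, host/port, token lookup table and the stand-ins for the "[get token]" and "Validator Hook" steps are assumptions constructed for illustration, and the empty first round being put on the wire as "auth=Bearer " with an empty value is likewise an assumption about the PoC, which the mail does not state.

```python
"""RFC 7628 OAUTHBEARER exchange following the flow in the quoted diagram:
round 1 with an empty token elicits the server error carrying the discovery
URL and scope, round 2 presents the access token for validation.
Added example; not code from the patch or from PostgreSQL."""
import json

KVSEP = "\x01"
SCOPE = "openid"                                                        # assumed
DISCOVERY = "https://issuer.example/.well-known/openid-configuration"  # assumed
VALID_TOKENS = {"constructed-access-token": "alice"}                    # constructed


def build_client_initial_response(token, authzid=None, host=None, port=None):
    """client-resp = gs2-header kvsep *kvpair kvsep (RFC 7628 section 3.1)."""
    gs2 = "n," + (f"a={authzid}" if authzid else "") + ","
    pairs = []
    if host:
        pairs.append(f"host={host}")
    if port:
        pairs.append(f"port={port}")
    # The PoC's first round carries no token; "Bearer " with an empty value
    # is this example's assumption for how that looks on the wire.
    pairs.append(f"auth=Bearer {token}")
    return gs2 + KVSEP + "".join(p + KVSEP for p in pairs) + KVSEP


def parse_client_initial_response(msg):
    """Return (gs2_header, {key: value}); reject anything not well-formed."""
    if not msg.endswith(KVSEP * 2):
        raise ValueError("client response must end with two kvsep octets")
    header, _, body = msg.partition(KVSEP)
    if not (header.startswith("n,") and header.endswith(",")):
        raise ValueError("unsupported GS2 header")
    kv = {}
    for pair in body[:-1].split(KVSEP):   # drop the terminating kvsep, then split
        if not pair:
            continue
        key, sep, value = pair.partition("=")
        if not sep or key in kv:
            raise ValueError(f"malformed or duplicate kvpair: {pair!r}")
        kv[key] = value
    return header, kv


def server_error(status):
    """Server failure JSON (section 3.2.2); the "Pre-Auth Hook" side of the diagram."""
    return json.dumps({"status": status, "scope": SCOPE, "openid-configuration": DISCOVERY})


def server_handle(msg, validate):
    """Server side of one round: ("ok", principal) or ("error", json_challenge)."""
    try:
        _, kv = parse_client_initial_response(msg)
    except ValueError:
        return "error", server_error("invalid_request")
    scheme, _, token = kv.get("auth", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return "error", server_error("invalid_token")
    principal = validate(token)            # the "Validator Hook" side of the diagram
    if principal is None:
        return "error", server_error("invalid_token")
    return "ok", principal


def parse_server_error(challenge):
    err = json.loads(challenge)
    if "status" not in err:
        raise ValueError("server error without required status")
    return err


def validate_constructed(token):
    # Placeholder lookup; a real validator checks signature, issuer, audience and expiry.
    return VALID_TOKENS.get(token)


def obtain_token_stub(discovery_url, scope):
    # Stands in for libpq's "[get token]" step; a real client would run an OAuth
    # flow against the issuer named by discovery_url, requesting scope.
    return "constructed-access-token"


def run_flow(get_token=obtain_token_stub, validate=validate_constructed):
    """Drive both rounds of the diagram and return what each side learned."""
    host, port = "db.example.com", 5432    # assumed connection target
    # Round 1: empty token, expect the discovery error.
    status, payload = server_handle(build_client_initial_response("", host=host, port=port), validate)
    if status != "error":
        raise RuntimeError("an empty token must never authenticate")
    err = parse_server_error(payload)
    client_ack = KVSEP                     # client closes the failed round with a lone kvsep (section 3.2.3)
    # Round 2: fresh connection with the obtained token.
    token = get_token(err["openid-configuration"], err["scope"])
    status, result = server_handle(build_client_initial_response(token, host=host, port=port), validate)
    return {"discovery": err["openid-configuration"], "scope": err["scope"],
            "ack": client_ack, "principal": result if status == "ok" else None}


if __name__ == "__main__":
    print(run_flow())
```

The point worth checking against any real implementation of this flow is the failure path: after the JSON error the client must still send the single kvsep so the server can fail the exchange cleanly, and the server error should carry nothing beyond status, scope and the discovery URL, since it is sent to an unauthenticated peer.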