Re: [oauth] SASL mechanisms

2025-11-25 Thread Nico Williams
On Tue, Nov 25, 2025 at 09:19:29AM -0800, Jacob Champion wrote: > On Mon, Nov 24, 2025 at 10:54 AM Nico Williams wrote: > > OAuth comes with batteries not included, unlike Kerberos. > > Yes. :/ It's very sad and annoying. Management wants off Kerberos, but the amount of work to do for that is en

Re: [oauth] SASL mechanisms

2025-11-25 Thread Jacob Champion
On Mon, Nov 24, 2025 at 10:54 AM Nico Williams wrote: > OAuth comes with batteries not included, unlike Kerberos. Yes. :/ > > OAuth validators can also be Postgres extensions, so this is at least > > technically feasible to retrieve, though I'm not yet understanding why > > you need set_config()

Re: [oauth] SASL mechanisms

2025-11-24 Thread Nico Williams
On Mon, Nov 24, 2025 at 09:33:01AM -0800, Jacob Champion wrote: > On Fri, Nov 21, 2025 at 9:24 PM Nico Williams wrote: > > I've not looked in detail yet, but I got the impression that the user > > has to fetch the token on their own and provide it to the PG client -- > > if so that is monumentally

Re: [oauth] SASL mechanisms

2025-11-24 Thread Jacob Champion
On Fri, Nov 21, 2025 at 9:24 PM Nico Williams wrote: > I've not looked in detail yet, but I got the impression that the user > has to fetch the token on their own and provide it to the PG client -- > if so that is monumentally unfriendly by comparison to, e.g., Kerberos. You provide a client ID a

Re: [oauth] SASL mechanisms

2025-11-22 Thread Nico Williams
Also, we do have custom claims (we should publish a spec and register them at IANA...) for very coarse-grained authorization that amounts to an application-level firewall logic that lets us isolate workloads by type (think prod vs QA vs dev, but also other things). No OAuth library on the server s
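As an added illustration of the coarse-grained, claim-based workload isolation Nico describes above (example code written for this page, not code from the thread, from PostgreSQL, or from any poster), here is a small server-side validator that checks a bearer JWT's signature and standard claims and then refuses any token whose workload claim does not match the server's own workload type. The claim name `urn:example:workload`, the audience string, the shared HS256 secret, and the issuer are all constructed assumptions; a real deployment would use the provider's asymmetric keys and registered claim names.

```python
"""Constructed example: validate an OAuth bearer JWT on the server side and
enforce a custom workload-isolation claim (prod vs QA vs dev).

Assumptions (not from the thread): HS256-signed JWTs, a shared secret, the
audience "postgres://db.example.internal" and a custom claim named
"urn:example:workload". Standard library only, so it runs offline.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

WORKLOAD_CLAIM = "urn:example:workload"          # assumed custom claim name
EXPECTED_AUD = "postgres://db.example.internal"  # assumed audience
SHARED_SECRET = b"constructed-demo-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(sub: str, workload: str, secret: bytes = SHARED_SECRET,
               ttl: int = 300, now: Optional[int] = None) -> str:
    """Issue a compact HS256 JWT carrying the workload claim (stands in for the IdP)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": "https://issuer.example", "sub": sub, "aud": EXPECTED_AUD,
               "iat": now, "exp": now + ttl, WORKLOAD_CLAIM: workload}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token: str, server_workload: str, secret: bytes = SHARED_SECRET,
                   now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Signature and standard claims are checked first;
    the workload claim then decides whether this token may reach this server at
    all, independent of which user it names (the "application-level firewall")."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return False, "undecodable token"
    # Pin the algorithm server-side; never let the token choose it.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    if payload.get("aud") != EXPECTED_AUD:
        return False, "audience mismatch"
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return False, "expired"
    workload = payload.get(WORKLOAD_CLAIM)
    if workload is None:
        return False, "workload claim missing"
    if workload != server_workload:
        return False, f"workload {workload!r} not allowed on {server_workload!r} server"
    return True, f"accepted {payload['sub']}"


if __name__ == "__main__":
    tok = mint_token("alice", "prod")
    print(validate_token(tok, "prod"))  # accepted
    print(validate_token(tok, "qa"))    # rejected: prod token on a QA server
```

The ordering matters: the signature and `aud` checks come before the custom claim is even read, so an attacker cannot use a forged or mis-targeted token to probe which workload values the server accepts. In PostgreSQL's model this logic would live in the validator module, with the final accept/reject and the mapped identity handed back to the server.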

Re: [oauth] SASL mechanisms

2025-11-21 Thread Nico Williams
On Fri, Nov 21, 2025 at 03:46:12PM -0800, Jacob Champion wrote: > On Fri, Nov 21, 2025 at 3:15 PM Nico Williams wrote: > > For apps like PG I'm much more interested in real OAuth support. But > > that's because I use PG in a corporate environment where we use > > Kerberos, PKIX, and OAuth for aut

[oauth] SASL mechanisms

2025-11-21 Thread Jacob Champion
(shamelessly splitting this into its own thread, but also to avoid further derailment of Neustradamus' tls-exporter conversation) On Fri, Nov 21, 2025 at 3:15 PM Nico Williams wrote: > For apps like PG I'm much more interested in real OAuth support. But > that's because I use PG in a corporate e