Hello,

I implemented a simple patch based on the above suggestion (PGOAUTHDEBUG=UNSAFE:http...). I did not update the documentation yet; let's see what everyone thinks about it before that, and I also have some concerns/questions.

I added the new functions into a common source file which gets included in both the oauth module and libpq. I'm not entirely happy about this, but I didn't see a better way without duplicating the code.

My concern, which is also there with the current version: is an environment variable the best way to control these settings in a library included into many applications? Wouldn't it be better to make these settings in libpq (or the oauth module), and only add the environment variables to psql?

This can be used to inject a CA into an application without the user noticing it, or without the application developer being aware of the possibility. With the current single-value variable, it is already possible, and in an application without a visible standard output, it is already hidden. But by splitting the setting into multiple flags, this can go unnoticed even in a console application.

Another question is what to do with the CA file - currently it remains a separate (environment) variable, but maybe it could be included in the option string instead:

PGOAUTHDEBUG=UNSAFE:custom-ca=/path/to/the/file

What do you think about it?

0001-Split-PGOAUTHDEBUG-UNSAFE-into-multiple-options.patch
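An added example, not part of the message or the attached patch: an application that embeds libpq can guard against the concern raised above by removing the OAuth debug variables from its own environment at startup and reporting that it did so. The function names are hypothetical, PGOAUTHCAFILE is assumed to be the separate CA-file variable the message refers to, and the guard assumes the variables are read when a connection is made.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L /* setenv(), unsetenv() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* PGOAUTHDEBUG is named in the message; PGOAUTHCAFILE is an assumption. */
static const char *const oauth_debug_vars[] = { "PGOAUTHDEBUG", "PGOAUTHCAFILE" };

/* True for "UNSAFE" and for the proposed "UNSAFE:<options>" form. */
static int is_unsafe_value(const char *value)
{
    static const char prefix[] = "UNSAFE";
    size_t n = sizeof(prefix) - 1;

    if (value == NULL || strncmp(value, prefix, n) != 0)
        return 0;
    return value[n] == '\0' || value[n] == ':';
}

/*
 * Call once at startup, before the first connection attempt and before any
 * threads exist (unsetenv() is not thread-safe). Returns how many variables
 * were removed; *unsafe_seen reports whether UNSAFE mode had been requested.
 */
int scrub_oauth_debug_env(int *unsafe_seen)
{
    size_t i, n = sizeof(oauth_debug_vars) / sizeof(oauth_debug_vars[0]);
    int removed = 0;

    if (unsafe_seen != NULL)
        *unsafe_seen = is_unsafe_value(getenv("PGOAUTHDEBUG"));
    for (i = 0; i < n; i++) {
        const char *v = getenv(oauth_debug_vars[i]);
        if (v == NULL)
            continue;
        /* Make the override visible instead of silently honouring it. */
        fprintf(stderr, "warning: ignoring %s=%s\n", oauth_debug_vars[i], v);
        if (unsetenv(oauth_debug_vars[i]) == 0)
            removed++;
    }
    return removed;
}

int main(void)
{
    int unsafe = 0, removed;
    setenv("PGOAUTHDEBUG", "UNSAFE:custom-ca=/path/to/the/file", 1); /* constructed */
    removed = scrub_oauth_debug_env(&unsafe);
    printf("removed=%d unsafe=%d\n", removed, unsafe);
    return 0;
}
```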
