On Mon, Apr 28, 2025 at 6:49 PM Noah Misch wrote:
> > Subject: [PATCH 1/2] oauth: Disallow OAuth connections via
> > postgres_fdw/dblink
> > Subject: [PATCH 2/2] oauth: Classify oauth_client_secret as a password
>
> Both look good.
Committed. Thanks for the review!
--Jacob
On Mon, Apr 21, 2025 at 08:18:58AM -0700, Jacob Champion wrote:
> Attached is my proposed fix. 0001 disables use of the new oauth_*
> options in our FDWs. 0002 changes dispchar.
> Subject: [PATCH 1/2] oauth: Disallow OAuth connections via postgres_fdw/dblink
> Subject: [PATCH 2/2] oauth: Classify
On Tue, Apr 15, 2025 at 11:11 PM Jelte Fennema-Nio wrote:
> On Wed, 16 Apr 2025 at 02:03, Jacob Champion
> wrote:
> > Thank you for saying something; I'd hallucinated that srvoptions was
> > limited to the server owner, and that's not true. It's pg_user_mapping
> > that has the protection.
>
> FW
On Wed, 16 Apr 2025 at 02:03, Jacob Champion
wrote:
> Thank you for saying something; I'd hallucinated that srvoptions was
> limited to the server owner, and that's not true. It's pg_user_mapping
> that has the protection.
FWIW, I have some ideas on being able to store secrets in a server in
a sa
On Tue, Apr 15, 2025 at 3:25 PM Jelte Fennema-Nio wrote:
> I don't understand why it should be a server option instead of a user
> mapping option. Having it be a server option means that *any* Postgres
> user can read its contents.
Thank you for saying something; I'd hallucinated that srvoptions
On Tue, 15 Apr 2025 at 22:48, Noah Misch wrote:
> yet be a
> postgres_fdw server option, postgres_fdw code can make it so. postgres_fdw
> already has explicit code to reclassify the "user" option.
I don't understand why it should be a server option instead of a user
mapping option. Having it be
On Tue, Apr 15, 2025 at 1:48 PM Noah Misch wrote:
> If we think oauth_client_secret should get dispchar="*" UI treatment yet be a
> postgres_fdw server option, postgres_fdw code can make it so. postgres_fdw
> already has explicit code to reclassify the "user" option.
Agreed, I will add an open i
On Tue, Apr 15, 2025 at 01:16:12PM -0700, Jacob Champion wrote:
> On Tue, Apr 15, 2025 at 12:14 PM Noah Misch wrote:
> > I suspect this should use .dispchar="*" to encourage UIs to display
> > oauth_client_secret like a password field. Thoughts?
>
> Hmm, from a UI perspective I agree. (The built
On Tue, Apr 15, 2025 at 12:14 PM Noah Misch wrote:
> I suspect this should use .dispchar="*" to encourage UIs to display
> oauth_client_secret like a password field. Thoughts?
Hmm, from a UI perspective I agree. (The builtin flow targets "public
clients", where secrets are discouraged and/or und
