Re: Make PGOAUTHCAFILE in libpq-oauth work out of debug mode - Mailing list pgsql-hackers

From Jacob Champion
Subject Re: Make PGOAUTHCAFILE in libpq-oauth work out of debug mode
Date
Msg-id CAOYmi+nQawWHzC4mRhJnzZzzqjnUDg-yxN3f3ZqPX=+jpKU+zg@mail.gmail.com
In response to Re: Make PGOAUTHCAFILE in libpq-oauth work out of debug mode  ("Jonathan Gonzalez V." <jonathan.abdiel@gmail.com>)
Responses Re: Make PGOAUTHCAFILE in libpq-oauth work out of debug mode
List pgsql-hackers
On Sat, Dec 20, 2025 at 9:53 AM Jonathan Gonzalez V.
<jonathan.abdiel@gmail.com> wrote:
> > > > https://wiki.postgresql.org/wiki/Proposal:_Promote_PGOAUTHCAFILE_to_feature
> > >
> > > How can we work on that? Because of the above it may be required to add
> > > even more possibilities.
> >
> > Not sure what you mean. I think we're working on it now, in this
> > thread?
>
> Yes, but having a list of ideas listed, that we all can read may make
> sense, that's because following the threads with all the ideas at once
> it's a bit difficult sometimes!

See https://wiki.postgresql.org/wiki/Category:OAuth_Working_Group for
a current list of tagged [oauth] proposals. Or is that not what you're
asking about?

> In my opinion, "debug" it's not just developers, [...]
> since all the systems nowadays can run on hundreds
> of servers or containers, no one looks into the logs manually, you have
> automated system for it, that will read, parse, collect and distribute
> your logs into different storage, databases (even PostgreSQL database
> can be used for it) or display system. It is for these cases that
> having something that can be parsed is always useful.

Sure, but that's not the use case for PGOAUTHDEBUG. It's fine to
develop a feature that handles production logging for client
authentication details -- it's just emphatically not what that envvar
was designed to do. This is a developer feature which turns out to be
hiding another feature that people want to use in production today.

I know the most visible aspect of PGOAUTHDEBUG=UNSAFE is the logging
spray, so that might have contributed to the confusion.

> Well, I think I was misunderstood here, when I was talking about "debug
> levels" I was talking about logs debug levels

Right, and I'm not. I guess that's the main disconnect here: I'm only
talking about enabling and disabling the features exposed by
PGOAUTHDEBUG. I don't think a debug level helps with that, which is
why I proposed a bitmap.

But that's a feature for a different thread name. I think we should
continue this one by adding an oauth_ca_file connection parameter and
documentation, including the default behavior (which defers to Curl).

--Jacob


