On Fri, Mar 04, 2022 at 08:19:26PM -0500, Tom Lane wrote:
> Jacob Champion <pchampion@vmware.com> writes:
>> Here is my take on option 2, then: you get to choose exactly one method
>> that the client will accept. If you want to use client certificates,
>> use require_auth=cert. If you want to force SCRAM, use
>> require_auth=scram-sha-256. If the server asks for something different,
>> libpq will fail. If the server tries to get away without asking you for
>> authentication, libpq will fail. There is no negotiation.
Fine by me to put all the control on the client-side, that makes the
whole much simpler to reason about.
> Seems reasonable, but I bet that for very little more code you could
> accept a comma-separated list of allowed methods; libpq already allows
> comma-separated lists for some other connection options. That seems
> like it'd be a useful increment of flexibility.
Same impression here, so +1 for supporting a comma-separated list of
values here. This is already handled in parse_comma_separated_list(),
now used for multiple hosts and hostaddrs.
--
Michael
