Re: pg16 && GSSAPI && Heimdal/Macos - Mailing list pgsql-hackers

From Nico Williams
Subject Re: pg16 && GSSAPI && Heimdal/Macos
Msg-id Z/S1q30Nv4JZrvzf@ubby
In response to Re: pg16 && GSSAPI && Heimdal/Macos  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
On Wed, Dec 06, 2023 at 10:57:15PM -0500, Tom Lane wrote:
> The immediate reason for dropping that support is that Heimdal doesn't
> have gss_store_cred_into(), without which we can't support delegated
> credentials.  AFAICT, Apple's version doesn't have that either.
> We could argue about how important that feature is and whether it'd be
> okay to have an Apple-only build option to not have it.  However...

Heimdal in the master branch sure does; I'm the author of
gss_store_cred_into() and gss_store_cred_into2().  Idk when we'll do an
8.0 release though.  We've run out of steam.  The reality is that the
world needs PostgreSQL to support OAuth w/ JWT more than the world needs
Kerberos or Heimdal's implementation of it.

> ... there's another good reason to shy away from relying on Apple's
> library, which is that they've conspicuously marked all the standard
> Kerberos functions as deprecated.  It's not clear if that means
> they're planning to remove them outright, but surely it's an indicator
> that Apple doesn't want outside code calling them.

The krb5 API is horrible.  Do not use it if you can avoid it.  The
GSS-API is better, mostly.

Nico