On Wed, Dec 06, 2023 at 10:57:15PM -0500, Tom Lane wrote:
> The immediate reason for dropping that support is that Heimdal doesn't
> have gss_store_cred_into(), without which we can't support delegated
> credentials. AFAICT, Apple's version doesn't have that either.
> We could argue about how important that feature is and whether it'd be
> okay to have an Apple-only build option to not have it. However...

Heimdal in the master branch sure does; I'm the author of
gss_store_cred_into() and gss_store_cred_into2().

Idk when we'll do an 8.0 release though. We've run out of steam. The
reality is that the world needs PostgreSQL to support OAuth w/ JWT more
than the world needs Kerberos or Heimdal's implementation of it.

> ... there's another good reason to shy away from relying on Apple's
> library, which is that they've conspicuously marked all the standard
> Kerberos functions as deprecated. It's not clear if that means
> they're planning to remove them outright, but surely it's an indicator
> that Apple doesn't want outside code calling them.

The krb5 API is horrible. Do not use it if you can avoid it. The
GSS-API is better, mostly.

Nico
--