Hello,

Currently when the client sends an empty OAuth token to request the issuer URL, the server logs the attempt with

    FATAL: OAuth bearer authentication failed for user

which is quite confusing, as this is an expected part of the OAuth authentication flow and not an error at all. There's also a TODO message saying that this needs improvement. In practice this results in the server spamming the log with these messages, which are difficult to separate from real (OAuth) authentication failures.

This patch improves it by handling the situation properly in the SASL/OAuth code, by introducing a new SASL authentication status, PG_SASL_EXCHANGE_RESTART. The expectation is that authentication mechanisms can set this if they request a restart of the authentication flow. Restart currently requires starting with a new connection, so this simply sets STATUS_EOF.

Not sure if this is the best way to handle it or not, but it seems the cleanest to me, as the SASL code already had these return codes and this way the patch doesn't introduce anything OAuth-specific to the logic.

0001-Improve-OAuth-discovery-logging.patch
Description: Binary data
