On Thu, Jun 03, 2021 at 11:02:56AM -0700, Jeff Davis wrote:
> My feeling after all of that discussion is that the next step would be
> to move to some kind of negotiation between client and server about
> which methods are mutually acceptable. Right now, the protocol is
> structured around the server driving the authentication process, and
> the most the client can do is abort.

FWIW, this sounds very similar to what SASL solves when we try to select a mechanism name, plus some filtering applied in the backend with some HBA rule or some filtering in the frontend with a connection parameter doing the restriction, like channel_binding here. Introducing a new libpq parameter that allows the user to select which authentication methods are allowed has been discussed in the past, I remember vaguely writing/reviewing a patch doing that actually..
--
Michael