Re: Make PGOAUTHCAFILE in libpq-oauth work out of debug mode

2025-11-19 Thread Jacob Champion
On Tue, Nov 4, 2025 at 5:02 AM Jonathan Gonzalez V. wrote:
> * In Kubernetes, even with a network isolation, people use to prefer
> having TLS connections, just because it's the standard, but in internal
> communications (between namespaces and pods), these domains contain the
> format: ..svc..loc

Re: Make PGOAUTHCAFILE in libpq-oauth work out of debug mode

2025-11-04 Thread Daniel Gustafsson
> On 4 Nov 2025, at 14:00, Jonathan Gonzalez V. wrote:
> Ho! where can I see this list? I'd love to help with something here!

There is no documented list as far as I can remember, but look for calls to oauth_unsafe_debugging_enabled() in: https://github.com/postgres/postgres/blob/master/src/

Re: Make PGOAUTHCAFILE in libpq-oauth work out of debug mode

2025-11-04 Thread Jonathan Gonzalez V.
Hi!

On Mon, 2025-11-03 at 08:24 -0800, Jacob Champion wrote:
> But I ran into this annoyance (wanted to override the CA for temporary
> development purposes, got sprayed with debug output) during a demo
> just last month, so I'm in favor of doing something to make this
> easier.

I was creatin

Re: Make PGOAUTHCAFILE in libpq-oauth work out of debug mode

2025-11-03 Thread Zsolt Parragi
I was thinking about asking something similar. In our case, we have two problematic use cases: quick demo setups and CI. When you start up a simple keycloak instance, you have two easy options: either use http, or self-signed certificates. For a CI setup, I can create disposable containers, gene

Re: Make PGOAUTHCAFILE in libpq-oauth work out of debug mode

2025-11-03 Thread Jacob Champion
On Mon, Nov 3, 2025 at 6:24 AM Daniel Gustafsson wrote:
> If we do allow this (IIRC we did discuss during development to allow this but
> erred on the side of caution)

Yeah, the replaced comment explains it. The assumption is that whatever device you're using to log in (presumably a browser, not

Re: Make PGOAUTHCAFILE in libpq-oauth work out of debug mode

2025-11-03 Thread Daniel Gustafsson
> On 29 Oct 2025, at 20:19, Jonathan Gonzalez V. wrote:
> This patch basically removes the need of setting the PGOAUTHDEBUG=UNSAFE
> to be able to use PGOAUTHCAFILE.

If we do allow this (IIRC we did discuss during development to allow this but erred on the side of caution) it should probably b

Make PGOAUTHCAFILE in libpq-oauth work out of debug mode

2025-10-29 Thread Jonathan Gonzalez V.
Hi,

While working on a validator for keycloak[1] with libpq-oauth I found out that to allow a self-signed certificate I had to set the CA on the client, but for this it was required to also set PGOAUTHDEBUG=UNSAFE, which generated a lot of information on the client side that I didn't need for my te