oauth: Let validators provide failure DETAILs

At the moment, the only way for a validator module to report error
details on failure is to log them separately before returning from
validate_cb. Independently of that problem, the ereport() calls that we
make during validation failure partially duplicate some of the work of
auth_failed().

The end result is overly verbose and confusing for readers of the logs:

    [768233] LOG:  [my_validator] bad signature in bearer token
    [768233] LOG:  OAuth bearer authentication failed for user "jacob"
    [768233] DETAIL:  Validator failed to authorize the provided token.
    [768233] FATAL:  OAuth bearer authentication failed for user "jacob"
    [768233] DETAIL:  Connection matched file ".../pg_hba.conf" line ...

Solve both problems by making use of the existing logdetail pointer
that's provided by ClientAuthentication. Validator modules may set
ValidatorModuleResult->error_detail to override our default generic
message.

The end result looks something like

    [242284] FATAL:  OAuth bearer authentication failed for user "jacob"
    [242284] DETAIL:  [my_validator] bad signature in bearer token
        Connection matched file ".../pg_hba.conf" line ...

Reported-by: Álvaro Herrera <[email protected]>
Reported-by: Zsolt Parragi <[email protected]>
Reviewed-by: Chao Li <[email protected]>
Reviewed-by: Daniel Gustafsson <[email protected]>
Reviewed-by: Zsolt Parragi <[email protected]>
Discussion: https://postgr.es/m/202601241015.y5uvxd7oxnfs%40alvherre.pgsql

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/d438a36591c58f60e0748b341855ec5519e1e3b4

Modified Files
--------------
doc/src/sgml/oauth-validators.sgml               | 23 ++++++++++++--
src/backend/libpq/auth-oauth.c                   | 24 +++++++-------
src/backend/libpq/auth.c                         |  2 +-
src/include/libpq/oauth.h                        | 14 +++++++++
src/test/modules/oauth_validator/t/001_server.pl | 40 +++++++++++++++++++++++-
src/test/modules/oauth_validator/validator.c     | 29 +++++++++++++++++
6 files changed, 116 insertions(+), 16 deletions(-)
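
For anyone consuming these logs, an added example (not part of the commit or of PostgreSQL) that parses the post-commit format shown above into one record per failed OAuth login, splitting the DETAIL into the validator's reason and the pg_hba.conf match. The `[pid] LEVEL:` prefix is taken from the samples in the commit message; the sample log, its file path and the function names are constructed for illustration.

```python
import re

# "[pid] LEVEL:  text" is the prefix used in the commit message's samples;
# a real server's log_line_prefix may differ (assumption).
ENTRY = re.compile(r'^\[(?P<pid>\d+)\] (?P<level>[A-Z]+):\s+(?P<text>.*)$')
FAILED = re.compile(r'^OAuth bearer authentication failed for user "(?P<user>.*)"$')
HBA_PREFIX = 'Connection matched file'

# Constructed sample in the post-commit format (path and line number made up).
SAMPLE = '''\
[242284] FATAL:  OAuth bearer authentication failed for user "jacob"
[242284] DETAIL:  [my_validator] bad signature in bearer token
\tConnection matched file "/constructed/pg_hba.conf" line 1
[242290] LOG:  checkpoint starting: time
[242291] FATAL:  OAuth bearer authentication failed for user "alice"
[242291] DETAIL:  Validator failed to authorize the provided token.
\tConnection matched file "/constructed/pg_hba.conf" line 1
'''

def parse_entries(log_text):
    """Fold indented continuation lines into the entry they follow."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((m['pid'], m['level'], [m['text']]))
        elif entries and line[:1] in (' ', '\t'):
            entries[-1][2].append(line.strip())
    return entries

def oauth_failures(log_text):
    """One record per FATAL OAuth failure, with the DETAIL split into parts."""
    failures, pending = [], {}
    for pid, level, lines in parse_entries(log_text):
        failed = FAILED.match(lines[0])
        if level == 'FATAL' and failed:
            pending[pid] = {'pid': int(pid), 'user': failed['user'],
                            'detail': None, 'hba': None}
            failures.append(pending[pid])
        elif level == 'DETAIL' and pid in pending:
            rec = pending.pop(pid)
            for text in lines:
                if text.startswith(HBA_PREFIX):
                    rec['hba'] = text      # which pg_hba.conf rule matched
                elif rec['detail'] is None:
                    rec['detail'] = text   # validator-supplied or default reason
        else:
            pending.pop(pid, None)
    return failures
```

On logs in the pre-commit format, `detail` stays `None` for the FATAL record, because the validator's reason was written as a separate LOG line.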
