Hello PostgreSQL Hackers, I’d like to open the discussion about adding support for URI Subject Alternative Names (URI SAN) in PostgreSQL certificate authentication. Today, PostgreSQL only supports extracting identity from the certificate Subject (CN or full DN). This limits interoperability with modern workload identity systems that rely on URI-based identities: * Cockroach Labs added URI SAN support for SPIFFE/SPIRE: https://www.cockroachlabs.com/blog/zero-trust-database-authentication-spiffe-spire * The IETF WIMSE Working Group is standardizing URI-based workload identities: https://datatracker.ietf.org/group/wimse/about
Proposal: Allow certificate authentication to use URI SAN entries as the client identity (e.g. via a clientname=uri option in pg_hba.conf), in addition to the existing CN/DN options. Questions: * Is there interest in this feature from the community? * Are there known objections or prior discussions around using SAN (and specifically URI SAN) for identity in PostgreSQL auth? * How should multiple URI SAN entries be handled (first match, require uniqueness, mapping rules, etc.)? Thanks, Olivier Cano
