upstream/postgresql
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2026-06-15 19:49:03 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

doc: Clarify OAuth validator authn_id logging

Browse source 
Document that OAuth validators can return an authenticated identity
in the authn_id member.  The server records the identity value before
checking if the connection is authorized, so it may appear in
connection-authentication logs (even if the connection later fails
authorization).

Also remove outdated wording saying that all result parameters are
ignored when a validator returns false since validators may provide
error_detail.

Patch by Chao Li with some additional wordsmithing by me.

Author: Chao Li <lic@highgo.com>
Reviewed-by: Jacob Champion <jacob.champion@enterprisedb.com>
Reported-by: Daniel Gustafsson <daniel@yesql.se>
Discussion: https://postgr.es/m/0281836A-F5FF-41A5-9EE1-656C1FAAC6B2@gmail.com
This commit is contained in:
Daniel Gustafsson 2026-06-06 00:18:30 +02:00
parent 55136e378c
commit 4cb2e2fe0a
1 changed files with 9 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
doc/src/sgml/oauth-validators.sgml
View file

@ -395,13 +395,18 @@ typedef struct ValidatorModuleResult
token) shall be palloc'd and returned in the <structfield>result->authn_id</structfield>
field. Alternatively, <structfield>result->authn_id</structfield> may be set to
NULL if the token is valid but the associated user identity cannot be
determined.
determined. If the validator returns <literal>true</literal> and
set <structfield>result->authn_id</structfield> then the identity appears
in the server log when <xref linkend="guc-log-connections"/> includes
<literal>authentication</literal>. This happens before authorization and
will log authentication even if the connection is later rejected due to
authorization.
</para>
<para>
A validator may return <literal>false</literal> to signal an internal error,
in which case any result parameters are ignored and the connection fails.
Otherwise the validator should return <literal>true</literal> to indicate
that it has processed the token and made an authorization decision.
in which case the connection fails. Otherwise the validator should return
<literal>true</literal> to indicate that it has processed the token and made
an authorization decision.
</para>
<para>
In either failure case (validation error or internal error) the module may