Proposal: Split up PGOAUTHDEBUG

From PostgreSQL wiki

This draft proposes that the PGOAUTHDEBUG setting be broken up into independently selectable features, rather than the current all-on/all-off implementation.

Motivation

The PGOAUTHDEBUG envvar allows users to enable the following features when the oauth auth method is in use for a connection:

  • allow the use of unencrypted http:// in addition to standard https://
  • dump an extremely verbose representation of all HTTP requests used throughout the client flow, including secrets in plaintext
  • allow zero-second intervals for the device token endpoint
  • count and print the number of times the flow callback has been invoked at the end of the flow
  • use a nonstandard certificate authority, via the PGOAUTHCAFILE envvar
  • print OS-specific error details if the libpq-oauth plugin cannot be loaded

The PG18 version of PGOAUTHDEBUG allows only two possible settings: on, with PGOAUTHDEBUG=UNSAFE, and off. But not all of the abilities listed above are necessarily unsafe, and in order to make use of one you must opt into all of them. The debug spray in particular is annoying if all you want to do is switch CAs.

Rationale

to be filled in as solutions are discussed

Implementation

to be filled in when a solution is chosen

Security Considerations

Many debug options, by design, relax software restrictions in ways that make them dangerous for production use. For example, the ability to switch to unencrypted HTTP can be useful for a developer in a debugging session, but it completely breaks OAuth security. No matter what solution is picked here, it needs to be obvious to the end user that any unsafe settings are, in fact, unsafe.
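One way the split could look, added here as an illustration that is not part of this proposal or of libpq: a comma-separated PGOAUTHDEBUG value is parsed into one bit per feature from the Motivation list, the PG18 value UNSAFE is kept as an alias for all of them, and the features that weaken OAuth security (here assumed to be plain http and the plaintext dump) are reported separately so a client can call out exactly those to the user. The feature names, the bitmask, and the unsafe classification are all assumptions of this example.

```c
#include <string.h>
#include <ctype.h>

/* One bit per feature so each can be enabled on its own. The feature names,
 * and which of them count as unsafe, are this example's assumptions. */
enum oauth_debug_flag {
    OAUTH_DEBUG_HTTP = 1,       /* allow unencrypted http:// endpoints */
    OAUTH_DEBUG_DUMP = 2,       /* verbose HTTP dump, secrets in plaintext */
    OAUTH_DEBUG_NOINTERVAL = 4, /* zero-second device token polling */
    OAUTH_DEBUG_COUNT = 8,      /* count flow callback invocations */
    OAUTH_DEBUG_CAFILE = 16,    /* trust the CA named by PGOAUTHCAFILE */
    OAUTH_DEBUG_LOADERR = 32,   /* OS-specific plugin load error details */
    OAUTH_DEBUG_ALL = 63        /* what PG18's PGOAUTHDEBUG=UNSAFE turns on */
};
/* Features that relax OAuth security rather than merely adding output. */
#define OAUTH_DEBUG_UNSAFE_MASK (OAUTH_DEBUG_HTTP | OAUTH_DEBUG_DUMP)
static const struct { const char *name; unsigned flag; } features[] = {
    {"http", OAUTH_DEBUG_HTTP}, {"dump", OAUTH_DEBUG_DUMP},
    {"nointerval", OAUTH_DEBUG_NOINTERVAL}, {"count", OAUTH_DEBUG_COUNT},
    {"cafile", OAUTH_DEBUG_CAFILE}, {"loaderr", OAUTH_DEBUG_LOADERR},
    {"UNSAFE", OAUTH_DEBUG_ALL}, /* compatibility alias for the PG18 value */
};
#define NFEATURES (sizeof(features) / sizeof(features[0]))

/* Parse a comma-separated feature list (whitespace around names ignored) into
 * a bitmask. Returns 0 on success, -1 on an unknown token so the caller can
 * reject the whole setting instead of silently enabling a subset. */
int parse_oauth_debug(const char *value, unsigned *flags)
{
    *flags = 0;
    for (const char *p = value; value && *p; )
    {
        while (*p == ',' || isspace((unsigned char) *p)) p++;
        if (!*p) break;
        const char *start = p;
        while (*p && *p != ',' && !isspace((unsigned char) *p)) p++;
        size_t i, n = (size_t) (p - start);
        for (i = 0; i < NFEATURES; i++)
            if (strncmp(start, features[i].name, n) == 0 && features[i].name[n] == '\0')
                break;
        if (i == NFEATURES) return -1;
        *flags |= features[i].flag;
    }
    return 0;
}

/* The enabled features the user must be warned are unsafe (nonzero = warn). */
unsigned oauth_debug_unsafe(unsigned flags) { return flags & OAUTH_DEBUG_UNSAFE_MASK; }
```

With this layout, PGOAUTHDEBUG=cafile enables only the nonstandard CA and produces no unsafe-feature warning, while the legacy UNSAFE value still enables everything and reports http and dump as the features that need to be called out.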

Rejected Ideas

  • TODO

Open Issues

  • TODO

Discussion Links