WIP: toc builder

[ai-pg] / full-docs / src / sgml / html / oauth-validator-design.html

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>50.1. Safely Designing a Validator Module</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot" /><link rel="prev" href="oauth-validators.html" title="Chapter 50. OAuth Validator Modules" /><link rel="next" href="oauth-validator-init.html" title="50.2. Initialization Functions" /></head><body id="docContent" class="container-fluid col-10"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">50.1. Safely Designing a Validator Module</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="oauth-validators.html" title="Chapter 50. OAuth Validator Modules">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="oauth-validators.html" title="Chapter 50. OAuth Validator Modules">Up</a></td><th width="60%" align="center">Chapter 50. OAuth Validator Modules</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 18.0 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="oauth-validator-init.html" title="50.2. Initialization Functions">Next</a></td></tr></table><hr /></div><div class="sect1" id="OAUTH-VALIDATOR-DESIGN"><div class="titlepage"><div><div><h2 class="title" style="clear: both">50.1. Safely Designing a Validator Module <a href="#OAUTH-VALIDATOR-DESIGN" class="id_link">#</a></h2></div></div></div><div class="toc"><dl class="toc"><dt><span class="sect2"><a href="oauth-validator-design.html#OAUTH-VALIDATOR-DESIGN-RESPONSIBILITIES">50.1.1. Validator Responsibilities</a></span></dt><dt><span class="sect2"><a href="oauth-validator-design.html#OAUTH-VALIDATOR-DESIGN-GUIDELINES">50.1.2. General Coding Guidelines</a></span></dt><dt><span class="sect2"><a href="oauth-validator-design.html#OAUTH-VALIDATOR-DESIGN-USERMAP-DELEGATION">50.1.3. Authorizing Users (Usermap Delegation)</a></span></dt></dl></div><div class="warning"><h3 class="title">Warning</h3><p>
    Read and understand the entirety of this section before implementing a
    validator module. A malfunctioning validator is potentially worse than no
    authentication at all, both because of the false sense of security it
    provides, and because it may contribute to attacks against other pieces of
    an OAuth ecosystem.
   </p></div><div class="sect2" id="OAUTH-VALIDATOR-DESIGN-RESPONSIBILITIES"><div class="titlepage"><div><div><h3 class="title">50.1.1. Validator Responsibilities <a href="#OAUTH-VALIDATOR-DESIGN-RESPONSIBILITIES" class="id_link">#</a></h3></div></div></div><p>
    Although different modules may take very different approaches to token
    validation, implementations generally need to perform three separate
    actions:
   </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">Validate the Token</span></dt><dd><p>
       The validator must first ensure that the presented token is in fact a
       valid Bearer token for use in client authentication. The correct way to
       do this depends on the provider, but it generally involves either
       cryptographic operations to prove that the token was created by a trusted
       party (offline validation), or the presentation of the token to that
       trusted party so that it can perform validation for you (online
       validation).
      </p><p>
       Online validation, usually implemented via
       <a class="ulink" href="https://datatracker.ietf.org/doc/html/rfc7662" target="_top">OAuth Token
       Introspection</a>, requires fewer steps of a validator module and
       allows central revocation of a token in the event that it is stolen
       or misissued. However, it does require the module to make at least one
       network call per authentication attempt (all of which must complete
       within the configured <a class="xref" href="runtime-config-connection.html#GUC-AUTHENTICATION-TIMEOUT">authentication_timeout</a>).
       Additionally, your provider may not provide introspection endpoints for
       use by external resource servers.
      </p><p>
       Offline validation is much more involved, typically requiring a validator
       to maintain a list of trusted signing keys for a provider and then
       check the token's cryptographic signature along with its contents.
       Implementations must follow the provider's instructions to the letter,
       including any verification of issuer ("where is this token from?"),
       audience ("who is this token for?"), and validity period ("when can this
       token be used?"). Since there is no communication between the module and
       the provider, tokens cannot be centrally revoked using this method;
       offline validator implementations may wish to place restrictions on the
       maximum length of a token's validity period.
      </p><p>
       If the token cannot be validated, the module should immediately fail.
       Further authentication/authorization is pointless if the bearer token
       wasn't issued by a trusted party.
      </p></dd><dt><span class="term">Authorize the Client</span></dt><dd><p>
       Next the validator must ensure that the end user has given the client
       permission to access the server on their behalf. This generally involves
       checking the scopes that have been assigned to the token, to make sure
       that they cover database access for the current HBA parameters.
      </p><p>
       The purpose of this step is to prevent an OAuth client from obtaining a
       token under false pretenses. If the validator requires all tokens to
       carry scopes that cover database access, the provider should then loudly
       prompt the user to grant that access during the flow. This gives them the
       opportunity to reject the request if the client isn't supposed to be
       using their credentials to connect to databases.
      </p><p>
       While it is possible to establish client authorization without explicit
       scopes by using out-of-band knowledge of the deployed architecture, doing
       so removes the user from the loop, which prevents them from catching
       deployment mistakes and allows any such mistakes to be exploited
       silently. Access to the database must be tightly restricted to only
       trusted clients
       <a href="#ftn.id-1.8.17.6.3.3.2.2.3.1" class="footnote"><sup class="footnote" id="id-1.8.17.6.3.3.2.2.3.1">[17]</sup></a>
       if users are not prompted for additional scopes.
      </p><p>
       Even if authorization fails, a module may choose to continue to pull
       authentication information from the token for use in auditing and
       debugging.
      </p></dd><dt><span class="term">Authenticate the End User</span></dt><dd><p>
       Finally, the validator should determine a user identifier for the token,
       either by asking the provider for this information or by extracting it
       from the token itself, and return that identifier to the server (which
       will then make a final authorization decision using the HBA
       configuration). This identifier will be available within the session via
       <a class="link" href="functions-info.html#FUNCTIONS-INFO-SESSION-TABLE" title="Table 9.71. Session Information Functions"><code class="function">system_user</code></a>
       and recorded in the server logs if <a class="xref" href="runtime-config-logging.html#GUC-LOG-CONNECTIONS">log_connections</a>
       is enabled.
      </p><p>
       Different providers may record a variety of different authentication
       information for an end user, typically referred to as
       <span class="emphasis"><em>claims</em></span>. Providers usually document which of these
       claims are trustworthy enough to use for authorization decisions and
       which are not. (For instance, it would probably not be wise to use an
       end user's full name as the identifier for authentication, since many
       providers allow users to change their display names arbitrarily.)
       Ultimately, the choice of which claim (or combination of claims) to use
       comes down to the provider implementation and application requirements.
      </p><p>
       Note that anonymous/pseudonymous login is possible as well, by enabling
       usermap delegation; see
       <a class="xref" href="oauth-validator-design.html#OAUTH-VALIDATOR-DESIGN-USERMAP-DELEGATION" title="50.1.3. Authorizing Users (Usermap Delegation)">Section 50.1.3</a>.
      </p></dd></dl></div></div><div class="sect2" id="OAUTH-VALIDATOR-DESIGN-GUIDELINES"><div class="titlepage"><div><div><h3 class="title">50.1.2. General Coding Guidelines <a href="#OAUTH-VALIDATOR-DESIGN-GUIDELINES" class="id_link">#</a></h3></div></div></div><p>
    Developers should keep the following in mind when implementing token
    validation:
   </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">Token Confidentiality</span></dt><dd><p>
       Modules should not write tokens, or pieces of tokens, into the server
       log. This is true even if the module considers the token invalid; an
       attacker who confuses a client into communicating with the wrong provider
       should not be able to retrieve that (otherwise valid) token from the
       disk.
      </p><p>
       Implementations that send tokens over the network (for example, to
       perform online token validation with a provider) must authenticate the
       peer and ensure that strong transport security is in use.
      </p></dd><dt><span class="term">Logging</span></dt><dd><p>
       Modules may use the same <a class="link" href="error-message-reporting.html" title="55.2. Reporting Errors Within the Server">logging
       facilities</a> as standard extensions; however, the rules for emitting
       log entries to the client are subtly different during the authentication
       phase of the connection. Generally speaking, modules should log
       verification problems at the <code class="symbol">COMMERROR</code> level and return
       normally, instead of using <code class="symbol">ERROR</code>/<code class="symbol">FATAL</code>
       to unwind the stack, to avoid leaking information to unauthenticated
       clients.
      </p></dd><dt><span class="term">Interruptibility</span></dt><dd><p>
       Modules must remain interruptible by signals so that the server can
       correctly handle authentication timeouts and shutdown signals from
       <span class="application">pg_ctl</span>. For example, blocking calls on sockets
       should generally be replaced with code that handles both socket events
       and interrupts without races (see <code class="function">WaitLatchOrSocket()</code>,
       <code class="function">WaitEventSetWait()</code>, et al), and long-running loops
       should periodically call <code class="function">CHECK_FOR_INTERRUPTS()</code>.
       Failure to follow this guidance may result in unresponsive backend
       sessions.
      </p></dd><dt><span class="term">Testing</span></dt><dd><p>
       The breadth of testing an OAuth system is well beyond the scope of this
       documentation, but at minimum, negative testing should be considered
       mandatory. It's trivial to design a module that lets authorized users in;
       the whole point of the system is to keep unauthorized users out.
      </p></dd><dt><span class="term">Documentation</span></dt><dd><p>
       Validator implementations should document the contents and format of the
       authenticated ID that is reported to the server for each end user, since
       DBAs may need to use this information to construct pg_ident maps. (For
       instance, is it an email address? an organizational ID number? a UUID?)
       They should also document whether or not it is safe to use the module in
       <code class="symbol">delegate_ident_mapping=1</code> mode, and what additional
       configuration is required in order to do so.
      </p></dd></dl></div></div><div class="sect2" id="OAUTH-VALIDATOR-DESIGN-USERMAP-DELEGATION"><div class="titlepage"><div><div><h3 class="title">50.1.3. Authorizing Users (Usermap Delegation) <a href="#OAUTH-VALIDATOR-DESIGN-USERMAP-DELEGATION" class="id_link">#</a></h3></div></div></div><p>
    The standard deliverable of a validation module is the user identifier,
    which the server will then compare to any configured
    <a class="link" href="auth-username-maps.html" title="20.2. User Name Maps"><code class="filename">pg_ident.conf</code>
    mappings</a> and determine whether the end user is authorized to connect.
    However, OAuth is itself an authorization framework, and tokens may carry
    information about user privileges. For example, a token may be associated
    with the organizational groups that a user belongs to, or list the roles
    that a user may assume, and duplicating that knowledge into local usermaps
    for every server may not be desirable.
   </p><p>
    To bypass username mapping entirely, and have the validator module assume
    the additional responsibility of authorizing user connections, the HBA may
    be configured with <a class="xref" href="auth-oauth.html#AUTH-OAUTH-DELEGATE-IDENT-MAPPING">delegate_ident_mapping</a>.
    The module may then use token scopes or an equivalent method to decide
    whether the user is allowed to connect under their desired role. The user
    identifier will still be recorded by the server, but it plays no part in
    determining whether to continue the connection.
   </p><p>
    Using this scheme, authentication itself is optional. As long as the module
    reports that the connection is authorized, login will continue even if there
    is no recorded user identifier at all. This makes it possible to implement
    anonymous or pseudonymous access to the database, where the third-party
    provider performs all necessary authentication but does not provide any
    user-identifying information to the server. (Some providers may create an
    anonymized ID number that can be recorded instead, for later auditing.)
   </p><p>
    Usermap delegation provides the most architectural flexibility, but it turns
    the validator module into a single point of failure for connection
    authorization. Use with caution.
   </p></div><div class="footnotes"><br /><hr style="width:100; text-align:left;margin-left: 0" /><div id="ftn.id-1.8.17.6.3.3.2.2.3.1" class="footnote"><p><a href="#id-1.8.17.6.3.3.2.2.3.1" class="para"><sup class="para">[17] </sup></a>
         That is, "trusted" in the sense that the OAuth client and the
         <span class="productname">PostgreSQL</span> server are controlled by the same
         entity. Notably, the Device Authorization client flow supported by
         libpq does not usually meet this bar, since it's designed for use by
         public/untrusted clients.
        </p></div></div></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="oauth-validators.html" title="Chapter 50. OAuth Validator Modules">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="oauth-validators.html" title="Chapter 50. OAuth Validator Modules">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="oauth-validator-init.html" title="50.2. Initialization Functions">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 50. OAuth Validator Modules </td><td width="20%" align="center"><a accesskey="h" href="index.html" title="PostgreSQL 18.0 Documentation">Home</a></td><td width="40%" align="right" valign="top"> 50.2. Initialization Functions</td></tr></table></div></body></html>