Greetings,
* Craig Ringer (craig@2ndquadrant.com) wrote:
> On 26 March 2018 at 21:05, Damir Simunic <damir.simunic@wa-research.ch>
> wrote:
> > The same goes for the ‘authorization’ header. Postgres does not support
> > Bearer token authorization today. But maybe you’ll be able to define a
> > function that knows how to deal with the token, and somehow signal to
> > Postgres that you want it to call this function when it sees such a header.
> > Or maybe someone wrote a plugin that does that, and you configure your
> > server to use it.
>
> You've consistently ignored my comments re authentication and authorization.
>
> How would a multi-step handshake authentication like GSSAPI or SSPI be
> implemented with HTTP2? Efficiently?
I've been trying to avoid this thread, but I'll throw in that the way
GSSAPI is handled on the web today is through SPNEGO:
https://en.wikipedia.org/wiki/SPNEGO
Would be great to get pgAdmin4 to work under a webserver which is
performing SPNEGO and Kerberos delegation to allow user who are
authenticated to the web server to let the web server proxy those
credentials to allow connecting to PG, and, independently, for
credentials to be able to be delegated to PG which can be used for
connections to other services via FDWs.
All of that is largely independent of http2, of course.
Thanks!
Stephen