On Thu, 2022-02-17 at 11:25 -0800, samay sharma wrote:
> To enable this, I've proposed adding a new authentication method
> "custom" which can be specified in pg_hba.conf and takes a mandatory
> argument "provider" specifying which authentication provider to use.
> I've also moved a couple static functions to headers so that
> extensions can call them.
>
> Sample pg_hba.conf line to use a custom provider:
>
> host all all ::1/128 custom provider=test

One caveat is that this only works given information available from
existing authentication methods, because that's all the client
supports. In practice, it seems to only be useful with plaintext
password authentication over an SSL connection.

I still like the approach though. There's a lot of useful stuff you can
do at authentication time with only the connection information and a
password. It could be useful to authenticate against different
services, or some kind of attack detection, etc.

Regards,
Jeff Davis
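
The caveat above, as an added example that is not part of this thread or of the proposed patch: a small checker that flags pg_hba.conf entries where the client sends its password in cleartext and the entry can match a connection without SSL. It assumes the "custom" method behaves as proposed in the quoted message; the function name `find_cleartext_risks` and the sample file are constructed for illustration.

```python
import shlex

# Methods where the server receives the client's password in cleartext.
# "custom" is the method proposed in this thread (assumption: not released).
CLEARTEXT_METHODS = {"password", "ldap", "pam", "radius", "bsd", "custom"}
# TCP connection types that can match a connection without SSL.
NON_SSL_TYPES = {"host", "hostnossl", "hostnogssenc"}

# Constructed sample; the first entry is the line quoted in the thread.
SAMPLE_HBA = """\
# TYPE  DATABASE USER ADDRESS [MASK] METHOD [OPTIONS]
host    all all ::1/128            custom provider=test
hostssl all all ::1/128            custom provider=test
host    all all 10.0.0.0 255.0.0.0 password
host    all all 10.0.0.0/8         scram-sha-256
local   all all                    peer
"""


def find_cleartext_risks(hba_text):
    """Return (line_no, conn_type, method) for each risky entry."""
    risks = []
    for line_no, line in enumerate(hba_text.splitlines(), start=1):
        # Handles quoting and '#' comments; line continuations are not handled.
        tokens = shlex.split(line, comments=True)
        if len(tokens) < 5 or tokens[0] not in NON_SSL_TYPES:
            continue  # blank, comment, local socket, hostssl or hostgssenc
        # An address may be followed by a separate netmask field.
        idx = 5 if any(c in tokens[4] for c in ".:") else 4
        if idx < len(tokens) and tokens[idx] in CLEARTEXT_METHODS:
            risks.append((line_no, tokens[0], tokens[idx]))
    return risks


if __name__ == "__main__":
    for line_no, conn_type, method in find_cleartext_risks(SAMPLE_HBA):
        print(f"line {line_no}: '{method}' on '{conn_type}' can run without SSL;"
              " use hostssl")
```
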