[PoC] Federated Authn/z with OAUTHBEARER

From 8c4b82940efb7e0f0f33ac915d5f7969a36e3644 Mon Sep 17 00:00:00 2001
From: Jacob Champion <pchampion@vmware.com>
Date: Mon, 3 May 2021 15:38:26 -0700
Subject: [PATCH v2 1/5] common/jsonapi: support FRONTEND clients

Based on a patch by Michael Paquier.

For frontend code, use PQExpBuffer instead of StringInfo. This requires
us to track allocation failures so that we can return JSON_OUT_OF_MEMORY
as needed. json_errdetail() now allocates its error message inside
memory owned by the JsonLexContext, so clients don't need to worry about
freeing it.

For convenience, the backend now has destroyJsonLexContext() to mirror
other create/destroy APIs. The frontend has init/term versions of the
API to handle stack-allocated JsonLexContexts.

We can now partially revert b44669b2ca, now that json_errdetail() works
correctly.
---
 src/backend/utils/adt/jsonfuncs.c             |   4 +-
 src/bin/pg_verifybackup/parse_manifest.c      |  13 +-
 src/bin/pg_verifybackup/t/005_bad_manifest.pl |   2 +-
 src/common/Makefile                           |   2 +-
 src/common/jsonapi.c                          | 290 +++++++++++++-----
 src/include/common/jsonapi.h                  |  47 ++-
 6 files changed, 270 insertions(+), 88 deletions(-)

diff --git a/src/backend/utils/adt/jsonfuncs.c b/src/backend/utils/adt/jsonfuncs.c
index 5fd54b64b5..fa39751188 100644
--- a/src/backend/utils/adt/jsonfuncs.c
+++ b/src/backend/utils/adt/jsonfuncs.c
@@ -723,9 +723,7 @@ json_object_keys(PG_FUNCTION_ARGS)
 		pg_parse_json_or_ereport(lex, sem);
 		/* keys are now in state->result */
 
-		pfree(lex->strval->data);
-		pfree(lex->strval);
-		pfree(lex);
+		destroyJsonLexContext(lex);
 		pfree(sem);
 
 		MemoryContextSwitchTo(oldcontext);
diff --git a/src/bin/pg_verifybackup/parse_manifest.c b/src/bin/pg_verifybackup/parse_manifest.c
index c7ccc78c70..6cedb7435f 100644
--- a/src/bin/pg_verifybackup/parse_manifest.c
+++ b/src/bin/pg_verifybackup/parse_manifest.c
@@ -119,7 +119,7 @@ void
 json_parse_manifest(JsonManifestParseContext *context, char *buffer,
 					size_t size)
 {
-	JsonLexContext *lex;
+	JsonLexContext lex = {0};
 	JsonParseErrorType json_error;
 	JsonSemAction sem;
 	JsonManifestParseState parse;
@@ -129,8 +129,8 @@ json_parse_manifest(JsonManifestParseContext *context, char *buffer,
 	parse.state = JM_EXPECT_TOPLEVEL_START;
 	parse.saw_version_field = false;
 
-	/* Create a JSON lexing context. */
-	lex = makeJsonLexContextCstringLen(buffer, size, PG_UTF8, true);
+	/* Initialize a JSON lexing context. */
+	initJsonLexContextCstringLen(&lex, buffer, size, PG_UTF8, true);
 
 	/* Set up semantic actions. */
 	sem.semstate = &parse;
@@ -145,14 +145,17 @@ json_parse_manifest(JsonManifestParseContext *context, char *buffer,
 	sem.scalar = json_manifest_scalar;
 
 	/* Run the actual JSON parser. */
-	json_error = pg_parse_json(lex, &sem);
+	json_error = pg_parse_json(&lex, &sem);
 	if (json_error != JSON_SUCCESS)
-		json_manifest_parse_failure(context, "parsing failed");
+		json_manifest_parse_failure(context, json_errdetail(json_error, &lex));
 	if (parse.state != JM_EXPECT_EOF)
 		json_manifest_parse_failure(context, "manifest ended unexpectedly");
 
 	/* Verify the manifest checksum. */
 	verify_manifest_checksum(&parse, buffer, size);
+
+	/* Clean up. */
+	termJsonLexContext(&lex);
 }
 
 /*
diff --git a/src/bin/pg_verifybackup/t/005_bad_manifest.pl b/src/bin/pg_verifybackup/t/005_bad_manifest.pl
index 4f5b8f5a49..9f8a100a71 100644
--- a/src/bin/pg_verifybackup/t/005_bad_manifest.pl
+++ b/src/bin/pg_verifybackup/t/005_bad_manifest.pl
@@ -16,7 +16,7 @@ my $tempdir = TestLib::tempdir;
 
 test_bad_manifest(
 	'input string ended unexpectedly',
-	qr/could not parse backup manifest: parsing failed/,
+	qr/could not parse backup manifest: The input string ended unexpectedly/,
 	<<EOM);
 {
 EOM
diff --git a/src/common/Makefile b/src/common/Makefile
index 880722fcf5..5ecb09a8c4 100644
--- a/src/common/Makefile
+++ b/src/common/Makefile
@@ -40,7 +40,7 @@ override CPPFLAGS += -DVAL_LDFLAGS_EX="\"$(LDFLAGS_EX)\""
 override CPPFLAGS += -DVAL_LDFLAGS_SL="\"$(LDFLAGS_SL)\""
 override CPPFLAGS += -DVAL_LIBS="\"$(LIBS)\""
 
-override CPPFLAGS := -DFRONTEND -I. -I$(top_srcdir)/src/common $(CPPFLAGS)
+override CPPFLAGS := -DFRONTEND -I. -I$(top_srcdir)/src/common -I$(libpq_srcdir) $(CPPFLAGS)
 LIBS += $(PTHREAD_LIBS)
 
 # If you add objects here, see also src/tools/msvc/Mkvcbuild.pm
diff --git a/src/common/jsonapi.c b/src/common/jsonapi.c
index 5504072b4f..3a9620f739 100644
--- a/src/common/jsonapi.c
+++ b/src/common/jsonapi.c
@@ -20,10 +20,39 @@
 #include "common/jsonapi.h"
 #include "mb/pg_wchar.h"
 
-#ifndef FRONTEND
+#ifdef FRONTEND
+#include "pqexpbuffer.h"
+#else
+#include "lib/stringinfo.h"
 #include "miscadmin.h"
 #endif
 
+/*
+ * In backend, we will use palloc/pfree along with StringInfo.  In frontend, use
+ * malloc and PQExpBuffer, and return JSON_OUT_OF_MEMORY on out-of-memory.
+ */
+#ifdef FRONTEND
+
+#define STRDUP(s) strdup(s)
+#define ALLOC(size) malloc(size)
+
+#define appendStrVal		appendPQExpBuffer
+#define appendStrValChar	appendPQExpBufferChar
+#define createStrVal		createPQExpBuffer
+#define resetStrVal			resetPQExpBuffer
+
+#else /* !FRONTEND */
+
+#define STRDUP(s) pstrdup(s)
+#define ALLOC(size) palloc(size)
+
+#define appendStrVal		appendStringInfo
+#define appendStrValChar	appendStringInfoChar
+#define createStrVal		makeStringInfo
+#define resetStrVal			resetStringInfo
+
+#endif
+
 /*
  * The context of the parser is maintained by the recursive descent
  * mechanism, but is passed explicitly to the error reporting routine
@@ -132,10 +161,12 @@ IsValidJsonNumber(const char *str, int len)
 	return (!numeric_error) && (total_len == dummy_lex.input_length);
 }
 
+#ifndef FRONTEND
+
 /*
  * makeJsonLexContextCstringLen
  *
- * lex constructor, with or without StringInfo object for de-escaped lexemes.
+ * lex constructor, with or without a string object for de-escaped lexemes.
  *
  * Without is better as it makes the processing faster, so only make one
  * if really required.
@@ -145,13 +176,66 @@ makeJsonLexContextCstringLen(char *json, int len, int encoding, bool need_escape
 {
 	JsonLexContext *lex = palloc0(sizeof(JsonLexContext));
 
+	initJsonLexContextCstringLen(lex, json, len, encoding, need_escapes);
+
+	return lex;
+}
+
+void
+destroyJsonLexContext(JsonLexContext *lex)
+{
+	termJsonLexContext(lex);
+	pfree(lex);
+}
+
+#endif /* !FRONTEND */
+
+void
+initJsonLexContextCstringLen(JsonLexContext *lex, char *json, int len, int encoding, bool need_escapes)
+{
 	lex->input = lex->token_terminator = lex->line_start = json;
 	lex->line_number = 1;
 	lex->input_length = len;
 	lex->input_encoding = encoding;
-	if (need_escapes)
-		lex->strval = makeStringInfo();
-	return lex;
+	lex->parse_strval = need_escapes;
+	if (lex->parse_strval)
+	{
+		/*
+		 * This call can fail in FRONTEND code. We defer error handling to time
+		 * of use (json_lex_string()) since there's no way to signal failure
+		 * here, and we might not need to parse any strings anyway.
+		 */
+		lex->strval = createStrVal();
+	}
+	lex->errormsg = NULL;
+}
+
+void
+termJsonLexContext(JsonLexContext *lex)
+{
+	static const JsonLexContext empty = {0};
+
+	if (lex->strval)
+	{
+#ifdef FRONTEND
+		destroyPQExpBuffer(lex->strval);
+#else
+		pfree(lex->strval->data);
+		pfree(lex->strval);
+#endif
+	}
+
+	if (lex->errormsg)
+	{
+#ifdef FRONTEND
+		destroyPQExpBuffer(lex->errormsg);
+#else
+		pfree(lex->errormsg->data);
+		pfree(lex->errormsg);
+#endif
+	}
+
+	*lex = empty;
 }
 
 /*
@@ -217,7 +301,7 @@ json_count_array_elements(JsonLexContext *lex, int *elements)
 	 * etc, so doing this with a copy makes that safe.
 	 */
 	memcpy(&copylex, lex, sizeof(JsonLexContext));
-	copylex.strval = NULL;		/* not interested in values here */
+	copylex.parse_strval = false;		/* not interested in values here */
 	copylex.lex_level++;
 
 	count = 0;
@@ -279,14 +363,21 @@ parse_scalar(JsonLexContext *lex, JsonSemAction *sem)
 	/* extract the de-escaped string value, or the raw lexeme */
 	if (lex_peek(lex) == JSON_TOKEN_STRING)
 	{
-		if (lex->strval != NULL)
-			val = pstrdup(lex->strval->data);
+		if (lex->parse_strval)
+		{
+			val = STRDUP(lex->strval->data);
+			if (val == NULL)
+				return JSON_OUT_OF_MEMORY;
+		}
 	}
 	else
 	{
 		int			len = (lex->token_terminator - lex->token_start);
 
-		val = palloc(len + 1);
+		val = ALLOC(len + 1);
+		if (val == NULL)
+			return JSON_OUT_OF_MEMORY;
+
 		memcpy(val, lex->token_start, len);
 		val[len] = '\0';
 	}
@@ -320,8 +411,12 @@ parse_object_field(JsonLexContext *lex, JsonSemAction *sem)
 
 	if (lex_peek(lex) != JSON_TOKEN_STRING)
 		return report_parse_error(JSON_PARSE_STRING, lex);
-	if ((ostart != NULL || oend != NULL) && lex->strval != NULL)
-		fname = pstrdup(lex->strval->data);
+	if ((ostart != NULL || oend != NULL) && lex->parse_strval)
+	{
+		fname = STRDUP(lex->strval->data);
+		if (fname == NULL)
+			return JSON_OUT_OF_MEMORY;
+	}
 	result = json_lex(lex);
 	if (result != JSON_SUCCESS)
 		return result;
@@ -368,6 +463,10 @@ parse_object(JsonLexContext *lex, JsonSemAction *sem)
 	JsonParseErrorType result;
 
 #ifndef FRONTEND
+	/*
+	 * TODO: clients need some way to put a bound on stack growth. Parse level
+	 * limits maybe?
+	 */
 	check_stack_depth();
 #endif
 
@@ -676,8 +775,15 @@ json_lex_string(JsonLexContext *lex)
 	int			len;
 	int			hi_surrogate = -1;
 
-	if (lex->strval != NULL)
-		resetStringInfo(lex->strval);
+	if (lex->parse_strval)
+	{
+#ifdef FRONTEND
+		/* make sure initialization succeeded */
+		if (lex->strval == NULL)
+			return JSON_OUT_OF_MEMORY;
+#endif
+		resetStrVal(lex->strval);
+	}
 
 	Assert(lex->input_length > 0);
 	s = lex->token_start;
@@ -737,7 +843,7 @@ json_lex_string(JsonLexContext *lex)
 						return JSON_UNICODE_ESCAPE_FORMAT;
 					}
 				}
-				if (lex->strval != NULL)
+				if (lex->parse_strval)
 				{
 					/*
 					 * Combine surrogate pairs.
@@ -797,19 +903,19 @@ json_lex_string(JsonLexContext *lex)
 
 						unicode_to_utf8(ch, (unsigned char *) utf8str);
 						utf8len = pg_utf_mblen((unsigned char *) utf8str);
-						appendBinaryStringInfo(lex->strval, utf8str, utf8len);
+						appendBinaryPQExpBuffer(lex->strval, utf8str, utf8len);
 					}
 					else if (ch <= 0x007f)
 					{
 						/* The ASCII range is the same in all encodings */
-						appendStringInfoChar(lex->strval, (char) ch);
+						appendPQExpBufferChar(lex->strval, (char) ch);
 					}
 					else
 						return JSON_UNICODE_HIGH_ESCAPE;
 #endif							/* FRONTEND */
 				}
 			}
-			else if (lex->strval != NULL)
+			else if (lex->parse_strval)
 			{
 				if (hi_surrogate != -1)
 					return JSON_UNICODE_LOW_SURROGATE;
@@ -819,22 +925,22 @@ json_lex_string(JsonLexContext *lex)
 					case '"':
 					case '\\':
 					case '/':
-						appendStringInfoChar(lex->strval, *s);
+						appendStrValChar(lex->strval, *s);
 						break;
 					case 'b':
-						appendStringInfoChar(lex->strval, '\b');
+						appendStrValChar(lex->strval, '\b');
 						break;
 					case 'f':
-						appendStringInfoChar(lex->strval, '\f');
+						appendStrValChar(lex->strval, '\f');
 						break;
 					case 'n':
-						appendStringInfoChar(lex->strval, '\n');
+						appendStrValChar(lex->strval, '\n');
 						break;
 					case 'r':
-						appendStringInfoChar(lex->strval, '\r');
+						appendStrValChar(lex->strval, '\r');
 						break;
 					case 't':
-						appendStringInfoChar(lex->strval, '\t');
+						appendStrValChar(lex->strval, '\t');
 						break;
 					default:
 						/* Not a valid string escape, so signal error. */
@@ -858,12 +964,12 @@ json_lex_string(JsonLexContext *lex)
 			}
 
 		}
-		else if (lex->strval != NULL)
+		else if (lex->parse_strval)
 		{
 			if (hi_surrogate != -1)
 				return JSON_UNICODE_LOW_SURROGATE;
 
-			appendStringInfoChar(lex->strval, *s);
+			appendStrValChar(lex->strval, *s);
 		}
 
 	}
@@ -871,6 +977,11 @@ json_lex_string(JsonLexContext *lex)
 	if (hi_surrogate != -1)
 		return JSON_UNICODE_LOW_SURROGATE;
 
+#ifdef FRONTEND
+	if (lex->parse_strval && PQExpBufferBroken(lex->strval))
+		return JSON_OUT_OF_MEMORY;
+#endif
+
 	/* Hooray, we found the end of the string! */
 	lex->prev_token_terminator = lex->token_terminator;
 	lex->token_terminator = s + 1;
@@ -1043,72 +1154,93 @@ report_parse_error(JsonParseContext ctx, JsonLexContext *lex)
 	return JSON_SUCCESS;		/* silence stupider compilers */
 }
 
-
-#ifndef FRONTEND
-/*
- * Extract the current token from a lexing context, for error reporting.
- */
-static char *
-extract_token(JsonLexContext *lex)
-{
-	int			toklen = lex->token_terminator - lex->token_start;
-	char	   *token = palloc(toklen + 1);
-
-	memcpy(token, lex->token_start, toklen);
-	token[toklen] = '\0';
-	return token;
-}
-
 /*
  * Construct a detail message for a JSON error.
  *
- * Note that the error message generated by this routine may not be
- * palloc'd, making it unsafe for frontend code as there is no way to
- * know if this can be safery pfree'd or not.
+ * The returned allocation is either static or owned by the JsonLexContext and
+ * should not be freed.
  */
 char *
 json_errdetail(JsonParseErrorType error, JsonLexContext *lex)
 {
+	int		toklen = lex->token_terminator - lex->token_start;
+
+	if (error == JSON_OUT_OF_MEMORY)
+	{
+		/* Short circuit. Allocating anything for this case is unhelpful. */
+		return _("out of memory");
+	}
+
+	if (lex->errormsg)
+		resetStrVal(lex->errormsg);
+	else
+		lex->errormsg = createStrVal();
+
 	switch (error)
 	{
 		case JSON_SUCCESS:
 			/* fall through to the error code after switch */
 			break;
 		case JSON_ESCAPING_INVALID:
-			return psprintf(_("Escape sequence \"\\%s\" is invalid."),
-							extract_token(lex));
+			appendStrVal(lex->errormsg,
+						 _("Escape sequence \"\\%.*s\" is invalid."),
+						 toklen, lex->token_start);
+			break;
 		case JSON_ESCAPING_REQUIRED:
-			return psprintf(_("Character with value 0x%02x must be escaped."),
-							(unsigned char) *(lex->token_terminator));
+			appendStrVal(lex->errormsg,
+						 _("Character with value 0x%02x must be escaped."),
+						 (unsigned char) *(lex->token_terminator));
+			break;
 		case JSON_EXPECTED_END:
-			return psprintf(_("Expected end of input, but found \"%s\"."),
-							extract_token(lex));
+			appendStrVal(lex->errormsg,
+						 _("Expected end of input, but found \"%.*s\"."),
+						 toklen, lex->token_start);
+			break;
 		case JSON_EXPECTED_ARRAY_FIRST:
-			return psprintf(_("Expected array element or \"]\", but found \"%s\"."),
-							extract_token(lex));
+			appendStrVal(lex->errormsg,
+						 _("Expected array element or \"]\", but found \"%.*s\"."),
+						 toklen, lex->token_start);
+			break;
 		case JSON_EXPECTED_ARRAY_NEXT:
-			return psprintf(_("Expected \",\" or \"]\", but found \"%s\"."),
-							extract_token(lex));
+			appendStrVal(lex->errormsg,
+						 _("Expected \",\" or \"]\", but found \"%.*s\"."),
+						 toklen, lex->token_start);
+			break;
 		case JSON_EXPECTED_COLON:
-			return psprintf(_("Expected \":\", but found \"%s\"."),
-							extract_token(lex));
+			appendStrVal(lex->errormsg,
+						 _("Expected \":\", but found \"%.*s\"."),
+						 toklen, lex->token_start);
+			break;
 		case JSON_EXPECTED_JSON:
-			return psprintf(_("Expected JSON value, but found \"%s\"."),
-							extract_token(lex));
+			appendStrVal(lex->errormsg,
+						 _("Expected JSON value, but found \"%.*s\"."),
+						 toklen, lex->token_start);
+			break;
 		case JSON_EXPECTED_MORE:
 			return _("The input string ended unexpectedly.");
 		case JSON_EXPECTED_OBJECT_FIRST:
-			return psprintf(_("Expected string or \"}\", but found \"%s\"."),
-							extract_token(lex));
+			appendStrVal(lex->errormsg,
+						 _("Expected string or \"}\", but found \"%.*s\"."),
+						 toklen, lex->token_start);
+			break;
 		case JSON_EXPECTED_OBJECT_NEXT:
-			return psprintf(_("Expected \",\" or \"}\", but found \"%s\"."),
-							extract_token(lex));
+			appendStrVal(lex->errormsg,
+						 _("Expected \",\" or \"}\", but found \"%.*s\"."),
+						 toklen, lex->token_start);
+			break;
 		case JSON_EXPECTED_STRING:
-			return psprintf(_("Expected string, but found \"%s\"."),
-							extract_token(lex));
+			appendStrVal(lex->errormsg,
+						 _("Expected string, but found \"%.*s\"."),
+						 toklen, lex->token_start);
+			break;
 		case JSON_INVALID_TOKEN:
-			return psprintf(_("Token \"%s\" is invalid."),
-							extract_token(lex));
+			appendStrVal(lex->errormsg,
+						 _("Token \"%.*s\" is invalid."),
+						 toklen, lex->token_start);
+			break;
+		case JSON_OUT_OF_MEMORY:
+			/* should have been handled above; use the error path */
+			break;
 		case JSON_UNICODE_CODE_POINT_ZERO:
 			return _("\\u0000 cannot be converted to text.");
 		case JSON_UNICODE_ESCAPE_FORMAT:
@@ -1122,12 +1254,22 @@ json_errdetail(JsonParseErrorType error, JsonLexContext *lex)
 			return _("Unicode low surrogate must follow a high surrogate.");
 	}
 
-	/*
-	 * We don't use a default: case, so that the compiler will warn about
-	 * unhandled enum values.  But this needs to be here anyway to cover the
-	 * possibility of an incorrect input.
-	 */
-	elog(ERROR, "unexpected json parse error type: %d", (int) error);
-	return NULL;
-}
+	/* Note that lex->errormsg can be NULL in FRONTEND code. */
+	if (lex->errormsg && !lex->errormsg->data[0])
+	{
+		/*
+		 * We don't use a default: case, so that the compiler will warn about
+		 * unhandled enum values.  But this needs to be here anyway to cover the
+		 * possibility of an incorrect input.
+		 */
+		appendStrVal(lex->errormsg,
+					 "unexpected json parse error type: %d", (int) error);
+	}
+
+#ifdef FRONTEND
+	if (PQExpBufferBroken(lex->errormsg))
+		return _("out of memory while constructing error description");
 #endif
+
+	return lex->errormsg->data;
+}
diff --git a/src/include/common/jsonapi.h b/src/include/common/jsonapi.h
index ec3dfce9c3..dc71ab2cd3 100644
--- a/src/include/common/jsonapi.h
+++ b/src/include/common/jsonapi.h
@@ -14,8 +14,6 @@
 #ifndef JSONAPI_H
 #define JSONAPI_H
 
-#include "lib/stringinfo.h"
-
 typedef enum
 {
 	JSON_TOKEN_INVALID,
@@ -48,6 +46,7 @@ typedef enum
 	JSON_EXPECTED_OBJECT_NEXT,
 	JSON_EXPECTED_STRING,
 	JSON_INVALID_TOKEN,
+	JSON_OUT_OF_MEMORY,
 	JSON_UNICODE_CODE_POINT_ZERO,
 	JSON_UNICODE_ESCAPE_FORMAT,
 	JSON_UNICODE_HIGH_ESCAPE,
@@ -55,6 +54,17 @@ typedef enum
 	JSON_UNICODE_LOW_SURROGATE
 } JsonParseErrorType;
 
+/*
+ * Don't depend on the internal type header for strval; if callers need access
+ * then they can include the appropriate header themselves.
+ */
+#ifdef FRONTEND
+#define StrValType PQExpBufferData
+#else
+#define StrValType StringInfoData
+#endif
+
+typedef struct StrValType StrValType;
 
 /*
  * All the fields in this structure should be treated as read-only.
@@ -81,7 +91,9 @@ typedef struct JsonLexContext
 	int			lex_level;
 	int			line_number;	/* line number, starting from 1 */
 	char	   *line_start;		/* where that line starts within input */
-	StringInfo	strval;
+	bool		parse_strval;
+	StrValType *strval;			/* only used if parse_strval == true */
+	StrValType *errormsg;
 } JsonLexContext;
 
 typedef void (*json_struct_action) (void *state);
@@ -141,9 +153,10 @@ extern JsonSemAction nullSemAction;
  */
 extern JsonParseErrorType json_count_array_elements(JsonLexContext *lex,
 													int *elements);
+#ifndef FRONTEND
 
 /*
- * constructor for JsonLexContext, with or without strval element.
+ * allocating constructor for JsonLexContext, with or without strval element.
  * If supplied, the strval element will contain a de-escaped version of
  * the lexeme. However, doing this imposes a performance penalty, so
  * it should be avoided if the de-escaped lexeme is not required.
@@ -153,6 +166,32 @@ extern JsonLexContext *makeJsonLexContextCstringLen(char *json,
 													int encoding,
 													bool need_escapes);
 
+/*
+ * Counterpart to makeJsonLexContextCstringLen(): clears and deallocates lex.
+ * The context pointer should not be used after this call.
+ */
+extern void destroyJsonLexContext(JsonLexContext *lex);
+
+#endif /* !FRONTEND */
+
+/*
+ * stack constructor for JsonLexContext, with or without strval element.
+ * If supplied, the strval element will contain a de-escaped version of
+ * the lexeme. However, doing this imposes a performance penalty, so
+ * it should be avoided if the de-escaped lexeme is not required.
+ */
+extern void initJsonLexContextCstringLen(JsonLexContext *lex,
+										 char *json,
+										 int len,
+										 int encoding,
+										 bool need_escapes);
+
+/*
+ * Counterpart to initJsonLexContextCstringLen(): clears the contents of lex,
+ * but does not deallocate lex itself.
+ */
+extern void termJsonLexContext(JsonLexContext *lex);
+
 /* lex one token */
 extern JsonParseErrorType json_lex(JsonLexContext *lex);
 
-- 
2.25.1

From 52ac4bd25ca19735eb2bd863e8b1549ccbe6560a Mon Sep 17 00:00:00 2001
From: Jacob Champion <pchampion@vmware.com>
Date: Tue, 13 Apr 2021 10:27:27 -0700
Subject: [PATCH v2 2/5] libpq: add OAUTHBEARER SASL mechanism

DO NOT USE THIS PROOF OF CONCEPT IN PRODUCTION.

Implement OAUTHBEARER (RFC 7628) and OAuth 2.0 Device Authorization
Grants (RFC 8628) on the client side. When speaking to a OAuth-enabled
server, it looks a bit like this:

    $ psql 'host=example.org oauth_client_id=f02c6361-0635-...'
    Visit https://oauth.example.org/login and enter the code: FPQ2-M4BG

The OAuth issuer must support device authorization. No other OAuth flows
are currently implemented.

The client implementation requires libiddawc and its development
headers. Configure --with-oauth (and --with-includes/--with-libraries to
point at the iddawc installation, if it's in a custom location).

Several TODOs:
- don't retry forever if the server won't accept our token
- perform several sanity checks on the OAuth issuer's responses
- handle cases where the client has been set up with an issuer and
  scope, but the Postgres server wants to use something different
- improve error debuggability during the OAuth handshake
- ...and more.
---
 configure                            | 100 ++++
 configure.ac                         |  19 +
 src/Makefile.global.in               |   1 +
 src/include/common/oauth-common.h    |  19 +
 src/include/pg_config.h.in           |   6 +
 src/interfaces/libpq/Makefile        |   7 +-
 src/interfaces/libpq/fe-auth-oauth.c | 745 +++++++++++++++++++++++++++
 src/interfaces/libpq/fe-auth-sasl.h  |   5 +-
 src/interfaces/libpq/fe-auth-scram.c |   6 +-
 src/interfaces/libpq/fe-auth.c       |  42 +-
 src/interfaces/libpq/fe-auth.h       |   3 +
 src/interfaces/libpq/fe-connect.c    |  38 ++
 src/interfaces/libpq/libpq-int.h     |   8 +
 13 files changed, 980 insertions(+), 19 deletions(-)
 create mode 100644 src/include/common/oauth-common.h
 create mode 100644 src/interfaces/libpq/fe-auth-oauth.c

diff --git a/configure b/configure
index 7542fe30a1..2ddbe9a1d9 100755
--- a/configure
+++ b/configure
@@ -713,6 +713,7 @@ with_uuid
 with_readline
 with_systemd
 with_selinux
+with_oauth
 with_ldap
 with_krb_srvnam
 krb_srvtab
@@ -856,6 +857,7 @@ with_krb_srvnam
 with_pam
 with_bsd_auth
 with_ldap
+with_oauth
 with_bonjour
 with_selinux
 with_systemd
@@ -1562,6 +1564,7 @@ Optional Packages:
   --with-pam              build with PAM support
   --with-bsd-auth         build with BSD Authentication support
   --with-ldap             build with LDAP support
+  --with-oauth            build with OAuth 2.0 support
   --with-bonjour          build with Bonjour support
   --with-selinux          build with SELinux support
   --with-systemd          build with systemd support
@@ -8144,6 +8147,42 @@ $as_echo "$with_ldap" >&6; }
 
 
 
+#
+# OAuth 2.0
+#
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with OAuth support" >&5
+$as_echo_n "checking whether to build with OAuth support... " >&6; }
+
+
+
+# Check whether --with-oauth was given.
+if test "${with_oauth+set}" = set; then :
+  withval=$with_oauth;
+  case $withval in
+    yes)
+
+$as_echo "#define USE_OAUTH 1" >>confdefs.h
+
+      ;;
+    no)
+      :
+      ;;
+    *)
+      as_fn_error $? "no argument expected for --with-oauth option" "$LINENO" 5
+      ;;
+  esac
+
+else
+  with_oauth=no
+
+fi
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_oauth" >&5
+$as_echo "$with_oauth" >&6; }
+
+
+
 #
 # Bonjour
 #
@@ -13084,6 +13123,56 @@ fi
 
 
 
+if test "$with_oauth" = yes ; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for i_init_session in -liddawc" >&5
+$as_echo_n "checking for i_init_session in -liddawc... " >&6; }
+if ${ac_cv_lib_iddawc_i_init_session+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-liddawc  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char i_init_session ();
+int
+main ()
+{
+return i_init_session ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_iddawc_i_init_session=yes
+else
+  ac_cv_lib_iddawc_i_init_session=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_iddawc_i_init_session" >&5
+$as_echo "$ac_cv_lib_iddawc_i_init_session" >&6; }
+if test "x$ac_cv_lib_iddawc_i_init_session" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBIDDAWC 1
+_ACEOF
+
+  LIBS="-liddawc $LIBS"
+
+else
+  as_fn_error $? "library 'iddawc' is required for OAuth support" "$LINENO" 5
+fi
+
+fi
+
 # for contrib/sepgsql
 if test "$with_selinux" = yes; then
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for security_compute_create_name in -lselinux" >&5
@@ -13978,6 +14067,17 @@ fi
 
 done
 
+fi
+
+if test "$with_oauth" != no; then
+  ac_fn_c_check_header_mongrel "$LINENO" "iddawc.h" "ac_cv_header_iddawc_h" "$ac_includes_default"
+if test "x$ac_cv_header_iddawc_h" = xyes; then :
+
+else
+  as_fn_error $? "header file <iddawc.h> is required for OAuth" "$LINENO" 5
+fi
+
+
 fi
 
 if test "$PORTNAME" = "win32" ; then
diff --git a/configure.ac b/configure.ac
index ed3cdb9a8e..22026476d9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -851,6 +851,17 @@ AC_MSG_RESULT([$with_ldap])
 AC_SUBST(with_ldap)
 
 
+#
+# OAuth 2.0
+#
+AC_MSG_CHECKING([whether to build with OAuth support])
+PGAC_ARG_BOOL(with, oauth, no,
+              [build with OAuth 2.0 support],
+              [AC_DEFINE([USE_OAUTH], 1, [Define to 1 to build with OAuth 2.0 support. (--with-oauth)])])
+AC_MSG_RESULT([$with_oauth])
+AC_SUBST(with_oauth)
+
+
 #
 # Bonjour
 #
@@ -1321,6 +1332,10 @@ fi
 AC_SUBST(LDAP_LIBS_FE)
 AC_SUBST(LDAP_LIBS_BE)
 
+if test "$with_oauth" = yes ; then
+  AC_CHECK_LIB(iddawc, i_init_session, [], [AC_MSG_ERROR([library 'iddawc' is required for OAuth support])])
+fi
+
 # for contrib/sepgsql
 if test "$with_selinux" = yes; then
   AC_CHECK_LIB(selinux, security_compute_create_name, [],
@@ -1531,6 +1546,10 @@ elif test "$with_uuid" = ossp ; then
       [AC_MSG_ERROR([header file <ossp/uuid.h> or <uuid.h> is required for OSSP UUID])])])
 fi
 
+if test "$with_oauth" != no; then
+  AC_CHECK_HEADER(iddawc.h, [], [AC_MSG_ERROR([header file <iddawc.h> is required for OAuth])])
+fi
+
 if test "$PORTNAME" = "win32" ; then
    AC_CHECK_HEADERS(crtdefs.h)
 fi
diff --git a/src/Makefile.global.in b/src/Makefile.global.in
index 6e2f224cc4..d67912711e 100644
--- a/src/Makefile.global.in
+++ b/src/Makefile.global.in
@@ -193,6 +193,7 @@ with_ldap	= @with_ldap@
 with_libxml	= @with_libxml@
 with_libxslt	= @with_libxslt@
 with_llvm	= @with_llvm@
+with_oauth	= @with_oauth@
 with_system_tzdata = @with_system_tzdata@
 with_uuid	= @with_uuid@
 with_zlib	= @with_zlib@
diff --git a/src/include/common/oauth-common.h b/src/include/common/oauth-common.h
new file mode 100644
index 0000000000..3fa95ac7e8
--- /dev/null
+++ b/src/include/common/oauth-common.h
@@ -0,0 +1,19 @@
+/*-------------------------------------------------------------------------
+ *
+ * oauth-common.h
+ *		Declarations for helper functions used for OAuth/OIDC authentication
+ *
+ * Portions Copyright (c) 1996-2021, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ * src/include/common/oauth-common.h
+ *
+ *-------------------------------------------------------------------------
+ */
+#ifndef OAUTH_COMMON_H
+#define OAUTH_COMMON_H
+
+/* Name of SASL mechanism per IANA */
+#define OAUTHBEARER_NAME "OAUTHBEARER"
+
+#endif /* OAUTH_COMMON_H */
diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in
index 15ffdd895a..f82ab38536 100644
--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
@@ -331,6 +331,9 @@
 /* Define to 1 if you have the `crypto' library (-lcrypto). */
 #undef HAVE_LIBCRYPTO
 
+/* Define to 1 if you have the `iddawc' library (-liddawc). */
+#undef HAVE_LIBIDDAWC
+
 /* Define to 1 if you have the `ldap' library (-lldap). */
 #undef HAVE_LIBLDAP
 
@@ -926,6 +929,9 @@
 /* Define to select named POSIX semaphores. */
 #undef USE_NAMED_POSIX_SEMAPHORES
 
+/* Define to 1 to build with OAuth 2.0 support. (--with-oauth) */
+#undef USE_OAUTH
+
 /* Define to 1 to build with OpenSSL support. (--with-ssl=openssl) */
 #undef USE_OPENSSL
 
diff --git a/src/interfaces/libpq/Makefile b/src/interfaces/libpq/Makefile
index 7cbdeb589b..3cdf19294b 100644
--- a/src/interfaces/libpq/Makefile
+++ b/src/interfaces/libpq/Makefile
@@ -62,6 +62,11 @@ OBJS += \
 	fe-secure-gssapi.o
 endif
 
+ifeq ($(with_oauth),yes)
+OBJS += \
+	fe-auth-oauth.o
+endif
+
 ifeq ($(PORTNAME), cygwin)
 override shlib = cyg$(NAME)$(DLSUFFIX)
 endif
@@ -83,7 +88,7 @@ endif
 # that are built correctly for use in a shlib.
 SHLIB_LINK_INTERNAL = -lpgcommon_shlib -lpgport_shlib
 ifneq ($(PORTNAME), win32)
-SHLIB_LINK += $(filter -lcrypt -ldes -lcom_err -lcrypto -lk5crypto -lkrb5 -lgssapi_krb5 -lgss -lgssapi -lssl -lsocket -lnsl -lresolv -lintl -lm, $(LIBS)) $(LDAP_LIBS_FE) $(PTHREAD_LIBS)
+SHLIB_LINK += $(filter -lcrypt -ldes -lcom_err -lcrypto -lk5crypto -lkrb5 -lgssapi_krb5 -lgss -lgssapi -lssl -liddawc -lsocket -lnsl -lresolv -lintl -lm, $(LIBS)) $(LDAP_LIBS_FE) $(PTHREAD_LIBS)
 else
 SHLIB_LINK += $(filter -lcrypt -ldes -lcom_err -lcrypto -lk5crypto -lkrb5 -lgssapi32 -lssl -lsocket -lnsl -lresolv -lintl -lm $(PTHREAD_LIBS), $(LIBS)) $(LDAP_LIBS_FE)
 endif
diff --git a/src/interfaces/libpq/fe-auth-oauth.c b/src/interfaces/libpq/fe-auth-oauth.c
new file mode 100644
index 0000000000..91d2c69f16
--- /dev/null
+++ b/src/interfaces/libpq/fe-auth-oauth.c
@@ -0,0 +1,745 @@
+/*-------------------------------------------------------------------------
+ *
+ * fe-auth-oauth.c
+ *	   The front-end (client) implementation of OAuth/OIDC authentication.
+ *
+ * Portions Copyright (c) 1996-2021, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ * IDENTIFICATION
+ *	  src/interfaces/libpq/fe-auth-oauth.c
+ *
+ *-------------------------------------------------------------------------
+ */
+
+#include <iddawc.h>
+
+#include "postgres_fe.h"
+
+#include "common/base64.h"
+#include "common/hmac.h"
+#include "common/jsonapi.h"
+#include "common/oauth-common.h"
+#include "fe-auth.h"
+#include "mb/pg_wchar.h"
+
+/* The exported OAuth callback mechanism. */
+static void *oauth_init(PGconn *conn, const char *password,
+						const char *sasl_mechanism);
+static void oauth_exchange(void *opaq, bool final,
+						   char *input, int inputlen,
+						   char **output, int *outputlen,
+						   bool *done, bool *success);
+static bool oauth_channel_bound(void *opaq);
+static void oauth_free(void *opaq);
+
+const pg_fe_sasl_mech pg_oauth_mech = {
+	oauth_init,
+	oauth_exchange,
+	oauth_channel_bound,
+	oauth_free,
+};
+
+typedef enum
+{
+	FE_OAUTH_INIT,
+	FE_OAUTH_BEARER_SENT,
+	FE_OAUTH_SERVER_ERROR,
+} fe_oauth_state_enum;
+
+typedef struct
+{
+	fe_oauth_state_enum state;
+
+	PGconn	   *conn;
+} fe_oauth_state;
+
+static void *
+oauth_init(PGconn *conn, const char *password,
+		   const char *sasl_mechanism)
+{
+	fe_oauth_state *state;
+
+	/*
+	 * We only support one SASL mechanism here; anything else is programmer
+	 * error.
+	 */
+	Assert(sasl_mechanism != NULL);
+	Assert(!strcmp(sasl_mechanism, OAUTHBEARER_NAME));
+
+	state = malloc(sizeof(*state));
+	if (!state)
+		return NULL;
+
+	state->state = FE_OAUTH_INIT;
+	state->conn = conn;
+
+	return state;
+}
+
+static const char *
+iddawc_error_string(int errcode)
+{
+	switch (errcode)
+	{
+		case I_OK:
+			return "I_OK";
+
+		case I_ERROR:
+			return "I_ERROR";
+
+		case I_ERROR_PARAM:
+			return "I_ERROR_PARAM";
+
+		case I_ERROR_MEMORY:
+			return "I_ERROR_MEMORY";
+
+		case I_ERROR_UNAUTHORIZED:
+			return "I_ERROR_UNAUTHORIZED";
+
+		case I_ERROR_SERVER:
+			return "I_ERROR_SERVER";
+	}
+
+	return "<unknown>";
+}
+
+static void
+iddawc_error(PGconn *conn, int errcode, const char *msg)
+{
+	appendPQExpBufferStr(&conn->errorMessage, libpq_gettext(msg));
+	appendPQExpBuffer(&conn->errorMessage,
+					  libpq_gettext(" (iddawc error %s)\n"),
+					  iddawc_error_string(errcode));
+}
+
+static void
+iddawc_request_error(PGconn *conn, struct _i_session *i, int err, const char *msg)
+{
+	const char *error_code;
+	const char *desc;
+
+	appendPQExpBuffer(&conn->errorMessage, "%s: ", libpq_gettext(msg));
+
+	error_code = i_get_str_parameter(i, I_OPT_ERROR);
+	if (!error_code)
+	{
+		/*
+		 * The server didn't give us any useful information, so just print the
+		 * error code.
+		 */
+		appendPQExpBuffer(&conn->errorMessage,
+						  libpq_gettext("(iddawc error %s)\n"),
+						  iddawc_error_string(err));
+		return;
+	}
+
+	/* If the server gave a string description, print that too. */
+	desc = i_get_str_parameter(i, I_OPT_ERROR_DESCRIPTION);
+	if (desc)
+		appendPQExpBuffer(&conn->errorMessage, "%s ", desc);
+
+	appendPQExpBuffer(&conn->errorMessage, "(%s)\n", error_code);
+}
+
+static char *
+get_auth_token(PGconn *conn)
+{
+	PQExpBuffer	token_buf = NULL;
+	struct _i_session session;
+	int			err;
+	int			auth_method;
+	bool		user_prompted = false;
+	const char *verification_uri;
+	const char *user_code;
+	const char *access_token;
+	const char *token_type;
+	char	   *token = NULL;
+
+	if (!conn->oauth_discovery_uri)
+		return strdup(""); /* ask the server for one */
+
+	i_init_session(&session);
+
+	if (!conn->oauth_client_id)
+	{
+		/* We can't talk to a server without a client identifier. */
+		appendPQExpBufferStr(&conn->errorMessage,
+							 libpq_gettext("no oauth_client_id is set for the connection"));
+		goto cleanup;
+	}
+
+	token_buf = createPQExpBuffer();
+
+	if (!token_buf)
+		goto cleanup;
+
+	err = i_set_str_parameter(&session, I_OPT_OPENID_CONFIG_ENDPOINT, conn->oauth_discovery_uri);
+	if (err)
+	{
+		iddawc_error(conn, err, "failed to set OpenID config endpoint");
+		goto cleanup;
+	}
+
+	err = i_get_openid_config(&session);
+	if (err)
+	{
+		iddawc_error(conn, err, "failed to fetch OpenID discovery document");
+		goto cleanup;
+	}
+
+	if (!i_get_str_parameter(&session, I_OPT_TOKEN_ENDPOINT))
+	{
+		appendPQExpBufferStr(&conn->errorMessage,
+							 libpq_gettext("issuer has no token endpoint"));
+		goto cleanup;
+	}
+
+	if (!i_get_str_parameter(&session, I_OPT_DEVICE_AUTHORIZATION_ENDPOINT))
+	{
+		appendPQExpBufferStr(&conn->errorMessage,
+							 libpq_gettext("issuer does not support device authorization"));
+		goto cleanup;
+	}
+
+	err = i_set_response_type(&session, I_RESPONSE_TYPE_DEVICE_CODE);
+	if (err)
+	{
+		iddawc_error(conn, err, "failed to set device code response type");
+		goto cleanup;
+	}
+
+	auth_method = I_TOKEN_AUTH_METHOD_NONE;
+	if (conn->oauth_client_secret && *conn->oauth_client_secret)
+		auth_method = I_TOKEN_AUTH_METHOD_SECRET_BASIC;
+
+	err = i_set_parameter_list(&session,
+		I_OPT_CLIENT_ID, conn->oauth_client_id,
+		I_OPT_CLIENT_SECRET, conn->oauth_client_secret,
+		I_OPT_TOKEN_METHOD, auth_method,
+		I_OPT_SCOPE, conn->oauth_scope,
+		I_OPT_NONE
+	);
+	if (err)
+	{
+		iddawc_error(conn, err, "failed to set client identifier");
+		goto cleanup;
+	}
+
+	err = i_run_device_auth_request(&session);
+	if (err)
+	{
+		iddawc_request_error(conn, &session, err,
+							"failed to obtain device authorization");
+		goto cleanup;
+	}
+
+	verification_uri = i_get_str_parameter(&session, I_OPT_DEVICE_AUTH_VERIFICATION_URI);
+	if (!verification_uri)
+	{
+		appendPQExpBufferStr(&conn->errorMessage,
+							 libpq_gettext("issuer did not provide a verification URI"));
+		goto cleanup;
+	}
+
+	user_code = i_get_str_parameter(&session, I_OPT_DEVICE_AUTH_USER_CODE);
+	if (!user_code)
+	{
+		appendPQExpBufferStr(&conn->errorMessage,
+							 libpq_gettext("issuer did not provide a user code"));
+		goto cleanup;
+	}
+
+	/*
+	 * Poll the token endpoint until either the user logs in and authorizes the
+	 * use of a token, or a hard failure occurs. We perform one ping _before_
+	 * prompting the user, so that we don't make them do the work of logging in
+	 * only to find that the token endpoint is completely unreachable.
+	 */
+	err = i_run_token_request(&session);
+	while (err)
+	{
+		const char *error_code;
+		uint		interval;
+
+		error_code = i_get_str_parameter(&session, I_OPT_ERROR);
+
+		/*
+		 * authorization_pending and slow_down are the only acceptable errors;
+		 * anything else and we bail.
+		 */
+		if (!error_code || (strcmp(error_code, "authorization_pending")
+							&& strcmp(error_code, "slow_down")))
+		{
+			iddawc_request_error(conn, &session, err,
+								"OAuth token retrieval failed");
+			goto cleanup;
+		}
+
+		if (!user_prompted)
+		{
+			/*
+			 * Now that we know the token endpoint isn't broken, give the user
+			 * the login instructions.
+			 */
+			pqInternalNotice(&conn->noticeHooks,
+							 "Visit %s and enter the code: %s",
+							 verification_uri, user_code);
+
+			user_prompted = true;
+		}
+
+		/*
+		 * We are required to wait between polls; the server tells us how long.
+		 * TODO: if interval's not set, we need to default to five seconds
+		 * TODO: sanity check the interval
+		 */
+		interval = i_get_int_parameter(&session, I_OPT_DEVICE_AUTH_INTERVAL);
+
+		/*
+		 * A slow_down error requires us to permanently increase our retry
+		 * interval by five seconds. RFC 8628, Sec. 3.5.
+		 */
+		if (!strcmp(error_code, "slow_down"))
+		{
+			interval += 5;
+			i_set_int_parameter(&session, I_OPT_DEVICE_AUTH_INTERVAL, interval);
+		}
+
+		sleep(interval);
+
+		/*
+		 * XXX Reset the error code before every call, because iddawc won't do
+		 * that for us. This matters if the server first sends a "pending" error
+		 * code, then later hard-fails without sending an error code to
+		 * overwrite the first one.
+		 *
+		 * That we have to do this at all seems like a bug in iddawc.
+		 */
+		i_set_str_parameter(&session, I_OPT_ERROR, NULL);
+
+		err = i_run_token_request(&session);
+	}
+
+	access_token = i_get_str_parameter(&session, I_OPT_ACCESS_TOKEN);
+	token_type = i_get_str_parameter(&session, I_OPT_TOKEN_TYPE);
+
+	if (!access_token || !token_type || strcasecmp(token_type, "Bearer"))
+	{
+		appendPQExpBufferStr(&conn->errorMessage,
+							 libpq_gettext("issuer did not provide a bearer token"));
+		goto cleanup;
+	}
+
+	appendPQExpBufferStr(token_buf, "Bearer ");
+	appendPQExpBufferStr(token_buf, access_token);
+
+	if (PQExpBufferBroken(token_buf))
+		goto cleanup;
+
+	token = strdup(token_buf->data);
+
+cleanup:
+	if (token_buf)
+		destroyPQExpBuffer(token_buf);
+	i_clean_session(&session);
+
+	return token;
+}
+
+#define kvsep "\x01"
+
+static char *
+client_initial_response(PGconn *conn)
+{
+	static const char * const resp_format = "n,," kvsep "auth=%s" kvsep kvsep;
+
+	PQExpBuffer	token_buf;
+	PQExpBuffer	discovery_buf = NULL;
+	char	   *token = NULL;
+	char	   *response = NULL;
+
+	token_buf = createPQExpBuffer();
+	if (!token_buf)
+		goto cleanup;
+
+	/*
+	 * If we don't yet have a discovery URI, but the user gave us an explicit
+	 * issuer, use the .well-known discovery URI for that issuer.
+	 */
+	if (!conn->oauth_discovery_uri && conn->oauth_issuer)
+	{
+		discovery_buf = createPQExpBuffer();
+		if (!discovery_buf)
+			goto cleanup;
+
+		appendPQExpBufferStr(discovery_buf, conn->oauth_issuer);
+		appendPQExpBufferStr(discovery_buf, "/.well-known/openid-configuration");
+
+		if (PQExpBufferBroken(discovery_buf))
+			goto cleanup;
+
+		conn->oauth_discovery_uri = strdup(discovery_buf->data);
+	}
+
+	token = get_auth_token(conn);
+	if (!token)
+		goto cleanup;
+
+	appendPQExpBuffer(token_buf, resp_format, token);
+	if (PQExpBufferBroken(token_buf))
+		goto cleanup;
+
+	response = strdup(token_buf->data);
+
+cleanup:
+	if (token)
+		free(token);
+	if (discovery_buf)
+		destroyPQExpBuffer(discovery_buf);
+	if (token_buf)
+		destroyPQExpBuffer(token_buf);
+
+	return response;
+}
+
+#define ERROR_STATUS_FIELD "status"
+#define ERROR_SCOPE_FIELD "scope"
+#define ERROR_OPENID_CONFIGURATION_FIELD "openid-configuration"
+
+struct json_ctx
+{
+	char		   *errmsg; /* any non-NULL value stops all processing */
+	PQExpBufferData errbuf; /* backing memory for errmsg */
+	int				nested; /* nesting level (zero is the top) */
+
+	const char	   *target_field_name; /* points to a static allocation */
+	char		  **target_field;      /* see below */
+
+	/* target_field, if set, points to one of the following: */
+	char		   *status;
+	char		   *scope;
+	char		   *discovery_uri;
+};
+
+#define oauth_json_has_error(ctx) \
+	(PQExpBufferDataBroken((ctx)->errbuf) || (ctx)->errmsg)
+
+#define oauth_json_set_error(ctx, ...) \
+	do { \
+		appendPQExpBuffer(&(ctx)->errbuf, __VA_ARGS__); \
+		(ctx)->errmsg = (ctx)->errbuf.data; \
+	} while (0)
+
+static void
+oauth_json_object_start(void *state)
+{
+	struct json_ctx	   *ctx = state;
+
+	if (oauth_json_has_error(ctx))
+		return; /* short-circuit */
+
+	if (ctx->target_field)
+	{
+		Assert(ctx->nested == 1);
+
+		oauth_json_set_error(ctx,
+							 libpq_gettext("field \"%s\" must be a string"),
+							 ctx->target_field_name);
+	}
+
+	++ctx->nested;
+}
+
+static void
+oauth_json_object_end(void *state)
+{
+	struct json_ctx	   *ctx = state;
+
+	if (oauth_json_has_error(ctx))
+		return; /* short-circuit */
+
+	--ctx->nested;
+}
+
+static void
+oauth_json_object_field_start(void *state, char *name, bool isnull)
+{
+	struct json_ctx	   *ctx = state;
+
+	if (oauth_json_has_error(ctx))
+	{
+		/* short-circuit */
+		free(name);
+		return;
+	}
+
+	if (ctx->nested == 1)
+	{
+		if (!strcmp(name, ERROR_STATUS_FIELD))
+		{
+			ctx->target_field_name = ERROR_STATUS_FIELD;
+			ctx->target_field = &ctx->status;
+		}
+		else if (!strcmp(name, ERROR_SCOPE_FIELD))
+		{
+			ctx->target_field_name = ERROR_SCOPE_FIELD;
+			ctx->target_field = &ctx->scope;
+		}
+		else if (!strcmp(name, ERROR_OPENID_CONFIGURATION_FIELD))
+		{
+			ctx->target_field_name = ERROR_OPENID_CONFIGURATION_FIELD;
+			ctx->target_field = &ctx->discovery_uri;
+		}
+	}
+
+	free(name);
+}
+
+static void
+oauth_json_array_start(void *state)
+{
+	struct json_ctx	   *ctx = state;
+
+	if (oauth_json_has_error(ctx))
+		return; /* short-circuit */
+
+	if (!ctx->nested)
+	{
+		ctx->errmsg = libpq_gettext("top-level element must be an object");
+	}
+	else if (ctx->target_field)
+	{
+		Assert(ctx->nested == 1);
+
+		oauth_json_set_error(ctx,
+							 libpq_gettext("field \"%s\" must be a string"),
+							 ctx->target_field_name);
+	}
+}
+
+static void
+oauth_json_scalar(void *state, char *token, JsonTokenType type)
+{
+	struct json_ctx	   *ctx = state;
+
+	if (oauth_json_has_error(ctx))
+	{
+		/* short-circuit */
+		free(token);
+		return;
+	}
+
+	if (!ctx->nested)
+	{
+		ctx->errmsg = libpq_gettext("top-level element must be an object");
+	}
+	else if (ctx->target_field)
+	{
+		Assert(ctx->nested == 1);
+
+		if (type == JSON_TOKEN_STRING)
+		{
+			*ctx->target_field = token;
+
+			ctx->target_field = NULL;
+			ctx->target_field_name = NULL;
+
+			return; /* don't free the token we're using */
+		}
+
+		oauth_json_set_error(ctx,
+							 libpq_gettext("field \"%s\" must be a string"),
+							 ctx->target_field_name);
+	}
+
+	free(token);
+}
+
+static bool
+handle_oauth_sasl_error(PGconn *conn, char *msg, int msglen)
+{
+	JsonLexContext		lex = {0};
+	JsonSemAction		sem = {0};
+	JsonParseErrorType	err;
+	struct json_ctx		ctx = {0};
+	char			   *errmsg = NULL;
+
+	/* Sanity check. */
+	if (strlen(msg) != msglen)
+	{
+		appendPQExpBufferStr(&conn->errorMessage,
+							 libpq_gettext("server's error message contained an embedded NULL"));
+		return false;
+	}
+
+	initJsonLexContextCstringLen(&lex, msg, msglen, PG_UTF8, true);
+
+	initPQExpBuffer(&ctx.errbuf);
+	sem.semstate = &ctx;
+
+	sem.object_start = oauth_json_object_start;
+	sem.object_end = oauth_json_object_end;
+	sem.object_field_start = oauth_json_object_field_start;
+	sem.array_start = oauth_json_array_start;
+	sem.scalar = oauth_json_scalar;
+
+	err = pg_parse_json(&lex, &sem);
+
+	if (err != JSON_SUCCESS)
+	{
+		errmsg = json_errdetail(err, &lex);
+	}
+	else if (PQExpBufferDataBroken(ctx.errbuf))
+	{
+		errmsg = libpq_gettext("out of memory");
+	}
+	else if (ctx.errmsg)
+	{
+		errmsg = ctx.errmsg;
+	}
+
+	if (errmsg)
+		appendPQExpBuffer(&conn->errorMessage,
+						  libpq_gettext("failed to parse server's error response: %s"),
+						  errmsg);
+
+	/* Don't need the error buffer or the JSON lexer anymore. */
+	termPQExpBuffer(&ctx.errbuf);
+	termJsonLexContext(&lex);
+
+	if (errmsg)
+		return false;
+
+	/* TODO: what if these override what the user already specified? */
+	if (ctx.discovery_uri)
+	{
+		if (conn->oauth_discovery_uri)
+			free(conn->oauth_discovery_uri);
+
+		conn->oauth_discovery_uri = ctx.discovery_uri;
+	}
+
+	if (ctx.scope)
+	{
+		if (conn->oauth_scope)
+			free(conn->oauth_scope);
+
+		conn->oauth_scope = ctx.scope;
+	}
+	/* TODO: missing error scope should clear any existing connection scope */
+
+	if (!ctx.status)
+	{
+		appendPQExpBuffer(&conn->errorMessage,
+						  libpq_gettext("server sent error response without a status"));
+		return false;
+	}
+
+	if (!strcmp(ctx.status, "invalid_token"))
+	{
+		/*
+		 * invalid_token is the only error code we'll automatically retry for,
+		 * but only if we have enough information to do so.
+		 */
+		if (conn->oauth_discovery_uri)
+			conn->oauth_want_retry = true;
+	}
+	/* TODO: include status in hard failure message */
+
+	return true;
+}
+
+static void
+oauth_exchange(void *opaq, bool final,
+			   char *input, int inputlen,
+			   char **output, int *outputlen,
+			   bool *done, bool *success)
+{
+	fe_oauth_state *state = opaq;
+	PGconn	   *conn = state->conn;
+
+	*done = false;
+	*success = false;
+	*output = NULL;
+	*outputlen = 0;
+
+	switch (state->state)
+	{
+		case FE_OAUTH_INIT:
+			Assert(inputlen == -1);
+
+			*output = client_initial_response(conn);
+			if (!*output)
+				goto error;
+
+			*outputlen = strlen(*output);
+			state->state = FE_OAUTH_BEARER_SENT;
+
+			break;
+
+		case FE_OAUTH_BEARER_SENT:
+			if (final)
+			{
+				/* TODO: ensure there is no message content here. */
+				*done = true;
+				*success = true;
+
+				break;
+			}
+
+			/*
+			 * Error message sent by the server.
+			 */
+			if (!handle_oauth_sasl_error(conn, input, inputlen))
+				goto error;
+
+			/*
+			 * Respond with the required dummy message (RFC 7628, sec. 3.2.3).
+			 */
+			*output = strdup(kvsep);
+			*outputlen = strlen(*output); /* == 1 */
+
+			state->state = FE_OAUTH_SERVER_ERROR;
+			break;
+
+		case FE_OAUTH_SERVER_ERROR:
+			/*
+			 * After an error, the server should send an error response to fail
+			 * the SASL handshake, which is handled in higher layers.
+			 *
+			 * If we get here, the server either sent *another* challenge which
+			 * isn't defined in the RFC, or completed the handshake successfully
+			 * after telling us it was going to fail. Neither is acceptable.
+			 */
+			appendPQExpBufferStr(&conn->errorMessage,
+								 libpq_gettext("server sent additional OAuth data after error\n"));
+			goto error;
+
+		default:
+			appendPQExpBufferStr(&conn->errorMessage,
+								 libpq_gettext("invalid OAuth exchange state\n"));
+			goto error;
+	}
+
+	return;
+
+error:
+	*done = true;
+	*success = false;
+}
+
+static bool
+oauth_channel_bound(void *opaq)
+{
+	/* This mechanism does not support channel binding. */
+	return false;
+}
+
+static void
+oauth_free(void *opaq)
+{
+	fe_oauth_state *state = opaq;
+
+	free(state);
+}
diff --git a/src/interfaces/libpq/fe-auth-sasl.h b/src/interfaces/libpq/fe-auth-sasl.h
index 3d7ee576f2..0920102908 100644
--- a/src/interfaces/libpq/fe-auth-sasl.h
+++ b/src/interfaces/libpq/fe-auth-sasl.h
@@ -65,6 +65,8 @@ typedef struct pg_fe_sasl_mech
 	 *
 	 *	state:	   The opaque mechanism state returned by init()
 	 *
+	 *	final:	   true if the server has sent a final exchange outcome
+	 *
 	 *	input:	   The challenge data sent by the server, or NULL when
 	 *			   generating a client-first initial response (that is, when
 	 *			   the server expects the client to send a message to start
@@ -92,7 +94,8 @@ typedef struct pg_fe_sasl_mech
 	 *			   Ignored if *done is false.
 	 *--------
 	 */
-	void		(*exchange) (void *state, char *input, int inputlen,
+	void		(*exchange) (void *state, bool final,
+							 char *input, int inputlen,
 							 char **output, int *outputlen,
 							 bool *done, bool *success);
 
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index 4337e89ce9..489cbeda50 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -24,7 +24,8 @@
 /* The exported SCRAM callback mechanism. */
 static void *scram_init(PGconn *conn, const char *password,
 						const char *sasl_mechanism);
-static void scram_exchange(void *opaq, char *input, int inputlen,
+static void scram_exchange(void *opaq, bool final,
+						   char *input, int inputlen,
 						   char **output, int *outputlen,
 						   bool *done, bool *success);
 static bool scram_channel_bound(void *opaq);
@@ -205,7 +206,8 @@ scram_free(void *opaq)
  * Exchange a SCRAM message with backend.
  */
 static void
-scram_exchange(void *opaq, char *input, int inputlen,
+scram_exchange(void *opaq, bool final,
+			   char *input, int inputlen,
 			   char **output, int *outputlen,
 			   bool *done, bool *success)
 {
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 3421ed4685..0b5b91962a 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -39,6 +39,7 @@
 #endif
 
 #include "common/md5.h"
+#include "common/oauth-common.h"
 #include "common/scram-common.h"
 #include "fe-auth.h"
 #include "fe-auth-sasl.h"
@@ -423,7 +424,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 	bool		success;
 	const char *selected_mechanism;
 	PQExpBufferData mechanism_buf;
-	char	   *password;
+	char	   *password = NULL;
 
 	initPQExpBuffer(&mechanism_buf);
 
@@ -445,8 +446,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 	/*
 	 * Parse the list of SASL authentication mechanisms in the
 	 * AuthenticationSASL message, and select the best mechanism that we
-	 * support.  SCRAM-SHA-256-PLUS and SCRAM-SHA-256 are the only ones
-	 * supported at the moment, listed by order of decreasing importance.
+	 * support.  Mechanisms are listed by order of decreasing importance.
 	 */
 	selected_mechanism = NULL;
 	for (;;)
@@ -486,6 +486,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 				{
 					selected_mechanism = SCRAM_SHA_256_PLUS_NAME;
 					conn->sasl = &pg_scram_mech;
+					conn->password_needed = true;
 				}
 #else
 				/*
@@ -523,7 +524,17 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 		{
 			selected_mechanism = SCRAM_SHA_256_NAME;
 			conn->sasl = &pg_scram_mech;
+			conn->password_needed = true;
 		}
+#ifdef USE_OAUTH
+		else if (strcmp(mechanism_buf.data, OAUTHBEARER_NAME) == 0 &&
+				!selected_mechanism)
+		{
+			selected_mechanism = OAUTHBEARER_NAME;
+			conn->sasl = &pg_oauth_mech;
+			conn->password_needed = false;
+		}
+#endif
 	}
 
 	if (!selected_mechanism)
@@ -548,18 +559,19 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 
 	/*
 	 * First, select the password to use for the exchange, complaining if
-	 * there isn't one.  Currently, all supported SASL mechanisms require a
-	 * password, so we can just go ahead here without further distinction.
+	 * there isn't one and the SASL mechanism needs it.
 	 */
-	conn->password_needed = true;
-	password = conn->connhost[conn->whichhost].password;
-	if (password == NULL)
-		password = conn->pgpass;
-	if (password == NULL || password[0] == '\0')
+	if (conn->password_needed)
 	{
-		appendPQExpBufferStr(&conn->errorMessage,
-							 PQnoPasswordSupplied);
-		goto error;
+		password = conn->connhost[conn->whichhost].password;
+		if (password == NULL)
+			password = conn->pgpass;
+		if (password == NULL || password[0] == '\0')
+		{
+			appendPQExpBufferStr(&conn->errorMessage,
+								 PQnoPasswordSupplied);
+			goto error;
+		}
 	}
 
 	Assert(conn->sasl);
@@ -577,7 +589,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 		goto oom_error;
 
 	/* Get the mechanism-specific Initial Client Response, if any */
-	conn->sasl->exchange(conn->sasl_state,
+	conn->sasl->exchange(conn->sasl_state, false,
 						 NULL, -1,
 						 &initialresponse, &initialresponselen,
 						 &done, &success);
@@ -658,7 +670,7 @@ pg_SASL_continue(PGconn *conn, int payloadlen, bool final)
 	/* For safety and convenience, ensure the buffer is NULL-terminated. */
 	challenge[payloadlen] = '\0';
 
-	conn->sasl->exchange(conn->sasl_state,
+	conn->sasl->exchange(conn->sasl_state, final,
 						 challenge, payloadlen,
 						 &output, &outputlen,
 						 &done, &success);
diff --git a/src/interfaces/libpq/fe-auth.h b/src/interfaces/libpq/fe-auth.h
index 63927480ee..03bea124a6 100644
--- a/src/interfaces/libpq/fe-auth.h
+++ b/src/interfaces/libpq/fe-auth.h
@@ -26,4 +26,7 @@ extern char *pg_fe_getauthname(PQExpBuffer errorMessage);
 extern const pg_fe_sasl_mech pg_scram_mech;
 extern char *pg_fe_scram_build_secret(const char *password);
 
+/* Mechanisms in fe-auth-oauth.c */
+extern const pg_fe_sasl_mech pg_oauth_mech;
+
 #endif							/* FE_AUTH_H */
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 49eec3e835..ba9c097060 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -344,6 +344,23 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
 		"Target-Session-Attrs", "", 15, /* sizeof("prefer-standby") = 15 */
 	offsetof(struct pg_conn, target_session_attrs)},
 
+	/* OAuth v2 */
+	{"oauth_issuer", NULL, NULL, NULL,
+		"OAuth-Issuer", "", 40,
+	offsetof(struct pg_conn, oauth_issuer)},
+
+	{"oauth_client_id", NULL, NULL, NULL,
+		"OAuth-Client-ID", "", 40,
+	offsetof(struct pg_conn, oauth_client_id)},
+
+	{"oauth_client_secret", NULL, NULL, NULL,
+		"OAuth-Client-Secret", "", 40,
+	offsetof(struct pg_conn, oauth_client_secret)},
+
+	{"oauth_scope", NULL, NULL, NULL,
+		"OAuth-Scope", "", 15,
+	offsetof(struct pg_conn, oauth_scope)},
+
 	/* Terminating entry --- MUST BE LAST */
 	{NULL, NULL, NULL, NULL,
 	NULL, NULL, 0}
@@ -606,6 +623,7 @@ pqDropServerData(PGconn *conn)
 	conn->write_err_msg = NULL;
 	conn->be_pid = 0;
 	conn->be_key = 0;
+	/* conn->oauth_want_retry = false; TODO */
 }
 
 
@@ -3355,6 +3373,16 @@ keep_going:						/* We will come back to here until there is
 					/* Check to see if we should mention pgpassfile */
 					pgpassfileWarning(conn);
 
+#ifdef USE_OAUTH
+					if (conn->sasl == &pg_oauth_mech
+						&& conn->oauth_want_retry)
+					{
+						/* TODO: only allow retry once */
+						need_new_connection = true;
+						goto keep_going;
+					}
+#endif
+
 #ifdef ENABLE_GSS
 
 					/*
@@ -4129,6 +4157,16 @@ freePGconn(PGconn *conn)
 		free(conn->rowBuf);
 	if (conn->target_session_attrs)
 		free(conn->target_session_attrs);
+	if (conn->oauth_issuer)
+		free(conn->oauth_issuer);
+	if (conn->oauth_discovery_uri)
+		free(conn->oauth_discovery_uri);
+	if (conn->oauth_client_id)
+		free(conn->oauth_client_id);
+	if (conn->oauth_client_secret)
+		free(conn->oauth_client_secret);
+	if (conn->oauth_scope)
+		free(conn->oauth_scope);
 	termPQExpBuffer(&conn->errorMessage);
 	termPQExpBuffer(&conn->workBuffer);
 
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 490458adef..3d20482550 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -394,6 +394,14 @@ struct pg_conn
 	char	   *ssl_max_protocol_version;	/* maximum TLS protocol version */
 	char	   *target_session_attrs;	/* desired session properties */
 
+	/* OAuth v2 */
+	char	   *oauth_issuer;			/* token issuer URL */
+	char	   *oauth_discovery_uri;	/* URI of the issuer's discovery document */
+	char	   *oauth_client_id;		/* client identifier */
+	char	   *oauth_client_secret;	/* client secret */
+	char	   *oauth_scope;			/* access token scope */
+	bool		oauth_want_retry;		/* should we retry on failure? */
+
 	/* Optional file to write trace info to */
 	FILE	   *Pfdebug;
 	int			traceFlags;
-- 
2.25.1

From d09a00b4d52a5ed578ee5cd7623108ebdd12f202 Mon Sep 17 00:00:00 2001
From: Jacob Champion <pchampion@vmware.com>
Date: Tue, 4 May 2021 16:21:11 -0700
Subject: [PATCH v2 3/5] backend: add OAUTHBEARER SASL mechanism

DO NOT USE THIS PROOF OF CONCEPT IN PRODUCTION.

Implement OAUTHBEARER (RFC 7628) on the server side. This adds a new
auth method, oauth, to pg_hba.

Because OAuth implementations vary so wildly, and bearer token
validation is heavily dependent on the issuing party, authn/z is done by
communicating with an external program: the oauth_validator_command.
This command must do the following:

1. Receive the bearer token by reading its contents from a file
   descriptor passed from the server. (The numeric value of this
   descriptor may be inserted into the oauth_validator_command using the
   %f specifier.)

   This MUST be the first action the command performs. The server will
   not begin reading stdout from the command until the token has been
   read in full, so if the command tries to print anything and hits a
   buffer limit, the backend will deadlock and time out.

2. Validate the bearer token. The correct way to do this depends on the
   issuer, but it generally involves either cryptographic operations to
   prove that the token was issued by a trusted party, or the
   presentation of the bearer token to some other party so that _it_ can
   perform validation.

   The command MUST maintain confidentiality of the bearer token, since
   in most cases it can be used just like a password. (There are ways to
   cryptographically bind tokens to client certificates, but they are
   way beyond the scope of this commit message.)

   If the token cannot be validated, the command must exit with a
   non-zero status. Further authentication/authorization is pointless if
   the bearer token wasn't issued by someone you trust.

3. Authenticate the user, authorize the user, or both:

   a. To authenticate the user, use the bearer token to retrieve some
      trusted identifier string for the end user. The exact process for
      this is, again, issuer-dependent. The command should print the
      authenticated identity string to stdout, followed by a newline.

      If the user cannot be authenticated, the validator should not
      print anything to stdout. It should also exit with a non-zero
      status, unless the token may be used to authorize the connection
      through some other means (see below).

      On a success, the command may then exit with a zero success code.
      By default, the server will then check to make sure the identity
      string matches the role that is being used (or matches a usermap
      entry, if one is in use).

   b. To optionally authorize the user, in combination with the HBA
      option trust_validator_authz=1 (see below), the validator simply
      returns a zero exit code if the client should be allowed to
      connect with its presented role (which can be passed to the
      command using the %r specifier), or a non-zero code otherwise.

      The hard part is in determining whether the given token truly
      authorizes the client to use the given role, which must
      unfortunately be left as an exercise to the reader.

      This obviously requires some care, as a poorly implemented token
      validator may silently open the entire database to anyone with a
      bearer token. But it may be a more portable approach, since OAuth
      is designed as an authorization framework, not an authentication
      framework. For example, the user's bearer token could carry an
      "allow_superuser_access" claim, which would authorize pseudonymous
      database access as any role. It's then up to the OAuth system
      administrators to ensure that allow_superuser_access is doled out
      only to the proper users.

   c. It's possible that the user can be successfully authenticated but
      isn't authorized to connect. In this case, the command may print
      the authenticated ID and then fail with a non-zero exit code.
      (This makes it easier to see what's going on in the Postgres
      logs.)

4. Token validators may optionally log to stderr. This will be printed
   verbatim into the Postgres server logs.

The oauth method supports the following HBA options (but note that two
of them are not optional, since we have no way of choosing sensible
defaults):

  issuer: Required. The URL of the OAuth issuing party, which the client
          must contact to receive a bearer token.

          Some real-world examples as of time of writing:
          - https://accounts.google.com
          - https://login.microsoft.com/[tenant-id]/v2.0

  scope:  Required. The OAuth scope(s) required for the server to
          authenticate and/or authorize the user. This is heavily
          deployment-specific, but a simple example is "openid email".

  map:    Optional. Specify a standard PostgreSQL user map; this works
          the same as with other auth methods such as peer. If a map is
          not specified, the user ID returned by the token validator
          must exactly match the role that's being requested (but see
          trust_validator_authz, below).

  trust_validator_authz:
          Optional. When set to 1, this allows the token validator to
          take full control of the authorization process. Standard user
          mapping is skipped: if the validator command succeeds, the
          client is allowed to connect under its desired role and no
          further checks are done.

Unlike the client, servers support OAuth without needing to be built
against libiddawc (since the responsibility for "speaking" OAuth/OIDC
correctly is delegated entirely to the oauth_validator_command).

Several TODOs:
- port to platforms other than "modern Linux"
- overhaul the communication with oauth_validator_command, which is
  currently a bad hack on OpenPipeStream()
- implement more sanity checks on the OAUTHBEARER message format and
  tokens sent by the client
- implement more helpful handling of HBA misconfigurations
- properly interpolate JSON when generating error responses
- use logdetail during auth failures
- deal with role names that can't be safely passed to system() without
  shell-escaping
- allow passing the configured issuer to the oauth_validator_command, to
  deal with multi-issuer setups
- ...and more.
---
 src/backend/libpq/Makefile     |   1 +
 src/backend/libpq/auth-oauth.c | 797 +++++++++++++++++++++++++++++++++
 src/backend/libpq/auth-sasl.c  |  10 +-
 src/backend/libpq/auth-scram.c |   4 +-
 src/backend/libpq/auth.c       |  26 +-
 src/backend/libpq/hba.c        |  29 +-
 src/backend/utils/misc/guc.c   |  12 +
 src/include/libpq/auth.h       |  17 +
 src/include/libpq/hba.h        |   8 +-
 src/include/libpq/oauth.h      |  24 +
 src/include/libpq/sasl.h       |  11 +
 11 files changed, 907 insertions(+), 32 deletions(-)
 create mode 100644 src/backend/libpq/auth-oauth.c
 create mode 100644 src/include/libpq/oauth.h

diff --git a/src/backend/libpq/Makefile b/src/backend/libpq/Makefile
index 6d385fd6a4..98eb2a8242 100644
--- a/src/backend/libpq/Makefile
+++ b/src/backend/libpq/Makefile
@@ -15,6 +15,7 @@ include $(top_builddir)/src/Makefile.global
 # be-fsstubs is here for historical reasons, probably belongs elsewhere
 
 OBJS = \
+	auth-oauth.o \
 	auth-sasl.o \
 	auth-scram.o \
 	auth.o \
diff --git a/src/backend/libpq/auth-oauth.c b/src/backend/libpq/auth-oauth.c
new file mode 100644
index 0000000000..c47211132c
--- /dev/null
+++ b/src/backend/libpq/auth-oauth.c
@@ -0,0 +1,797 @@
+/*-------------------------------------------------------------------------
+ *
+ * auth-oauth.c
+ *	  Server-side implementation of the SASL OAUTHBEARER mechanism.
+ *
+ * See the following RFC for more details:
+ * - RFC 7628: https://tools.ietf.org/html/rfc7628
+ *
+ * Portions Copyright (c) 1996-2021, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ * src/backend/libpq/auth-oauth.c
+ *
+ *-------------------------------------------------------------------------
+ */
+#include "postgres.h"
+
+#include <unistd.h>
+#include <fcntl.h>
+
+#include "common/oauth-common.h"
+#include "lib/stringinfo.h"
+#include "libpq/auth.h"
+#include "libpq/hba.h"
+#include "libpq/oauth.h"
+#include "libpq/sasl.h"
+#include "storage/fd.h"
+
+/* GUC */
+char *oauth_validator_command;
+
+static void  oauth_get_mechanisms(Port *port, StringInfo buf);
+static void *oauth_init(Port *port, const char *selected_mech, const char *shadow_pass);
+static int   oauth_exchange(void *opaq, const char *input, int inputlen,
+							char **output, int *outputlen, char **logdetail);
+
+/* Mechanism declaration */
+const pg_be_sasl_mech pg_be_oauth_mech = {
+	oauth_get_mechanisms,
+	oauth_init,
+	oauth_exchange,
+
+	PG_MAX_AUTH_TOKEN_LENGTH,
+};
+
+
+typedef enum
+{
+	OAUTH_STATE_INIT = 0,
+	OAUTH_STATE_ERROR,
+	OAUTH_STATE_FINISHED,
+} oauth_state;
+
+struct oauth_ctx
+{
+	oauth_state	state;
+	Port	   *port;
+	const char *issuer;
+	const char *scope;
+};
+
+static char *sanitize_char(char c);
+static char *parse_kvpairs_for_auth(char **input);
+static void generate_error_response(struct oauth_ctx *ctx, char **output, int *outputlen);
+static bool validate(Port *port, const char *auth, char **logdetail);
+static bool run_validator_command(Port *port, const char *token);
+static bool check_exit(FILE **fh, const char *command);
+static bool unset_cloexec(int fd);
+static bool username_ok_for_shell(const char *username);
+
+#define KVSEP 0x01
+#define AUTH_KEY "auth"
+#define BEARER_SCHEME "Bearer "
+
+static void
+oauth_get_mechanisms(Port *port, StringInfo buf)
+{
+	/* Only OAUTHBEARER is supported. */
+	appendStringInfoString(buf, OAUTHBEARER_NAME);
+	appendStringInfoChar(buf, '\0');
+}
+
+static void *
+oauth_init(Port *port, const char *selected_mech, const char *shadow_pass)
+{
+	struct oauth_ctx *ctx;
+
+	if (strcmp(selected_mech, OAUTHBEARER_NAME))
+		ereport(ERROR,
+				(errcode(ERRCODE_PROTOCOL_VIOLATION),
+				 errmsg("client selected an invalid SASL authentication mechanism")));
+
+	ctx = palloc0(sizeof(*ctx));
+
+	ctx->state = OAUTH_STATE_INIT;
+	ctx->port = port;
+
+	Assert(port->hba);
+	ctx->issuer = port->hba->oauth_issuer;
+	ctx->scope = port->hba->oauth_scope;
+
+	return ctx;
+}
+
+static int
+oauth_exchange(void *opaq, const char *input, int inputlen,
+			   char **output, int *outputlen, char **logdetail)
+{
+	char   *p;
+	char	cbind_flag;
+	char   *auth;
+
+	struct oauth_ctx *ctx = opaq;
+
+	*output = NULL;
+	*outputlen = -1;
+
+	/*
+	 * If the client didn't include an "Initial Client Response" in the
+	 * SASLInitialResponse message, send an empty challenge, to which the
+	 * client will respond with the same data that usually comes in the
+	 * Initial Client Response.
+	 */
+	if (input == NULL)
+	{
+		Assert(ctx->state == OAUTH_STATE_INIT);
+
+		*output = pstrdup("");
+		*outputlen = 0;
+		return PG_SASL_EXCHANGE_CONTINUE;
+	}
+
+	/*
+	 * Check that the input length agrees with the string length of the input.
+	 */
+	if (inputlen == 0)
+		ereport(ERROR,
+				(errcode(ERRCODE_PROTOCOL_VIOLATION),
+				 errmsg("malformed OAUTHBEARER message"),
+				 errdetail("The message is empty.")));
+	if (inputlen != strlen(input))
+		ereport(ERROR,
+				(errcode(ERRCODE_PROTOCOL_VIOLATION),
+				 errmsg("malformed OAUTHBEARER message"),
+				 errdetail("Message length does not match input length.")));
+
+	switch (ctx->state)
+	{
+		case OAUTH_STATE_INIT:
+			/* Handle this case below. */
+			break;
+
+		case OAUTH_STATE_ERROR:
+			/*
+			 * Only one response is valid for the client during authentication
+			 * failure: a single kvsep.
+			 */
+			if (inputlen != 1 || *input != KVSEP)
+				ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 errmsg("malformed OAUTHBEARER message"),
+						 errdetail("Client did not send a kvsep response.")));
+
+			/* The (failed) handshake is now complete. */
+			ctx->state = OAUTH_STATE_FINISHED;
+			return PG_SASL_EXCHANGE_FAILURE;
+
+		default:
+			elog(ERROR, "invalid OAUTHBEARER exchange state");
+			return PG_SASL_EXCHANGE_FAILURE;
+	}
+
+	/* Handle the client's initial message. */
+	p = pstrdup(input);
+
+	/*
+	 * OAUTHBEARER does not currently define a channel binding (so there is no
+	 * OAUTHBEARER-PLUS, and we do not accept a 'p' specifier). We accept a 'y'
+	 * specifier purely for the remote chance that a future specification could
+	 * define one; then future clients can still interoperate with this server
+	 * implementation. 'n' is the expected case.
+	 */
+	cbind_flag = *p;
+	switch (cbind_flag)
+	{
+		case 'p':
+			ereport(ERROR,
+					(errcode(ERRCODE_PROTOCOL_VIOLATION),
+					 errmsg("malformed OAUTHBEARER message"),
+					 errdetail("The server does not support channel binding for OAuth, but the client message includes channel binding data.")));
+			break;
+
+		case 'y': /* fall through */
+		case 'n':
+			p++;
+			if (*p != ',')
+				ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 errmsg("malformed OAUTHBEARER message"),
+						 errdetail("Comma expected, but found character %s.",
+								   sanitize_char(*p))));
+			p++;
+			break;
+
+		default:
+			ereport(ERROR,
+					(errcode(ERRCODE_PROTOCOL_VIOLATION),
+					 errmsg("malformed OAUTHBEARER message"),
+					 errdetail("Unexpected channel-binding flag %s.",
+							   sanitize_char(cbind_flag))));
+	}
+
+	/*
+	 * Forbid optional authzid (authorization identity).  We don't support it.
+	 */
+	if (*p == 'a')
+		ereport(ERROR,
+				(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
+				 errmsg("client uses authorization identity, but it is not supported")));
+	if (*p != ',')
+		ereport(ERROR,
+				(errcode(ERRCODE_PROTOCOL_VIOLATION),
+				 errmsg("malformed OAUTHBEARER message"),
+				 errdetail("Unexpected attribute %s in client-first-message.",
+						   sanitize_char(*p))));
+	p++;
+
+	/* All remaining fields are separated by the RFC's kvsep (\x01). */
+	if (*p != KVSEP)
+		ereport(ERROR,
+				(errcode(ERRCODE_PROTOCOL_VIOLATION),
+				 errmsg("malformed OAUTHBEARER message"),
+				 errdetail("Key-value separator expected, but found character %s.",
+						   sanitize_char(*p))));
+	p++;
+
+	auth = parse_kvpairs_for_auth(&p);
+	if (!auth)
+		ereport(ERROR,
+				(errcode(ERRCODE_PROTOCOL_VIOLATION),
+				 errmsg("malformed OAUTHBEARER message"),
+				 errdetail("Message does not contain an auth value.")));
+
+	/* We should be at the end of our message. */
+	if (*p)
+		ereport(ERROR,
+				(errcode(ERRCODE_PROTOCOL_VIOLATION),
+				 errmsg("malformed OAUTHBEARER message"),
+				 errdetail("Message contains additional data after the final terminator.")));
+
+	if (!validate(ctx->port, auth, logdetail))
+	{
+		generate_error_response(ctx, output, outputlen);
+
+		ctx->state = OAUTH_STATE_ERROR;
+		return PG_SASL_EXCHANGE_CONTINUE;
+	}
+
+	ctx->state = OAUTH_STATE_FINISHED;
+	return PG_SASL_EXCHANGE_SUCCESS;
+}
+
+/*
+ * Convert an arbitrary byte to printable form.  For error messages.
+ *
+ * If it's a printable ASCII character, print it as a single character.
+ * otherwise, print it in hex.
+ *
+ * The returned pointer points to a static buffer.
+ */
+static char *
+sanitize_char(char c)
+{
+	static char buf[5];
+
+	if (c >= 0x21 && c <= 0x7E)
+		snprintf(buf, sizeof(buf), "'%c'", c);
+	else
+		snprintf(buf, sizeof(buf), "0x%02x", (unsigned char) c);
+	return buf;
+}
+
+/*
+ * Consumes all kvpairs in an OAUTHBEARER exchange message. If the "auth" key is
+ * found, its value is returned.
+ */
+static char *
+parse_kvpairs_for_auth(char **input)
+{
+	char   *pos = *input;
+	char   *auth = NULL;
+
+	/*
+	 * The relevant ABNF, from Sec. 3.1:
+	 *
+	 *     kvsep          = %x01
+	 *     key            = 1*(ALPHA)
+	 *     value          = *(VCHAR / SP / HTAB / CR / LF )
+	 *     kvpair         = key "=" value kvsep
+	 *   ;;gs2-header     = See RFC 5801
+	 *     client-resp    = (gs2-header kvsep *kvpair kvsep) / kvsep
+	 *
+	 * By the time we reach this code, the gs2-header and initial kvsep have
+	 * already been validated. We start at the beginning of the first kvpair.
+	 */
+
+	while (*pos)
+	{
+		char   *end;
+		char   *sep;
+		char   *key;
+		char   *value;
+
+		/*
+		 * Find the end of this kvpair. Note that input is null-terminated by
+		 * the SASL code, so the strchr() is bounded.
+		 */
+		end = strchr(pos, KVSEP);
+		if (!end)
+			ereport(ERROR,
+					(errcode(ERRCODE_PROTOCOL_VIOLATION),
+					 errmsg("malformed OAUTHBEARER message"),
+					 errdetail("Message contains an unterminated key/value pair.")));
+		*end = '\0';
+
+		if (pos == end)
+		{
+			/* Empty kvpair, signifying the end of the list. */
+			*input = pos + 1;
+			return auth;
+		}
+
+		/*
+		 * Find the end of the key name.
+		 *
+		 * TODO further validate the key/value grammar? empty keys, bad chars...
+		 */
+		sep = strchr(pos, '=');
+		if (!sep)
+			ereport(ERROR,
+					(errcode(ERRCODE_PROTOCOL_VIOLATION),
+					 errmsg("malformed OAUTHBEARER message"),
+					 errdetail("Message contains a key without a value.")));
+		*sep = '\0';
+
+		/* Both key and value are now safely terminated. */
+		key = pos;
+		value = sep + 1;
+
+		if (!strcmp(key, AUTH_KEY))
+		{
+			if (auth)
+				ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 errmsg("malformed OAUTHBEARER message"),
+						 errdetail("Message contains multiple auth values.")));
+
+			auth = value;
+		}
+		else
+		{
+			/*
+			 * The RFC also defines the host and port keys, but they are not
+			 * required for OAUTHBEARER and we do not use them. Also, per
+			 * Sec. 3.1, any key/value pairs we don't recognize must be ignored.
+			 */
+		}
+
+		/* Move to the next pair. */
+		pos = end + 1;
+	}
+
+	ereport(ERROR,
+			(errcode(ERRCODE_PROTOCOL_VIOLATION),
+			 errmsg("malformed OAUTHBEARER message"),
+			 errdetail("Message did not contain a final terminator.")));
+
+	return NULL; /* unreachable */
+}
+
+static void
+generate_error_response(struct oauth_ctx *ctx, char **output, int *outputlen)
+{
+	StringInfoData	buf;
+
+	/*
+	 * The admin needs to set an issuer and scope for OAuth to work. There's not
+	 * really a way to hide this from the user, either, because we can't choose
+	 * a "default" issuer, so be honest in the failure message.
+	 *
+	 * TODO: see if there's a better place to fail, earlier than this.
+	 */
+	if (!ctx->issuer || !ctx->scope)
+		ereport(FATAL,
+				(errcode(ERRCODE_INTERNAL_ERROR),
+				 errmsg("OAuth is not properly configured for this user"),
+				 errdetail_log("The issuer and scope parameters must be set in pg_hba.conf.")));
+
+
+	initStringInfo(&buf);
+
+	/*
+	 * TODO: JSON escaping
+	 */
+	appendStringInfo(&buf,
+		"{ "
+			"\"status\": \"invalid_token\", "
+			"\"openid-configuration\": \"%s/.well-known/openid-configuration\","
+			"\"scope\": \"%s\" "
+		"}",
+		ctx->issuer, ctx->scope);
+
+	*output = buf.data;
+	*outputlen = buf.len;
+}
+
+static bool
+validate(Port *port, const char *auth, char **logdetail)
+{
+	static const char * const b64_set = "abcdefghijklmnopqrstuvwxyz"
+										"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+										"0123456789-._~+/";
+
+	const char *token;
+	size_t		span;
+	int			ret;
+
+	/* TODO: handle logdetail when the test framework can check it */
+
+	/*
+	 * Only Bearer tokens are accepted. The ABNF is defined in RFC 6750, Sec.
+	 * 2.1:
+	 *
+	 *      b64token    = 1*( ALPHA / DIGIT /
+	 *                        "-" / "." / "_" / "~" / "+" / "/" ) *"="
+	 *      credentials = "Bearer" 1*SP b64token
+	 *
+	 * The "credentials" construction is what we receive in our auth value.
+	 *
+	 * Since that spec is subordinate to HTTP (i.e. the HTTP Authorization
+	 * header format; RFC 7235 Sec. 2), the "Bearer" scheme string must be
+	 * compared case-insensitively. (This is not mentioned in RFC 6750, but it's
+	 * pointed out in RFC 7628 Sec. 4.)
+	 *
+	 * TODO: handle the Authorization spec, RFC 7235 Sec. 2.1.
+	 */
+	if (strncasecmp(auth, BEARER_SCHEME, strlen(BEARER_SCHEME)))
+		return false;
+
+	/* Pull the bearer token out of the auth value. */
+	token = auth + strlen(BEARER_SCHEME);
+
+	/* Swallow any additional spaces. */
+	while (*token == ' ')
+		token++;
+
+	/*
+	 * Before invoking the validator command, sanity-check the token format to
+	 * avoid any injection attacks later in the chain. Invalid formats are
+	 * technically a protocol violation, but don't reflect any information about
+	 * the sensitive Bearer token back to the client; log at COMMERROR instead.
+	 */
+
+	/* Tokens must not be empty. */
+	if (!*token)
+	{
+		ereport(COMMERROR,
+				(errcode(ERRCODE_PROTOCOL_VIOLATION),
+				 errmsg("malformed OAUTHBEARER message"),
+				 errdetail("Bearer token is empty.")));
+		return false;
+	}
+
+	/*
+	 * Make sure the token contains only allowed characters. Tokens may end with
+	 * any number of '=' characters.
+	 */
+	span = strspn(token, b64_set);
+	while (token[span] == '=')
+		span++;
+
+	if (token[span] != '\0')
+	{
+		/*
+		 * This error message could be more helpful by printing the problematic
+		 * character(s), but that'd be a bit like printing a piece of someone's
+		 * password into the logs.
+		 */
+		ereport(COMMERROR,
+				(errcode(ERRCODE_PROTOCOL_VIOLATION),
+				 errmsg("malformed OAUTHBEARER message"),
+				 errdetail("Bearer token is not in the correct format.")));
+		return false;
+	}
+
+	/* Have the validator check the token. */
+	if (!run_validator_command(port, token))
+		return false;
+
+	if (port->hba->oauth_skip_usermap)
+	{
+		/*
+		 * If the validator is our authorization authority, we're done.
+		 * Authentication may or may not have been performed depending on the
+		 * validator implementation; all that matters is that the validator says
+		 * the user can log in with the target role.
+		 */
+		return true;
+	}
+
+	/* Make sure the validator authenticated the user. */
+	if (!port->authn_id)
+	{
+		/* TODO: use logdetail; reduce message duplication */
+		ereport(LOG,
+				(errmsg("OAuth bearer authentication failed for user \"%s\": validator provided no identity",
+						port->user_name)));
+		return false;
+	}
+
+	/* Finally, check the user map. */
+	ret = check_usermap(port->hba->usermap, port->user_name, port->authn_id,
+						false);
+	return (ret == STATUS_OK);
+}
+
+static bool
+run_validator_command(Port *port, const char *token)
+{
+	bool		success = false;
+	int			rc;
+	int			pipefd[2];
+	int			rfd = -1;
+	int			wfd = -1;
+
+	StringInfoData command = { 0 };
+	char	   *p;
+	FILE	   *fh = NULL;
+
+	ssize_t		written;
+	char	   *line = NULL;
+	size_t		size = 0;
+	ssize_t		len;
+
+	Assert(oauth_validator_command);
+
+	if (!oauth_validator_command[0])
+	{
+		ereport(COMMERROR,
+				(errmsg("oauth_validator_command is not set"),
+				 errhint("To allow OAuth authenticated connections, set "
+						 "oauth_validator_command in postgresql.conf.")));
+		return false;
+	}
+
+	/*
+	 * Since popen() is unidirectional, open up a pipe for the other direction.
+	 * Use CLOEXEC to ensure that our write end doesn't accidentally get copied
+	 * into child processes, which would prevent us from closing it cleanly.
+	 *
+	 * XXX this is ugly. We should just read from the child process's stdout,
+	 * but that's a lot more code.
+	 * XXX by bypassing the popen API, we open the potential of process
+	 * deadlock. Clearly document child process requirements (i.e. the child
+	 * MUST read all data off of the pipe before writing anything).
+	 * TODO: port to Windows using _pipe().
+	 */
+	rc = pipe2(pipefd, O_CLOEXEC);
+	if (rc < 0)
+	{
+		ereport(COMMERROR,
+				(errcode_for_file_access(),
+				 errmsg("could not create child pipe: %m")));
+		return false;
+	}
+
+	rfd = pipefd[0];
+	wfd = pipefd[1];
+
+	/* Allow the read pipe be passed to the child. */
+	if (!unset_cloexec(rfd))
+	{
+		/* error message was already logged */
+		goto cleanup;
+	}
+
+	/*
+	 * Construct the command, substituting any recognized %-specifiers:
+	 *
+	 *   %f: the file descriptor of the input pipe
+	 *   %r: the role that the client wants to assume (port->user_name)
+	 *   %%: a literal '%'
+	 */
+	initStringInfo(&command);
+
+	for (p = oauth_validator_command; *p; p++)
+	{
+		if (p[0] == '%')
+		{
+			switch (p[1])
+			{
+				case 'f':
+					appendStringInfo(&command, "%d", rfd);
+					p++;
+					break;
+				case 'r':
+					/*
+					 * TODO: decide how this string should be escaped. The role
+					 * is controlled by the client, so if we don't escape it,
+					 * command injections are inevitable.
+					 *
+					 * This is probably an indication that the role name needs
+					 * to be communicated to the validator process in some other
+					 * way. For this proof of concept, just be incredibly strict
+					 * about the characters that are allowed in user names.
+					 */
+					if (!username_ok_for_shell(port->user_name))
+						goto cleanup;
+
+					appendStringInfoString(&command, port->user_name);
+					p++;
+					break;
+				case '%':
+					appendStringInfoChar(&command, '%');
+					p++;
+					break;
+				default:
+					appendStringInfoChar(&command, p[0]);
+			}
+		}
+		else
+			appendStringInfoChar(&command, p[0]);
+	}
+
+	/* Execute the command. */
+	fh = OpenPipeStream(command.data, "re");
+	/* TODO: handle failures */
+
+	/* We don't need the read end of the pipe anymore. */
+	close(rfd);
+	rfd = -1;
+
+	/* Give the command the token to validate. */
+	written = write(wfd, token, strlen(token));
+	if (written != strlen(token))
+	{
+		/* TODO must loop for short writes, EINTR et al */
+		ereport(COMMERROR,
+				(errcode_for_file_access(),
+				 errmsg("could not write token to child pipe: %m")));
+		goto cleanup;
+	}
+
+	close(wfd);
+	wfd = -1;
+
+	/*
+	 * Read the command's response.
+	 *
+	 * TODO: getline() is probably too new to use, unfortunately.
+	 * TODO: loop over all lines
+	 */
+	if ((len = getline(&line, &size, fh)) >= 0)
+	{
+		/* TODO: fail if the authn_id doesn't end with a newline */
+		if (len > 0)
+			line[len - 1] = '\0';
+
+		set_authn_id(port, line);
+	}
+	else if (ferror(fh))
+	{
+		ereport(COMMERROR,
+				(errcode_for_file_access(),
+				 errmsg("could not read from command \"%s\": %m",
+						command.data)));
+		goto cleanup;
+	}
+
+	/* Make sure the command exits cleanly. */
+	if (!check_exit(&fh, command.data))
+	{
+		/* error message already logged */
+		goto cleanup;
+	}
+
+	/* Done. */
+	success = true;
+
+cleanup:
+	if (line)
+		free(line);
+
+	/*
+	 * In the successful case, the pipe fds are already closed. For the error
+	 * case, always close out the pipe before waiting for the command, to
+	 * prevent deadlock.
+	 */
+	if (rfd >= 0)
+		close(rfd);
+	if (wfd >= 0)
+		close(wfd);
+
+	if (fh)
+	{
+		Assert(!success);
+		check_exit(&fh, command.data);
+	}
+
+	if (command.data)
+		pfree(command.data);
+
+	return success;
+}
+
+static bool
+check_exit(FILE **fh, const char *command)
+{
+	int rc;
+
+	rc = ClosePipeStream(*fh);
+	*fh = NULL;
+
+	if (rc == -1)
+	{
+		/* pclose() itself failed. */
+		ereport(COMMERROR,
+				(errcode_for_file_access(),
+				 errmsg("could not close pipe to command \"%s\": %m",
+						command)));
+	}
+	else if (rc != 0)
+	{
+		char *reason = wait_result_to_str(rc);
+
+		ereport(COMMERROR,
+				(errmsg("failed to execute command \"%s\": %s",
+						command, reason)));
+
+		pfree(reason);
+	}
+
+	return (rc == 0);
+}
+
+static bool
+unset_cloexec(int fd)
+{
+	int			flags;
+	int			rc;
+
+	flags = fcntl(fd, F_GETFD);
+	if (flags == -1)
+	{
+		ereport(COMMERROR,
+				(errcode_for_file_access(),
+				 errmsg("could not get fd flags for child pipe: %m")));
+		return false;
+	}
+
+	rc = fcntl(fd, F_SETFD, flags & ~FD_CLOEXEC);
+	if (rc < 0)
+	{
+		ereport(COMMERROR,
+				(errcode_for_file_access(),
+				 errmsg("could not unset FD_CLOEXEC for child pipe: %m")));
+		return false;
+	}
+
+	return true;
+}
+
+/*
+ * XXX This should go away eventually and be replaced with either a proper
+ * escape or a different strategy for communication with the validator command.
+ */
+static bool
+username_ok_for_shell(const char *username)
+{
+	/* This set is borrowed from fe_utils' appendShellStringNoError(). */
+	static const char * const allowed = "abcdefghijklmnopqrstuvwxyz"
+										"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+										"0123456789-_./:";
+	size_t	span;
+
+	Assert(username && username[0]); /* should have already been checked */
+
+	span = strspn(username, allowed);
+	if (username[span] != '\0')
+	{
+		ereport(COMMERROR,
+				(errmsg("PostgreSQL user name contains unsafe characters and cannot be passed to the OAuth validator")));
+		return false;
+	}
+
+	return true;
+}
diff --git a/src/backend/libpq/auth-sasl.c b/src/backend/libpq/auth-sasl.c
index 6cfd90fa21..f6c49a4de5 100644
--- a/src/backend/libpq/auth-sasl.c
+++ b/src/backend/libpq/auth-sasl.c
@@ -20,14 +20,6 @@
 #include "libpq/pqformat.h"
 #include "libpq/sasl.h"
 
-/*
- * Maximum accepted size of SASL messages.
- *
- * The messages that the server or libpq generate are much smaller than this,
- * but have some headroom.
- */
-#define PG_MAX_SASL_MESSAGE_LENGTH	1024
-
 /*
  * Perform a SASL exchange with a libpq client, using a specific mechanism
  * implementation.
@@ -103,7 +95,7 @@ CheckSASLAuth(const pg_be_sasl_mech *mech, Port *port, char *shadow_pass,
 
 		/* Get the actual SASL message */
 		initStringInfo(&buf);
-		if (pq_getmessage(&buf, PG_MAX_SASL_MESSAGE_LENGTH))
+		if (pq_getmessage(&buf, mech->max_message_length))
 		{
 			/* EOF - pq_getmessage already logged error */
 			pfree(buf.data);
diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index 9df8f17837..5bb0388c01 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -117,7 +117,9 @@ static int	scram_exchange(void *opaq, const char *input, int inputlen,
 const pg_be_sasl_mech pg_be_scram_mech = {
 	scram_get_mechanisms,
 	scram_init,
-	scram_exchange
+	scram_exchange,
+
+	PG_MAX_SASL_MESSAGE_LENGTH
 };
 
 /*
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 8cc23ef7fb..fbcc2c55b4 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -29,6 +29,7 @@
 #include "libpq/auth.h"
 #include "libpq/crypt.h"
 #include "libpq/libpq.h"
+#include "libpq/oauth.h"
 #include "libpq/pqformat.h"
 #include "libpq/sasl.h"
 #include "libpq/scram.h"
@@ -47,7 +48,6 @@
  */
 static void auth_failed(Port *port, int status, char *logdetail);
 static char *recv_password_packet(Port *port);
-static void set_authn_id(Port *port, const char *id);
 
 
 /*----------------------------------------------------------------
@@ -205,22 +205,6 @@ static int	CheckRADIUSAuth(Port *port);
 static int	PerformRadiusTransaction(const char *server, const char *secret, const char *portstr, const char *identifier, const char *user_name, const char *passwd);
 
 
-/*
- * Maximum accepted size of GSS and SSPI authentication tokens.
- * We also use this as a limit on ordinary password packet lengths.
- *
- * Kerberos tickets are usually quite small, but the TGTs issued by Windows
- * domain controllers include an authorization field known as the Privilege
- * Attribute Certificate (PAC), which contains the user's Windows permissions
- * (group memberships etc.). The PAC is copied into all tickets obtained on
- * the basis of this TGT (even those issued by Unix realms which the Windows
- * realm trusts), and can be several kB in size. The maximum token size
- * accepted by Windows systems is determined by the MaxAuthToken Windows
- * registry setting. Microsoft recommends that it is not set higher than
- * 65535 bytes, so that seems like a reasonable limit for us as well.
- */
-#define PG_MAX_AUTH_TOKEN_LENGTH	65535
-
 /*----------------------------------------------------------------
  * Global authentication functions
  *----------------------------------------------------------------
@@ -309,6 +293,9 @@ auth_failed(Port *port, int status, char *logdetail)
 		case uaRADIUS:
 			errstr = gettext_noop("RADIUS authentication failed for user \"%s\"");
 			break;
+		case uaOAuth:
+			errstr = gettext_noop("OAuth bearer authentication failed for user \"%s\"");
+			break;
 		default:
 			errstr = gettext_noop("authentication failed for user \"%s\": invalid authentication method");
 			break;
@@ -343,7 +330,7 @@ auth_failed(Port *port, int status, char *logdetail)
  * lifetime of the Port, so it is safe to pass a string that is managed by an
  * external library.
  */
-static void
+void
 set_authn_id(Port *port, const char *id)
 {
 	Assert(id);
@@ -628,6 +615,9 @@ ClientAuthentication(Port *port)
 		case uaTrust:
 			status = STATUS_OK;
 			break;
+		case uaOAuth:
+			status = CheckSASLAuth(&pg_be_oauth_mech, port, NULL, NULL);
+			break;
 	}
 
 	if ((status == STATUS_OK && port->hba->clientcert == clientCertFull)
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 3be8778d21..98147700dd 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -134,7 +134,8 @@ static const char *const UserAuthName[] =
 	"ldap",
 	"cert",
 	"radius",
-	"peer"
+	"peer",
+	"oauth",
 };
 
 
@@ -1399,6 +1400,8 @@ parse_hba_line(TokenizedLine *tok_line, int elevel)
 #endif
 	else if (strcmp(token->string, "radius") == 0)
 		parsedline->auth_method = uaRADIUS;
+	else if (strcmp(token->string, "oauth") == 0)
+		parsedline->auth_method = uaOAuth;
 	else
 	{
 		ereport(elevel,
@@ -1713,8 +1716,9 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
 			hbaline->auth_method != uaPeer &&
 			hbaline->auth_method != uaGSS &&
 			hbaline->auth_method != uaSSPI &&
+			hbaline->auth_method != uaOAuth &&
 			hbaline->auth_method != uaCert)
-			INVALID_AUTH_OPTION("map", gettext_noop("ident, peer, gssapi, sspi, and cert"));
+			INVALID_AUTH_OPTION("map", gettext_noop("ident, peer, gssapi, sspi, oauth, and cert"));
 		hbaline->usermap = pstrdup(val);
 	}
 	else if (strcmp(name, "clientcert") == 0)
@@ -2098,6 +2102,27 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
 		hbaline->radiusidentifiers = parsed_identifiers;
 		hbaline->radiusidentifiers_s = pstrdup(val);
 	}
+	else if (strcmp(name, "issuer") == 0)
+	{
+		if (hbaline->auth_method != uaOAuth)
+			INVALID_AUTH_OPTION("issuer", gettext_noop("oauth"));
+		hbaline->oauth_issuer = pstrdup(val);
+	}
+	else if (strcmp(name, "scope") == 0)
+	{
+		if (hbaline->auth_method != uaOAuth)
+			INVALID_AUTH_OPTION("scope", gettext_noop("oauth"));
+		hbaline->oauth_scope = pstrdup(val);
+	}
+	else if (strcmp(name, "trust_validator_authz") == 0)
+	{
+		if (hbaline->auth_method != uaOAuth)
+			INVALID_AUTH_OPTION("trust_validator_authz", gettext_noop("oauth"));
+		if (strcmp(val, "1") == 0)
+			hbaline->oauth_skip_usermap = true;
+		else
+			hbaline->oauth_skip_usermap = false;
+	}
 	else
 	{
 		ereport(elevel,
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index 467b0fd6fe..2b42862f71 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -56,6 +56,7 @@
 #include "libpq/auth.h"
 #include "libpq/libpq.h"
 #include "libpq/pqformat.h"
+#include "libpq/oauth.h"
 #include "miscadmin.h"
 #include "optimizer/cost.h"
 #include "optimizer/geqo.h"
@@ -4594,6 +4595,17 @@ static struct config_string ConfigureNamesString[] =
 		check_backtrace_functions, assign_backtrace_functions, NULL
 	},
 
+	{
+		{"oauth_validator_command", PGC_SIGHUP, CONN_AUTH_AUTH,
+			gettext_noop("Command to validate OAuth v2 bearer tokens."),
+			NULL,
+			GUC_SUPERUSER_ONLY
+		},
+		&oauth_validator_command,
+		"",
+		NULL, NULL, NULL
+	},
+
 	/* End-of-list marker */
 	{
 		{NULL, 0, 0, NULL, NULL}, NULL, NULL, NULL, NULL, NULL
diff --git a/src/include/libpq/auth.h b/src/include/libpq/auth.h
index 3d6734f253..1c77dcb0c1 100644
--- a/src/include/libpq/auth.h
+++ b/src/include/libpq/auth.h
@@ -16,6 +16,22 @@
 
 #include "libpq/libpq-be.h"
 
+/*
+ * Maximum accepted size of GSS and SSPI authentication tokens.
+ * We also use this as a limit on ordinary password packet lengths.
+ *
+ * Kerberos tickets are usually quite small, but the TGTs issued by Windows
+ * domain controllers include an authorization field known as the Privilege
+ * Attribute Certificate (PAC), which contains the user's Windows permissions
+ * (group memberships etc.). The PAC is copied into all tickets obtained on
+ * the basis of this TGT (even those issued by Unix realms which the Windows
+ * realm trusts), and can be several kB in size. The maximum token size
+ * accepted by Windows systems is determined by the MaxAuthToken Windows
+ * registry setting. Microsoft recommends that it is not set higher than
+ * 65535 bytes, so that seems like a reasonable limit for us as well.
+ */
+#define PG_MAX_AUTH_TOKEN_LENGTH	65535
+
 extern char *pg_krb_server_keyfile;
 extern bool pg_krb_caseins_users;
 extern char *pg_krb_realm;
@@ -23,6 +39,7 @@ extern char *pg_krb_realm;
 extern void ClientAuthentication(Port *port);
 extern void sendAuthRequest(Port *port, AuthRequest areq, const char *extradata,
 							int extralen);
+extern void set_authn_id(Port *port, const char *id);
 
 /* Hook for plugins to get control in ClientAuthentication() */
 typedef void (*ClientAuthentication_hook_type) (Port *, int);
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index 8d9f3821b1..441dd5623e 100644
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -38,8 +38,9 @@ typedef enum UserAuth
 	uaLDAP,
 	uaCert,
 	uaRADIUS,
-	uaPeer
-#define USER_AUTH_LAST uaPeer	/* Must be last value of this enum */
+	uaPeer,
+	uaOAuth
+#define USER_AUTH_LAST uaOAuth	/* Must be last value of this enum */
 } UserAuth;
 
 /*
@@ -120,6 +121,9 @@ typedef struct HbaLine
 	char	   *radiusidentifiers_s;
 	List	   *radiusports;
 	char	   *radiusports_s;
+	char	   *oauth_issuer;
+	char	   *oauth_scope;
+	bool		oauth_skip_usermap;
 } HbaLine;
 
 typedef struct IdentLine
diff --git a/src/include/libpq/oauth.h b/src/include/libpq/oauth.h
new file mode 100644
index 0000000000..870e426af1
--- /dev/null
+++ b/src/include/libpq/oauth.h
@@ -0,0 +1,24 @@
+/*-------------------------------------------------------------------------
+ *
+ * oauth.h
+ *	  Interface to libpq/auth-oauth.c
+ *
+ * Portions Copyright (c) 1996-2021, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ * src/include/libpq/oauth.h
+ *
+ *-------------------------------------------------------------------------
+ */
+#ifndef PG_OAUTH_H
+#define PG_OAUTH_H
+
+#include "libpq/libpq-be.h"
+#include "libpq/sasl.h"
+
+extern char *oauth_validator_command;
+
+/* Implementation */
+extern const pg_be_sasl_mech pg_be_oauth_mech;
+
+#endif /* PG_OAUTH_H */
diff --git a/src/include/libpq/sasl.h b/src/include/libpq/sasl.h
index 4c611bab6b..c0a88430d5 100644
--- a/src/include/libpq/sasl.h
+++ b/src/include/libpq/sasl.h
@@ -26,6 +26,14 @@
 #define PG_SASL_EXCHANGE_SUCCESS		1
 #define PG_SASL_EXCHANGE_FAILURE		2
 
+/*
+ * Maximum accepted size of SASL messages.
+ *
+ * The messages that the server or libpq generate are much smaller than this,
+ * but have some headroom.
+ */
+#define PG_MAX_SASL_MESSAGE_LENGTH	1024
+
 /*
  * Backend SASL mechanism callbacks.
  *
@@ -127,6 +135,9 @@ typedef struct pg_be_sasl_mech
 							 const char *input, int inputlen,
 							 char **output, int *outputlen,
 							 char **logdetail);
+
+	/* The maximum size allowed for client SASLResponses. */
+	int			max_message_length;
 } pg_be_sasl_mech;
 
 /* Common implementation for auth.c */
-- 
2.25.1

From 7c4175f9ad87141d40dd44d6c9fe9312ce8e5b88 Mon Sep 17 00:00:00 2001
From: Jacob Champion <pchampion@vmware.com>
Date: Tue, 18 May 2021 15:01:29 -0700
Subject: [PATCH v2 4/5] Add a very simple authn_id extension

...for retrieving the authn_id from the server in tests.
---
 contrib/authn_id/Makefile          | 19 +++++++++++++++++++
 contrib/authn_id/authn_id--1.0.sql |  8 ++++++++
 contrib/authn_id/authn_id.c        | 28 ++++++++++++++++++++++++++++
 contrib/authn_id/authn_id.control  |  5 +++++
 4 files changed, 60 insertions(+)
 create mode 100644 contrib/authn_id/Makefile
 create mode 100644 contrib/authn_id/authn_id--1.0.sql
 create mode 100644 contrib/authn_id/authn_id.c
 create mode 100644 contrib/authn_id/authn_id.control

diff --git a/contrib/authn_id/Makefile b/contrib/authn_id/Makefile
new file mode 100644
index 0000000000..46026358e0
--- /dev/null
+++ b/contrib/authn_id/Makefile
@@ -0,0 +1,19 @@
+# contrib/authn_id/Makefile
+
+MODULE_big = authn_id
+OBJS = authn_id.o
+
+EXTENSION = authn_id
+DATA = authn_id--1.0.sql
+PGFILEDESC = "authn_id - information about the authenticated user"
+
+ifdef USE_PGXS
+PG_CONFIG = pg_config
+PGXS := $(shell $(PG_CONFIG) --pgxs)
+include $(PGXS)
+else
+subdir = contrib/authn_id
+top_builddir = ../..
+include $(top_builddir)/src/Makefile.global
+include $(top_srcdir)/contrib/contrib-global.mk
+endif
diff --git a/contrib/authn_id/authn_id--1.0.sql b/contrib/authn_id/authn_id--1.0.sql
new file mode 100644
index 0000000000..af2a4d3991
--- /dev/null
+++ b/contrib/authn_id/authn_id--1.0.sql
@@ -0,0 +1,8 @@
+/* contrib/authn_id/authn_id--1.0.sql */
+
+-- complain if script is sourced in psql, rather than via CREATE EXTENSION
+\echo Use "CREATE EXTENSION authn_id" to load this file. \quit
+
+CREATE FUNCTION authn_id() RETURNS text
+AS 'MODULE_PATHNAME', 'authn_id'
+LANGUAGE C IMMUTABLE;
diff --git a/contrib/authn_id/authn_id.c b/contrib/authn_id/authn_id.c
new file mode 100644
index 0000000000..0fecac36a8
--- /dev/null
+++ b/contrib/authn_id/authn_id.c
@@ -0,0 +1,28 @@
+/*
+ * Extension to expose the current user's authn_id.
+ *
+ * contrib/authn_id/authn_id.c
+ */
+
+#include "postgres.h"
+
+#include "fmgr.h"
+#include "libpq/libpq-be.h"
+#include "miscadmin.h"
+#include "utils/builtins.h"
+
+PG_MODULE_MAGIC;
+
+PG_FUNCTION_INFO_V1(authn_id);
+
+/*
+ * Returns the current user's authenticated identity.
+ */
+Datum
+authn_id(PG_FUNCTION_ARGS)
+{
+	if (!MyProcPort->authn_id)
+		PG_RETURN_NULL();
+
+	PG_RETURN_TEXT_P(cstring_to_text(MyProcPort->authn_id));
+}
diff --git a/contrib/authn_id/authn_id.control b/contrib/authn_id/authn_id.control
new file mode 100644
index 0000000000..e0f9e06bed
--- /dev/null
+++ b/contrib/authn_id/authn_id.control
@@ -0,0 +1,5 @@
+# authn_id extension
+comment = 'current user identity'
+default_version = '1.0'
+module_pathname = '$libdir/authn_id'
+relocatable = true
-- 
2.25.1

From 0281635f35a44e0fdfd4369423f98ebe5b467ce3 Mon Sep 17 00:00:00 2001
From: Jacob Champion <pchampion@vmware.com>
Date: Fri, 4 Jun 2021 09:06:38 -0700
Subject: [PATCH v2 5/5] Add pytest suite for OAuth

Requires Python 3; on the first run of `make installcheck` the
dependencies will be installed into ./venv for you. See the README for
more details.
---
 src/test/python/.gitignore                 |    2 +
 src/test/python/Makefile                   |   38 +
 src/test/python/README                     |   54 ++
 src/test/python/client/__init__.py         |    0
 src/test/python/client/conftest.py         |  126 +++
 src/test/python/client/test_client.py      |  180 ++++
 src/test/python/client/test_oauth.py       |  936 ++++++++++++++++++
 src/test/python/pq3.py                     |  727 ++++++++++++++
 src/test/python/pytest.ini                 |    4 +
 src/test/python/requirements.txt           |    7 +
 src/test/python/server/__init__.py         |    0
 src/test/python/server/conftest.py         |   45 +
 src/test/python/server/test_oauth.py       | 1012 ++++++++++++++++++++
 src/test/python/server/test_server.py      |   21 +
 src/test/python/server/validate_bearer.py  |  101 ++
 src/test/python/server/validate_reflect.py |   34 +
 src/test/python/test_internals.py          |  138 +++
 src/test/python/test_pq3.py                |  558 +++++++++++
 src/test/python/tls.py                     |  195 ++++
 19 files changed, 4178 insertions(+)
 create mode 100644 src/test/python/.gitignore
 create mode 100644 src/test/python/Makefile
 create mode 100644 src/test/python/README
 create mode 100644 src/test/python/client/__init__.py
 create mode 100644 src/test/python/client/conftest.py
 create mode 100644 src/test/python/client/test_client.py
 create mode 100644 src/test/python/client/test_oauth.py
 create mode 100644 src/test/python/pq3.py
 create mode 100644 src/test/python/pytest.ini
 create mode 100644 src/test/python/requirements.txt
 create mode 100644 src/test/python/server/__init__.py
 create mode 100644 src/test/python/server/conftest.py
 create mode 100644 src/test/python/server/test_oauth.py
 create mode 100644 src/test/python/server/test_server.py
 create mode 100755 src/test/python/server/validate_bearer.py
 create mode 100755 src/test/python/server/validate_reflect.py
 create mode 100644 src/test/python/test_internals.py
 create mode 100644 src/test/python/test_pq3.py
 create mode 100644 src/test/python/tls.py

diff --git a/src/test/python/.gitignore b/src/test/python/.gitignore
new file mode 100644
index 0000000000..0e8f027b2e
--- /dev/null
+++ b/src/test/python/.gitignore
@@ -0,0 +1,2 @@
+__pycache__/
+/venv/
diff --git a/src/test/python/Makefile b/src/test/python/Makefile
new file mode 100644
index 0000000000..b0695b6287
--- /dev/null
+++ b/src/test/python/Makefile
@@ -0,0 +1,38 @@
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+
+# Only Python 3 is supported, but if it's named something different on your
+# system you can override it with the PYTHON3 variable.
+PYTHON3 := python3
+
+# All dependencies are placed into this directory. The default is .gitignored
+# for you, but you can override it if you'd like.
+VENV := ./venv
+
+override VBIN   := $(VENV)/bin
+override PIP    := $(VBIN)/pip
+override PYTEST := $(VBIN)/py.test
+override ISORT  := $(VBIN)/isort
+override BLACK  := $(VBIN)/black
+
+.PHONY: installcheck indent
+
+installcheck: $(PYTEST)
+	$(PYTEST) -v -rs
+
+indent: $(ISORT) $(BLACK)
+	$(ISORT) --profile black *.py client/*.py server/*.py
+	$(BLACK) *.py client/*.py server/*.py
+
+$(PYTEST) $(ISORT) $(BLACK) &: requirements.txt | $(PIP)
+	$(PIP) install --force-reinstall -r $<
+
+$(PIP):
+	$(PYTHON3) -m venv $(VENV)
+
+# A convenience recipe to rebuild psycopg2 against the local libpq.
+.PHONY: rebuild-psycopg2
+rebuild-psycopg2: | $(PIP)
+	$(PIP) install --force-reinstall --no-binary :all: $(shell grep psycopg2 requirements.txt)
diff --git a/src/test/python/README b/src/test/python/README
new file mode 100644
index 0000000000..0bda582c4b
--- /dev/null
+++ b/src/test/python/README
@@ -0,0 +1,54 @@
+A test suite for exercising both the libpq client and the server backend at the
+protocol level, based on pytest and Construct.
+
+The test suite currently assumes that the standard PG* environment variables
+point to the database under test and are sufficient to log in a superuser on
+that system. In other words, a bare `psql` needs to Just Work before the test
+suite can do its thing. For a newly built dev cluster, typically all that I need
+to do is a
+
+    export PGDATABASE=postgres
+
+but you can adjust as needed for your setup.
+
+## Requirements
+
+A supported version (3.6+) of Python.
+
+The first run of
+
+    make installcheck
+
+will install a local virtual environment and all needed dependencies. During
+development, if libpq changes incompatibly, you can issue
+
+    $ make rebuild-psycopg2
+
+to force a rebuild of the client library.
+
+## Hacking
+
+The code style is enforced by a _very_ opinionated autoformatter. Running the
+
+    make indent
+
+recipe will invoke it for you automatically. Don't fight the tool; part of the
+zen is in knowing that if the formatter makes your code ugly, there's probably a
+cleaner way to write your code.
+
+## Advanced Usage
+
+The Makefile is there for convenience, but you don't have to use it. Activate
+the virtualenv to be able to use pytest directly:
+
+    $ source venv/bin/activate
+    $ py.test -k oauth
+    ...
+    $ py.test ./server/test_server.py
+    ...
+    $ deactivate  # puts the PATH et al back the way it was before
+
+To make quick smoke tests possible, slow tests have been marked explicitly. You
+can skip them by saying e.g.
+
+    $ py.test -m 'not slow'
diff --git a/src/test/python/client/__init__.py b/src/test/python/client/__init__.py
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/test/python/client/conftest.py b/src/test/python/client/conftest.py
new file mode 100644
index 0000000000..f38da7a138
--- /dev/null
+++ b/src/test/python/client/conftest.py
@@ -0,0 +1,126 @@
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+
+import socket
+import sys
+import threading
+
+import psycopg2
+import pytest
+
+import pq3
+
+BLOCKING_TIMEOUT = 2  # the number of seconds to wait for blocking calls
+
+
+@pytest.fixture
+def server_socket(unused_tcp_port_factory):
+    """
+    Returns a listening socket bound to an ephemeral port.
+    """
+    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
+        s.bind(("127.0.0.1", unused_tcp_port_factory()))
+        s.listen(1)
+        s.settimeout(BLOCKING_TIMEOUT)
+        yield s
+
+
+class ClientHandshake(threading.Thread):
+    """
+    A thread that connects to a local Postgres server using psycopg2. Once the
+    opening handshake completes, the connection will be immediately closed.
+    """
+
+    def __init__(self, *, port, **kwargs):
+        super().__init__()
+
+        kwargs["port"] = port
+        self._kwargs = kwargs
+
+        self.exception = None
+
+    def run(self):
+        try:
+            conn = psycopg2.connect(host="127.0.0.1", **self._kwargs)
+            conn.close()
+        except Exception as e:
+            self.exception = e
+
+    def check_completed(self, timeout=BLOCKING_TIMEOUT):
+        """
+        Joins the client thread. Raises an exception if the thread could not be
+        joined, or if it threw an exception itself. (The exception will be
+        cleared, so future calls to check_completed will succeed.)
+        """
+        self.join(timeout)
+
+        if self.is_alive():
+            raise TimeoutError("client thread did not handshake within the timeout")
+        elif self.exception:
+            e = self.exception
+            self.exception = None
+            raise e
+
+
+@pytest.fixture
+def accept(server_socket):
+    """
+    Returns a factory function that, when called, returns a pair (sock, client)
+    where sock is a server socket that has accepted a connection from client,
+    and client is an instance of ClientHandshake. Clients will complete their
+    handshakes and cleanly disconnect.
+
+    The default connstring options may be extended or overridden by passing
+    arbitrary keyword arguments. Keep in mind that you generally should not
+    override the host or port, since they point to the local test server.
+
+    For situations where a client needs to connect more than once to complete a
+    handshake, the accept function may be called more than once. (The client
+    returned for subsequent calls will always be the same client that was
+    returned for the first call.)
+
+    Tests must either complete the handshake so that the client thread can be
+    automatically joined during teardown, or else call client.check_completed()
+    and manually handle any expected errors.
+    """
+    _, port = server_socket.getsockname()
+
+    client = None
+    default_opts = dict(
+        port=port,
+        user=pq3.pguser(),
+        sslmode="disable",
+    )
+
+    def factory(**kwargs):
+        nonlocal client
+
+        if client is None:
+            opts = dict(default_opts)
+            opts.update(kwargs)
+
+            # The server_socket is already listening, so the client thread can
+            # be safely started; it'll block on the connection until we accept.
+            client = ClientHandshake(**opts)
+            client.start()
+
+        sock, _ = server_socket.accept()
+        return sock, client
+
+    yield factory
+    client.check_completed()
+
+
+@pytest.fixture
+def conn(accept):
+    """
+    Returns an accepted, wrapped pq3 connection to a psycopg2 client. The socket
+    will be closed when the test finishes, and the client will be checked for a
+    cleanly completed handshake.
+    """
+    sock, client = accept()
+    with sock:
+        with pq3.wrap(sock, debug_stream=sys.stdout) as conn:
+            yield conn
diff --git a/src/test/python/client/test_client.py b/src/test/python/client/test_client.py
new file mode 100644
index 0000000000..c4c946fda4
--- /dev/null
+++ b/src/test/python/client/test_client.py
@@ -0,0 +1,180 @@
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+
+import base64
+import sys
+
+import psycopg2
+import pytest
+from cryptography.hazmat.primitives import hashes, hmac
+
+import pq3
+
+
+def finish_handshake(conn):
+    """
+    Sends the AuthenticationOK message and the standard opening salvo of server
+    messages, then asserts that the client immediately sends a Terminate message
+    to close the connection cleanly.
+    """
+    pq3.send(conn, pq3.types.AuthnRequest, type=pq3.authn.OK)
+    pq3.send(conn, pq3.types.ParameterStatus, name=b"client_encoding", value=b"UTF-8")
+    pq3.send(conn, pq3.types.ParameterStatus, name=b"DateStyle", value=b"ISO, MDY")
+    pq3.send(conn, pq3.types.ReadyForQuery, status=b"I")
+
+    pkt = pq3.recv1(conn)
+    assert pkt.type == pq3.types.Terminate
+
+
+def test_handshake(conn):
+    startup = pq3.recv1(conn, cls=pq3.Startup)
+    assert startup.proto == pq3.protocol(3, 0)
+
+    finish_handshake(conn)
+
+
+def test_aborted_connection(accept):
+    """
+    Make sure the client correctly reports an early close during handshakes.
+    """
+    sock, client = accept()
+    sock.close()
+
+    expected = "server closed the connection unexpectedly"
+    with pytest.raises(psycopg2.OperationalError, match=expected):
+        client.check_completed()
+
+
+#
+# SCRAM-SHA-256 (see RFC 5802: https://tools.ietf.org/html/rfc5802)
+#
+
+
+@pytest.fixture
+def password():
+    """
+    Returns a password for use by both client and server.
+    """
+    # TODO: parameterize this with passwords that require SASLprep.
+    return "secret"
+
+
+@pytest.fixture
+def pwconn(accept, password):
+    """
+    Like the conn fixture, but uses a password in the connection.
+    """
+    sock, client = accept(password=password)
+    with sock:
+        with pq3.wrap(sock, debug_stream=sys.stdout) as conn:
+            yield conn
+
+
+def sha256(data):
+    """The H(str) function from Section 2.2."""
+    digest = hashes.Hash(hashes.SHA256())
+    digest.update(data)
+    return digest.finalize()
+
+
+def hmac_256(key, data):
+    """The HMAC(key, str) function from Section 2.2."""
+    h = hmac.HMAC(key, hashes.SHA256())
+    h.update(data)
+    return h.finalize()
+
+
+def xor(a, b):
+    """The XOR operation from Section 2.2."""
+    res = bytearray(a)
+    for i, byte in enumerate(b):
+        res[i] ^= byte
+    return bytes(res)
+
+
+def h_i(data, salt, i):
+    """The Hi(str, salt, i) function from Section 2.2."""
+    assert i > 0
+
+    acc = hmac_256(data, salt + b"\x00\x00\x00\x01")
+    last = acc
+    i -= 1
+
+    while i:
+        u = hmac_256(data, last)
+        acc = xor(acc, u)
+
+        last = u
+        i -= 1
+
+    return acc
+
+
+def test_scram(pwconn, password):
+    startup = pq3.recv1(pwconn, cls=pq3.Startup)
+    assert startup.proto == pq3.protocol(3, 0)
+
+    pq3.send(
+        pwconn,
+        pq3.types.AuthnRequest,
+        type=pq3.authn.SASL,
+        body=[b"SCRAM-SHA-256", b""],
+    )
+
+    # Get the client-first-message.
+    pkt = pq3.recv1(pwconn)
+    assert pkt.type == pq3.types.PasswordMessage
+
+    initial = pq3.SASLInitialResponse.parse(pkt.payload)
+    assert initial.name == b"SCRAM-SHA-256"
+
+    c_bind, authzid, c_name, c_nonce = initial.data.split(b",")
+    assert c_bind == b"n"  # no channel bindings on a plaintext connection
+    assert authzid == b""  # we don't support authzid currently
+    assert c_name == b"n="  # libpq doesn't honor the GS2 username
+    assert c_nonce.startswith(b"r=")
+
+    # Send the server-first-message.
+    salt = b"12345"
+    iterations = 2
+
+    s_nonce = c_nonce + b"somenonce"
+    s_salt = b"s=" + base64.b64encode(salt)
+    s_iterations = b"i=%d" % iterations
+
+    msg = b",".join([s_nonce, s_salt, s_iterations])
+    pq3.send(pwconn, pq3.types.AuthnRequest, type=pq3.authn.SASLContinue, body=msg)
+
+    # Get the client-final-message.
+    pkt = pq3.recv1(pwconn)
+    assert pkt.type == pq3.types.PasswordMessage
+
+    c_bind_final, c_nonce_final, c_proof = pkt.payload.split(b",")
+    assert c_bind_final == b"c=" + base64.b64encode(c_bind + b"," + authzid + b",")
+    assert c_nonce_final == s_nonce
+
+    # Calculate what the client proof should be.
+    salted_password = h_i(password.encode("ascii"), salt, iterations)
+    client_key = hmac_256(salted_password, b"Client Key")
+    stored_key = sha256(client_key)
+
+    auth_message = b",".join(
+        [c_name, c_nonce, s_nonce, s_salt, s_iterations, c_bind_final, c_nonce_final]
+    )
+    client_signature = hmac_256(stored_key, auth_message)
+    client_proof = xor(client_key, client_signature)
+
+    expected = b"p=" + base64.b64encode(client_proof)
+    assert c_proof == expected
+
+    # Send the correct server signature.
+    server_key = hmac_256(salted_password, b"Server Key")
+    server_signature = hmac_256(server_key, auth_message)
+
+    s_verify = b"v=" + base64.b64encode(server_signature)
+    pq3.send(pwconn, pq3.types.AuthnRequest, type=pq3.authn.SASLFinal, body=s_verify)
+
+    # Done!
+    finish_handshake(pwconn)
diff --git a/src/test/python/client/test_oauth.py b/src/test/python/client/test_oauth.py
new file mode 100644
index 0000000000..a754a9c0b6
--- /dev/null
+++ b/src/test/python/client/test_oauth.py
@@ -0,0 +1,936 @@
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+
+import base64
+import http.server
+import json
+import secrets
+import sys
+import threading
+import time
+import urllib.parse
+
+import psycopg2
+import pytest
+
+import pq3
+
+from .conftest import BLOCKING_TIMEOUT
+
+
+def finish_handshake(conn):
+    """
+    Sends the AuthenticationOK message and the standard opening salvo of server
+    messages, then asserts that the client immediately sends a Terminate message
+    to close the connection cleanly.
+    """
+    pq3.send(conn, pq3.types.AuthnRequest, type=pq3.authn.OK)
+    pq3.send(conn, pq3.types.ParameterStatus, name=b"client_encoding", value=b"UTF-8")
+    pq3.send(conn, pq3.types.ParameterStatus, name=b"DateStyle", value=b"ISO, MDY")
+    pq3.send(conn, pq3.types.ReadyForQuery, status=b"I")
+
+    pkt = pq3.recv1(conn)
+    assert pkt.type == pq3.types.Terminate
+
+
+#
+# OAUTHBEARER (see RFC 7628: https://tools.ietf.org/html/rfc7628)
+#
+
+
+def start_oauth_handshake(conn):
+    """
+    Negotiates an OAUTHBEARER SASL challenge. Returns the client's initial
+    response data.
+    """
+    startup = pq3.recv1(conn, cls=pq3.Startup)
+    assert startup.proto == pq3.protocol(3, 0)
+
+    pq3.send(
+        conn, pq3.types.AuthnRequest, type=pq3.authn.SASL, body=[b"OAUTHBEARER", b""]
+    )
+
+    pkt = pq3.recv1(conn)
+    assert pkt.type == pq3.types.PasswordMessage
+
+    initial = pq3.SASLInitialResponse.parse(pkt.payload)
+    assert initial.name == b"OAUTHBEARER"
+
+    return initial.data
+
+
+def get_auth_value(initial):
+    """
+    Finds the auth value (e.g. "Bearer somedata..." in the client's initial SASL
+    response.
+    """
+    kvpairs = initial.split(b"\x01")
+    assert kvpairs[0] == b"n,,"  # no channel binding or authzid
+    assert kvpairs[2] == b""  # ends with an empty kvpair
+    assert kvpairs[3] == b""  # ...and there's nothing after it
+    assert len(kvpairs) == 4
+
+    key, value = kvpairs[1].split(b"=", 2)
+    assert key == b"auth"
+
+    return value
+
+
+def xtest_oauth_success(conn):  # TODO
+    initial = start_oauth_handshake(conn)
+
+    auth = get_auth_value(initial)
+    assert auth.startswith(b"Bearer ")
+
+    # Accept the token. TODO actually validate
+    pq3.send(conn, pq3.types.AuthnRequest, type=pq3.authn.SASLFinal)
+    finish_handshake(conn)
+
+
+class OpenIDProvider(threading.Thread):
+    """
+    A thread that runs a mock OpenID provider server.
+    """
+
+    def __init__(self, *, port):
+        super().__init__()
+
+        self.exception = None
+
+        addr = ("", port)
+        self.server = self._Server(addr, self._Handler)
+
+        # TODO: allow HTTPS only, somehow
+        oauth = self._OAuthState()
+        oauth.host = f"localhost:{port}"
+        oauth.issuer = f"http://localhost:{port}"
+
+        # The following endpoints are required to be advertised by providers,
+        # even though our chosen client implementation does not actually make
+        # use of them.
+        oauth.register_endpoint(
+            "authorization_endpoint", "POST", "/authorize", self._authorization_handler
+        )
+        oauth.register_endpoint("jwks_uri", "GET", "/keys", self._jwks_handler)
+
+        self.server.oauth = oauth
+
+    def run(self):
+        try:
+            self.server.serve_forever()
+        except Exception as e:
+            self.exception = e
+
+    def stop(self, timeout=BLOCKING_TIMEOUT):
+        """
+        Shuts down the server and joins its thread. Raises an exception if the
+        thread could not be joined, or if it threw an exception itself. Must
+        only be called once, after start().
+        """
+        self.server.shutdown()
+        self.join(timeout)
+
+        if self.is_alive():
+            raise TimeoutError("client thread did not handshake within the timeout")
+        elif self.exception:
+            e = self.exception
+            raise e
+
+    class _OAuthState(object):
+        def __init__(self):
+            self.endpoint_paths = {}
+            self._endpoints = {}
+
+        def register_endpoint(self, name, method, path, func):
+            if method not in self._endpoints:
+                self._endpoints[method] = {}
+
+            self._endpoints[method][path] = func
+            self.endpoint_paths[name] = path
+
+        def endpoint(self, method, path):
+            if method not in self._endpoints:
+                return None
+
+            return self._endpoints[method].get(path)
+
+    class _Server(http.server.HTTPServer):
+        def handle_error(self, request, addr):
+            self.shutdown_request(request)
+            raise
+
+    @staticmethod
+    def _jwks_handler(headers, params):
+        return 200, {"keys": []}
+
+    @staticmethod
+    def _authorization_handler(headers, params):
+        # We don't actually want this to be called during these tests -- we
+        # should be using the device authorization endpoint instead.
+        assert (
+            False
+        ), "authorization handler called instead of device authorization handler"
+
+    class _Handler(http.server.BaseHTTPRequestHandler):
+        timeout = BLOCKING_TIMEOUT
+
+        def _discovery_handler(self, headers, params):
+            oauth = self.server.oauth
+
+            doc = {
+                "issuer": oauth.issuer,
+                "response_types_supported": ["token"],
+                "subject_types_supported": ["public"],
+                "id_token_signing_alg_values_supported": ["RS256"],
+            }
+
+            for name, path in oauth.endpoint_paths.items():
+                doc[name] = oauth.issuer + path
+
+            return 200, doc
+
+        def _handle(self, *, params=None, handler=None):
+            oauth = self.server.oauth
+            assert self.headers["Host"] == oauth.host
+
+            if handler is None:
+                handler = oauth.endpoint(self.command, self.path)
+                assert (
+                    handler is not None
+                ), f"no registered endpoint for {self.command} {self.path}"
+
+            code, resp = handler(self.headers, params)
+
+            self.send_response(code)
+            self.send_header("Content-Type", "application/json")
+            self.end_headers()
+
+            resp = json.dumps(resp)
+            resp = resp.encode("utf-8")
+            self.wfile.write(resp)
+
+            self.close_connection = True
+
+        def do_GET(self):
+            if self.path == "/.well-known/openid-configuration":
+                self._handle(handler=self._discovery_handler)
+                return
+
+            self._handle()
+
+        def _request_body(self):
+            length = self.headers["Content-Length"]
+
+            # Handle only an explicit content-length.
+            assert length is not None
+            length = int(length)
+
+            return self.rfile.read(length).decode("utf-8")
+
+        def do_POST(self):
+            assert self.headers["Content-Type"] == "application/x-www-form-urlencoded"
+
+            body = self._request_body()
+            params = urllib.parse.parse_qs(body)
+
+            self._handle(params=params)
+
+
+@pytest.fixture
+def openid_provider(unused_tcp_port_factory):
+    """
+    A fixture that returns the OAuth state of a running OpenID provider server. The
+    server will be stopped when the fixture is torn down.
+    """
+    thread = OpenIDProvider(port=unused_tcp_port_factory())
+    thread.start()
+
+    try:
+        yield thread.server.oauth
+    finally:
+        thread.stop()
+
+
+@pytest.mark.parametrize("secret", [None, "", "hunter2"])
+@pytest.mark.parametrize("scope", [None, "", "openid email"])
+@pytest.mark.parametrize("retries", [0, 1])
+def test_oauth_with_explicit_issuer(
+    capfd, accept, openid_provider, retries, scope, secret
+):
+    client_id = secrets.token_hex()
+
+    sock, client = accept(
+        oauth_issuer=openid_provider.issuer,
+        oauth_client_id=client_id,
+        oauth_client_secret=secret,
+        oauth_scope=scope,
+    )
+
+    device_code = secrets.token_hex()
+    user_code = f"{secrets.token_hex(2)}-{secrets.token_hex(2)}"
+    verification_url = "https://example.com/device"
+
+    access_token = secrets.token_urlsafe()
+
+    def check_client_authn(headers, params):
+        if not secret:
+            assert params["client_id"] == [client_id]
+            return
+
+        # Require the client to use Basic authn; request-body credentials are
+        # NOT RECOMMENDED (RFC 6749, Sec. 2.3.1).
+        assert "Authorization" in headers
+
+        method, creds = headers["Authorization"].split()
+        assert method == "Basic"
+
+        expected = f"{client_id}:{secret}"
+        assert base64.b64decode(creds) == expected.encode("ascii")
+
+    # Set up our provider callbacks.
+    # NOTE that these callbacks will be called on a background thread. Don't do
+    # any unprotected state mutation here.
+
+    def authorization_endpoint(headers, params):
+        check_client_authn(headers, params)
+
+        if scope:
+            assert params["scope"] == [scope]
+        else:
+            assert "scope" not in params
+
+        resp = {
+            "device_code": device_code,
+            "user_code": user_code,
+            "interval": 0,
+            "verification_uri": verification_url,
+            "expires_in": 5,
+        }
+
+        return 200, resp
+
+    openid_provider.register_endpoint(
+        "device_authorization_endpoint", "POST", "/device", authorization_endpoint
+    )
+
+    attempts = 0
+    retry_lock = threading.Lock()
+
+    def token_endpoint(headers, params):
+        check_client_authn(headers, params)
+
+        assert params["grant_type"] == ["urn:ietf:params:oauth:grant-type:device_code"]
+        assert params["device_code"] == [device_code]
+
+        now = time.monotonic()
+
+        with retry_lock:
+            nonlocal attempts
+
+            # If the test wants to force the client to retry, return an
+            # authorization_pending response and decrement the retry count.
+            if attempts < retries:
+                attempts += 1
+                return 400, {"error": "authorization_pending"}
+
+        # Successfully finish the request by sending the access bearer token.
+        resp = {
+            "access_token": access_token,
+            "token_type": "bearer",
+        }
+
+        return 200, resp
+
+    openid_provider.register_endpoint(
+        "token_endpoint", "POST", "/token", token_endpoint
+    )
+
+    with sock:
+        with pq3.wrap(sock, debug_stream=sys.stdout) as conn:
+            # Initiate a handshake, which should result in the above endpoints
+            # being called.
+            initial = start_oauth_handshake(conn)
+
+            # Validate and accept the token.
+            auth = get_auth_value(initial)
+            assert auth == f"Bearer {access_token}".encode("ascii")
+
+            pq3.send(conn, pq3.types.AuthnRequest, type=pq3.authn.SASLFinal)
+            finish_handshake(conn)
+
+    if retries:
+        # Finally, make sure that the client prompted the user with the expected
+        # authorization URL and user code.
+        expected = f"Visit {verification_url} and enter the code: {user_code}"
+        _, stderr = capfd.readouterr()
+        assert expected in stderr
+
+
+def test_oauth_requires_client_id(accept, openid_provider):
+    sock, client = accept(
+        oauth_issuer=openid_provider.issuer,
+        # Do not set a client ID; this should cause a client error after the
+        # server asks for OAUTHBEARER and the client tries to contact the
+        # issuer.
+    )
+
+    with sock:
+        with pq3.wrap(sock, debug_stream=sys.stdout) as conn:
+            # Initiate a handshake.
+            startup = pq3.recv1(conn, cls=pq3.Startup)
+            assert startup.proto == pq3.protocol(3, 0)
+
+            pq3.send(
+                conn,
+                pq3.types.AuthnRequest,
+                type=pq3.authn.SASL,
+                body=[b"OAUTHBEARER", b""],
+            )
+
+            # The client should disconnect at this point.
+            assert not conn.read()
+
+    expected_error = "no oauth_client_id is set"
+    with pytest.raises(psycopg2.OperationalError, match=expected_error):
+        client.check_completed()
+
+
+@pytest.mark.slow
+@pytest.mark.parametrize("error_code", ["authorization_pending", "slow_down"])
+@pytest.mark.parametrize("retries", [1, 2])
+def test_oauth_retry_interval(accept, openid_provider, retries, error_code):
+    sock, client = accept(
+        oauth_issuer=openid_provider.issuer,
+        oauth_client_id="some-id",
+    )
+
+    expected_retry_interval = 1
+    access_token = secrets.token_urlsafe()
+
+    # Set up our provider callbacks.
+    # NOTE that these callbacks will be called on a background thread. Don't do
+    # any unprotected state mutation here.
+
+    def authorization_endpoint(headers, params):
+        resp = {
+            "device_code": "my-device-code",
+            "user_code": "my-user-code",
+            "interval": expected_retry_interval,
+            "verification_uri": "https://example.com",
+            "expires_in": 5,
+        }
+
+        return 200, resp
+
+    openid_provider.register_endpoint(
+        "device_authorization_endpoint", "POST", "/device", authorization_endpoint
+    )
+
+    attempts = 0
+    last_retry = None
+    retry_lock = threading.Lock()
+
+    def token_endpoint(headers, params):
+        now = time.monotonic()
+
+        with retry_lock:
+            nonlocal attempts, last_retry, expected_retry_interval
+
+            # Make sure the retry interval is being respected by the client.
+            if last_retry is not None:
+                interval = now - last_retry
+                assert interval >= expected_retry_interval
+
+            last_retry = now
+
+            # If the test wants to force the client to retry, return the desired
+            # error response and decrement the retry count.
+            if attempts < retries:
+                attempts += 1
+
+                # A slow_down code requires the client to additionally increase
+                # its interval by five seconds.
+                if error_code == "slow_down":
+                    expected_retry_interval += 5
+
+                return 400, {"error": error_code}
+
+        # Successfully finish the request by sending the access bearer token.
+        resp = {
+            "access_token": access_token,
+            "token_type": "bearer",
+        }
+
+        return 200, resp
+
+    openid_provider.register_endpoint(
+        "token_endpoint", "POST", "/token", token_endpoint
+    )
+
+    with sock:
+        with pq3.wrap(sock, debug_stream=sys.stdout) as conn:
+            # Initiate a handshake, which should result in the above endpoints
+            # being called.
+            initial = start_oauth_handshake(conn)
+
+            # Validate and accept the token.
+            auth = get_auth_value(initial)
+            assert auth == f"Bearer {access_token}".encode("ascii")
+
+            pq3.send(conn, pq3.types.AuthnRequest, type=pq3.authn.SASLFinal)
+            finish_handshake(conn)
+
+
+@pytest.mark.parametrize(
+    "failure_mode, error_pattern",
+    [
+        pytest.param(
+            {
+                "error": "invalid_client",
+                "error_description": "client authentication failed",
+            },
+            r"client authentication failed \(invalid_client\)",
+            id="authentication failure with description",
+        ),
+        pytest.param(
+            {"error": "invalid_request"},
+            r"\(invalid_request\)",
+            id="invalid request without description",
+        ),
+        pytest.param(
+            {},
+            r"failed to obtain device authorization",
+            id="broken error response",
+        ),
+    ],
+)
+def test_oauth_device_authorization_failures(
+    accept, openid_provider, failure_mode, error_pattern
+):
+    client_id = secrets.token_hex()
+
+    sock, client = accept(
+        oauth_issuer=openid_provider.issuer,
+        oauth_client_id=client_id,
+    )
+
+    # Set up our provider callbacks.
+    # NOTE that these callbacks will be called on a background thread. Don't do
+    # any unprotected state mutation here.
+
+    def authorization_endpoint(headers, params):
+        return 400, failure_mode
+
+    openid_provider.register_endpoint(
+        "device_authorization_endpoint", "POST", "/device", authorization_endpoint
+    )
+
+    def token_endpoint(headers, params):
+        assert False, "token endpoint was invoked unexpectedly"
+
+    openid_provider.register_endpoint(
+        "token_endpoint", "POST", "/token", token_endpoint
+    )
+
+    with sock:
+        with pq3.wrap(sock, debug_stream=sys.stdout) as conn:
+            # Initiate a handshake, which should result in the above endpoints
+            # being called.
+            startup = pq3.recv1(conn, cls=pq3.Startup)
+            assert startup.proto == pq3.protocol(3, 0)
+
+            pq3.send(
+                conn,
+                pq3.types.AuthnRequest,
+                type=pq3.authn.SASL,
+                body=[b"OAUTHBEARER", b""],
+            )
+
+            # The client should not continue the connection due to the hardcoded
+            # provider failure; we disconnect here.
+
+    # Now make sure the client correctly failed.
+    with pytest.raises(psycopg2.OperationalError, match=error_pattern):
+        client.check_completed()
+
+
+@pytest.mark.parametrize(
+    "failure_mode, error_pattern",
+    [
+        pytest.param(
+            {
+                "error": "expired_token",
+                "error_description": "the device code has expired",
+            },
+            r"the device code has expired \(expired_token\)",
+            id="expired token with description",
+        ),
+        pytest.param(
+            {"error": "access_denied"},
+            r"\(access_denied\)",
+            id="access denied without description",
+        ),
+        pytest.param(
+            {},
+            r"OAuth token retrieval failed",
+            id="broken error response",
+        ),
+    ],
+)
+@pytest.mark.parametrize("retries", [0, 1])
+def test_oauth_token_failures(
+    accept, openid_provider, retries, failure_mode, error_pattern
+):
+    client_id = secrets.token_hex()
+
+    sock, client = accept(
+        oauth_issuer=openid_provider.issuer,
+        oauth_client_id=client_id,
+    )
+
+    device_code = secrets.token_hex()
+    user_code = f"{secrets.token_hex(2)}-{secrets.token_hex(2)}"
+
+    # Set up our provider callbacks.
+    # NOTE that these callbacks will be called on a background thread. Don't do
+    # any unprotected state mutation here.
+
+    def authorization_endpoint(headers, params):
+        assert params["client_id"] == [client_id]
+
+        resp = {
+            "device_code": device_code,
+            "user_code": user_code,
+            "interval": 0,
+            "verification_uri": "https://example.com/device",
+            "expires_in": 5,
+        }
+
+        return 200, resp
+
+    openid_provider.register_endpoint(
+        "device_authorization_endpoint", "POST", "/device", authorization_endpoint
+    )
+
+    retry_lock = threading.Lock()
+
+    def token_endpoint(headers, params):
+        with retry_lock:
+            nonlocal retries
+
+            # If the test wants to force the client to retry, return an
+            # authorization_pending response and decrement the retry count.
+            if retries > 0:
+                retries -= 1
+                return 400, {"error": "authorization_pending"}
+
+        return 400, failure_mode
+
+    openid_provider.register_endpoint(
+        "token_endpoint", "POST", "/token", token_endpoint
+    )
+
+    with sock:
+        with pq3.wrap(sock, debug_stream=sys.stdout) as conn:
+            # Initiate a handshake, which should result in the above endpoints
+            # being called.
+            startup = pq3.recv1(conn, cls=pq3.Startup)
+            assert startup.proto == pq3.protocol(3, 0)
+
+            pq3.send(
+                conn,
+                pq3.types.AuthnRequest,
+                type=pq3.authn.SASL,
+                body=[b"OAUTHBEARER", b""],
+            )
+
+            # The client should not continue the connection due to the hardcoded
+            # provider failure; we disconnect here.
+
+    # Now make sure the client correctly failed.
+    with pytest.raises(psycopg2.OperationalError, match=error_pattern):
+        client.check_completed()
+
+
+@pytest.mark.parametrize("scope", [None, "openid email"])
+@pytest.mark.parametrize(
+    "base_response",
+    [
+        {"status": "invalid_token"},
+        {"extra_object": {"key": "value"}, "status": "invalid_token"},
+        {"extra_object": {"status": 1}, "status": "invalid_token"},
+    ],
+)
+def test_oauth_discovery(accept, openid_provider, base_response, scope):
+    sock, client = accept(oauth_client_id=secrets.token_hex())
+
+    device_code = secrets.token_hex()
+    user_code = f"{secrets.token_hex(2)}-{secrets.token_hex(2)}"
+    verification_url = "https://example.com/device"
+
+    access_token = secrets.token_urlsafe()
+
+    # Set up our provider callbacks.
+    # NOTE that these callbacks will be called on a background thread. Don't do
+    # any unprotected state mutation here.
+
+    def authorization_endpoint(headers, params):
+        if scope:
+            assert params["scope"] == [scope]
+        else:
+            assert "scope" not in params
+
+        resp = {
+            "device_code": device_code,
+            "user_code": user_code,
+            "interval": 0,
+            "verification_uri": verification_url,
+            "expires_in": 5,
+        }
+
+        return 200, resp
+
+    openid_provider.register_endpoint(
+        "device_authorization_endpoint", "POST", "/device", authorization_endpoint
+    )
+
+    def token_endpoint(headers, params):
+        assert params["grant_type"] == ["urn:ietf:params:oauth:grant-type:device_code"]
+        assert params["device_code"] == [device_code]
+
+        # Successfully finish the request by sending the access bearer token.
+        resp = {
+            "access_token": access_token,
+            "token_type": "bearer",
+        }
+
+        return 200, resp
+
+    openid_provider.register_endpoint(
+        "token_endpoint", "POST", "/token", token_endpoint
+    )
+
+    with sock:
+        with pq3.wrap(sock, debug_stream=sys.stdout) as conn:
+            initial = start_oauth_handshake(conn)
+
+            # For discovery, the client should send an empty auth header. See
+            # RFC 7628, Sec. 4.3.
+            auth = get_auth_value(initial)
+            assert auth == b""
+
+            # We will fail the first SASL exchange. First return a link to the
+            # discovery document, pointing to the test provider server.
+            resp = dict(base_response)
+
+            discovery_uri = f"{openid_provider.issuer}/.well-known/openid-configuration"
+            resp["openid-configuration"] = discovery_uri
+
+            if scope:
+                resp["scope"] = scope
+
+            resp = json.dumps(resp)
+
+            pq3.send(
+                conn,
+                pq3.types.AuthnRequest,
+                type=pq3.authn.SASLContinue,
+                body=resp.encode("ascii"),
+            )
+
+            # Per RFC, the client is required to send a dummy ^A response.
+            pkt = pq3.recv1(conn)
+            assert pkt.type == pq3.types.PasswordMessage
+            assert pkt.payload == b"\x01"
+
+            # Now fail the SASL exchange.
+            pq3.send(
+                conn,
+                pq3.types.ErrorResponse,
+                fields=[
+                    b"SFATAL",
+                    b"C28000",
+                    b"Mdoesn't matter",
+                    b"",
+                ],
+            )
+
+    # The client will connect to us a second time, using the parameters we sent
+    # it.
+    sock, _ = accept()
+
+    with sock:
+        with pq3.wrap(sock, debug_stream=sys.stdout) as conn:
+            initial = start_oauth_handshake(conn)
+
+            # Validate and accept the token.
+            auth = get_auth_value(initial)
+            assert auth == f"Bearer {access_token}".encode("ascii")
+
+            pq3.send(conn, pq3.types.AuthnRequest, type=pq3.authn.SASLFinal)
+            finish_handshake(conn)
+
+
+@pytest.mark.parametrize(
+    "response,expected_error",
+    [
+        pytest.param(
+            "abcde",
+            'Token "abcde" is invalid',
+            id="bad JSON: invalid syntax",
+        ),
+        pytest.param(
+            '"abcde"',
+            "top-level element must be an object",
+            id="bad JSON: top-level element is a string",
+        ),
+        pytest.param(
+            "[]",
+            "top-level element must be an object",
+            id="bad JSON: top-level element is an array",
+        ),
+        pytest.param(
+            "{}",
+            "server sent error response without a status",
+            id="bad JSON: no status member",
+        ),
+        pytest.param(
+            '{ "status": null }',
+            'field "status" must be a string',
+            id="bad JSON: null status member",
+        ),
+        pytest.param(
+            '{ "status": 0 }',
+            'field "status" must be a string',
+            id="bad JSON: int status member",
+        ),
+        pytest.param(
+            '{ "status": [ "bad" ] }',
+            'field "status" must be a string',
+            id="bad JSON: array status member",
+        ),
+        pytest.param(
+            '{ "status": { "bad": "bad" } }',
+            'field "status" must be a string',
+            id="bad JSON: object status member",
+        ),
+        pytest.param(
+            '{ "nested": { "status": "bad" } }',
+            "server sent error response without a status",
+            id="bad JSON: nested status",
+        ),
+        pytest.param(
+            '{ "status": "invalid_token" ',
+            "The input string ended unexpectedly",
+            id="bad JSON: unterminated object",
+        ),
+        pytest.param(
+            '{ "status": "invalid_token" } { }',
+            'Expected end of input, but found "{"',
+            id="bad JSON: trailing data",
+        ),
+        pytest.param(
+            '{ "status": "invalid_token", "openid-configuration": 1 }',
+            'field "openid-configuration" must be a string',
+            id="bad JSON: int openid-configuration member",
+        ),
+        pytest.param(
+            '{ "status": "invalid_token", "openid-configuration": 1 }',
+            'field "openid-configuration" must be a string',
+            id="bad JSON: int openid-configuration member",
+        ),
+        pytest.param(
+            '{ "status": "invalid_token", "scope": 1 }',
+            'field "scope" must be a string',
+            id="bad JSON: int scope member",
+        ),
+    ],
+)
+def test_oauth_discovery_server_error(accept, response, expected_error):
+    sock, client = accept(oauth_client_id=secrets.token_hex())
+
+    with sock:
+        with pq3.wrap(sock, debug_stream=sys.stdout) as conn:
+            initial = start_oauth_handshake(conn)
+
+            # Fail the SASL exchange with an invalid JSON response.
+            pq3.send(
+                conn,
+                pq3.types.AuthnRequest,
+                type=pq3.authn.SASLContinue,
+                body=response.encode("utf-8"),
+            )
+
+            # The client should disconnect, so the socket is closed here. (If
+            # the client doesn't disconnect, it will report a different error
+            # below and the test will fail.)
+
+    with pytest.raises(psycopg2.OperationalError, match=expected_error):
+        client.check_completed()
+
+
+@pytest.mark.parametrize(
+    "sasl_err,resp_type,resp_payload,expected_error",
+    [
+        pytest.param(
+            {"status": "invalid_request"},
+            pq3.types.ErrorResponse,
+            dict(
+                fields=[b"SFATAL", b"C28000", b"Mexpected error message", b""],
+            ),
+            "expected error message",
+            id="standard server error: invalid_request",
+        ),
+        pytest.param(
+            {"status": "invalid_token"},
+            pq3.types.ErrorResponse,
+            dict(
+                fields=[b"SFATAL", b"C28000", b"Mexpected error message", b""],
+            ),
+            "expected error message",
+            id="standard server error: invalid_token without discovery URI",
+        ),
+        pytest.param(
+            {"status": "invalid_request"},
+            pq3.types.AuthnRequest,
+            dict(type=pq3.authn.SASLContinue, body=b""),
+            "server sent additional OAuth data",
+            id="broken server: additional challenge after error",
+        ),
+        pytest.param(
+            {"status": "invalid_request"},
+            pq3.types.AuthnRequest,
+            dict(type=pq3.authn.SASLFinal),
+            "server sent additional OAuth data",
+            id="broken server: SASL success after error",
+        ),
+    ],
+)
+def test_oauth_server_error(accept, sasl_err, resp_type, resp_payload, expected_error):
+    sock, client = accept()
+
+    with sock:
+        with pq3.wrap(sock, debug_stream=sys.stdout) as conn:
+            start_oauth_handshake(conn)
+
+            # Ignore the client data. Return an error "challenge".
+            resp = json.dumps(sasl_err)
+            resp = resp.encode("utf-8")
+
+            pq3.send(
+                conn, pq3.types.AuthnRequest, type=pq3.authn.SASLContinue, body=resp
+            )
+
+            # Per RFC, the client is required to send a dummy ^A response.
+            pkt = pq3.recv1(conn)
+            assert pkt.type == pq3.types.PasswordMessage
+            assert pkt.payload == b"\x01"
+
+            # Now fail the SASL exchange (in either a valid way, or an invalid
+            # one, depending on the test).
+            pq3.send(conn, resp_type, **resp_payload)
+
+    with pytest.raises(psycopg2.OperationalError, match=expected_error):
+        client.check_completed()
diff --git a/src/test/python/pq3.py b/src/test/python/pq3.py
new file mode 100644
index 0000000000..3a22dad0b6
--- /dev/null
+++ b/src/test/python/pq3.py
@@ -0,0 +1,727 @@
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+
+import contextlib
+import getpass
+import io
+import os
+import ssl
+import sys
+import textwrap
+
+from construct import *
+
+import tls
+
+
+def protocol(major, minor):
+    """
+    Returns the protocol version, in integer format, corresponding to the given
+    major and minor version numbers.
+    """
+    return (major << 16) | minor
+
+
+# Startup
+
+StringList = GreedyRange(NullTerminated(GreedyBytes))
+
+
+class KeyValueAdapter(Adapter):
+    """
+    Turns a key-value store into a null-terminated list of null-terminated
+    strings, as presented on the wire in the startup packet.
+    """
+
+    def _encode(self, obj, context, path):
+        if isinstance(obj, list):
+            return obj
+
+        l = []
+
+        for k, v in obj.items():
+            if isinstance(k, str):
+                k = k.encode("utf-8")
+            l.append(k)
+
+            if isinstance(v, str):
+                v = v.encode("utf-8")
+            l.append(v)
+
+        l.append(b"")
+        return l
+
+    def _decode(self, obj, context, path):
+        # TODO: turn a list back into a dict
+        return obj
+
+
+KeyValues = KeyValueAdapter(StringList)
+
+_startup_payload = Switch(
+    this.proto,
+    {
+        protocol(3, 0): KeyValues,
+    },
+    default=GreedyBytes,
+)
+
+
+def _default_protocol(this):
+    try:
+        if isinstance(this.payload, (list, dict)):
+            return protocol(3, 0)
+    except AttributeError:
+        pass  # no payload passed during build
+
+    return 0
+
+
+def _startup_payload_len(this):
+    """
+    The payload field has a fixed size based on the length of the packet. But
+    if the caller hasn't supplied an explicit length at build time, we have to
+    build the payload to figure out how long it is, which requires us to know
+    the length first... This function exists solely to break the cycle.
+    """
+    assert this._building, "_startup_payload_len() cannot be called during parsing"
+
+    try:
+        payload = this.payload
+    except AttributeError:
+        return 0  # no payload
+
+    if isinstance(payload, bytes):
+        # already serialized; just use the given length
+        return len(payload)
+
+    try:
+        proto = this.proto
+    except AttributeError:
+        proto = _default_protocol(this)
+
+    data = _startup_payload.build(payload, proto=proto)
+    return len(data)
+
+
+Startup = Struct(
+    "len" / Default(Int32sb, lambda this: _startup_payload_len(this) + 8),
+    "proto" / Default(Hex(Int32sb), _default_protocol),
+    "payload" / FixedSized(this.len - 8, Default(_startup_payload, b"")),
+)
+
+# Pq3
+
+# Adapted from construct.core.EnumIntegerString
+class EnumNamedByte:
+    def __init__(self, val, name):
+        self._val = val
+        self._name = name
+
+    def __int__(self):
+        return ord(self._val)
+
+    def __str__(self):
+        return "(enum) %s %r" % (self._name, self._val)
+
+    def __repr__(self):
+        return "EnumNamedByte(%r)" % self._val
+
+    def __eq__(self, other):
+        if isinstance(other, EnumNamedByte):
+            other = other._val
+        if not isinstance(other, bytes):
+            return NotImplemented
+
+        return self._val == other
+
+    def __hash__(self):
+        return hash(self._val)
+
+
+# Adapted from construct.core.Enum
+class ByteEnum(Adapter):
+    def __init__(self, **mapping):
+        super(ByteEnum, self).__init__(Byte)
+        self.namemapping = {k: EnumNamedByte(v, k) for k, v in mapping.items()}
+        self.decmapping = {v: EnumNamedByte(v, k) for k, v in mapping.items()}
+
+    def __getattr__(self, name):
+        if name in self.namemapping:
+            return self.decmapping[self.namemapping[name]]
+        raise AttributeError
+
+    def _decode(self, obj, context, path):
+        b = bytes([obj])
+        try:
+            return self.decmapping[b]
+        except KeyError:
+            return EnumNamedByte(b, "(unknown)")
+
+    def _encode(self, obj, context, path):
+        if isinstance(obj, int):
+            return obj
+        elif isinstance(obj, bytes):
+            return ord(obj)
+        return int(obj)
+
+
+types = ByteEnum(
+    ErrorResponse=b"E",
+    ReadyForQuery=b"Z",
+    Query=b"Q",
+    EmptyQueryResponse=b"I",
+    AuthnRequest=b"R",
+    PasswordMessage=b"p",
+    BackendKeyData=b"K",
+    CommandComplete=b"C",
+    ParameterStatus=b"S",
+    DataRow=b"D",
+    Terminate=b"X",
+)
+
+
+authn = Enum(
+    Int32ub,
+    OK=0,
+    SASL=10,
+    SASLContinue=11,
+    SASLFinal=12,
+)
+
+
+_authn_body = Switch(
+    this.type,
+    {
+        authn.OK: Terminated,
+        authn.SASL: StringList,
+    },
+    default=GreedyBytes,
+)
+
+
+def _data_len(this):
+    assert this._building, "_data_len() cannot be called during parsing"
+
+    if not hasattr(this, "data") or this.data is None:
+        return -1
+
+    return len(this.data)
+
+
+# The protocol reuses the PasswordMessage for several authentication response
+# types, and there's no good way to figure out which is which without keeping
+# state for the entire stream. So this is a separate Construct that can be
+# explicitly parsed/built by code that knows it's needed.
+SASLInitialResponse = Struct(
+    "name" / NullTerminated(GreedyBytes),
+    "len" / Default(Int32sb, lambda this: _data_len(this)),
+    "data"
+    / IfThenElse(
+        # Allow tests to explicitly pass an incorrect length during testing, by
+        # not enforcing a FixedSized during build. (The len calculation above
+        # defaults to the correct size.)
+        this._building,
+        Optional(GreedyBytes),
+        If(this.len != -1, Default(FixedSized(this.len, GreedyBytes), b"")),
+    ),
+    Terminated,  # make sure the entire response is consumed
+)
+
+
+_column = FocusedSeq(
+    "data",
+    "len" / Default(Int32sb, lambda this: _data_len(this)),
+    "data" / If(this.len != -1, FixedSized(this.len, GreedyBytes)),
+)
+
+
+_payload_map = {
+    types.ErrorResponse: Struct("fields" / StringList),
+    types.ReadyForQuery: Struct("status" / Bytes(1)),
+    types.Query: Struct("query" / NullTerminated(GreedyBytes)),
+    types.EmptyQueryResponse: Terminated,
+    types.AuthnRequest: Struct("type" / authn, "body" / Default(_authn_body, b"")),
+    types.BackendKeyData: Struct("pid" / Int32ub, "key" / Hex(Int32ub)),
+    types.CommandComplete: Struct("tag" / NullTerminated(GreedyBytes)),
+    types.ParameterStatus: Struct(
+        "name" / NullTerminated(GreedyBytes), "value" / NullTerminated(GreedyBytes)
+    ),
+    types.DataRow: Struct("columns" / Default(PrefixedArray(Int16sb, _column), b"")),
+    types.Terminate: Terminated,
+}
+
+
+_payload = FocusedSeq(
+    "_payload",
+    "_payload"
+    / Switch(
+        this._.type,
+        _payload_map,
+        default=GreedyBytes,
+    ),
+    Terminated,  # make sure every payload consumes the entire packet
+)
+
+
+def _payload_len(this):
+    """
+    See _startup_payload_len() for an explanation.
+    """
+    assert this._building, "_payload_len() cannot be called during parsing"
+
+    try:
+        payload = this.payload
+    except AttributeError:
+        return 0  # no payload
+
+    if isinstance(payload, bytes):
+        # already serialized; just use the given length
+        return len(payload)
+
+    data = _payload.build(payload, type=this.type)
+    return len(data)
+
+
+Pq3 = Struct(
+    "type" / types,
+    "len" / Default(Int32ub, lambda this: _payload_len(this) + 4),
+    "payload" / FixedSized(this.len - 4, Default(_payload, b"")),
+)
+
+
+# Environment
+
+
+def pghost():
+    return os.environ.get("PGHOST", default="localhost")
+
+
+def pgport():
+    return int(os.environ.get("PGPORT", default=5432))
+
+
+def pguser():
+    try:
+        return os.environ["PGUSER"]
+    except KeyError:
+        return getpass.getuser()
+
+
+def pgdatabase():
+    return os.environ.get("PGDATABASE", default="postgres")
+
+
+# Connections
+
+
+def _hexdump_translation_map():
+    """
+    For hexdumps. Translates any unprintable or non-ASCII bytes into '.'.
+    """
+    input = bytearray()
+
+    for i in range(128):
+        c = chr(i)
+
+        if not c.isprintable():
+            input += bytes([i])
+
+    input += bytes(range(128, 256))
+
+    return bytes.maketrans(input, b"." * len(input))
+
+
+class _DebugStream(object):
+    """
+    Wraps a file-like object and adds hexdumps of the read and write data. Call
+    end_packet() on a _DebugStream to write the accumulated hexdumps to the
+    output stream, along with the packet that was sent.
+    """
+
+    _translation_map = _hexdump_translation_map()
+
+    def __init__(self, stream, out=sys.stdout):
+        """
+        Creates a new _DebugStream wrapping the given stream (which must have
+        been created by wrap()). All attributes not provided by the _DebugStream
+        are delegated to the wrapped stream. out is the text stream to which
+        hexdumps are written.
+        """
+        self.raw = stream
+        self._out = out
+        self._rbuf = io.BytesIO()
+        self._wbuf = io.BytesIO()
+
+    def __getattr__(self, name):
+        return getattr(self.raw, name)
+
+    def __setattr__(self, name, value):
+        if name in ("raw", "_out", "_rbuf", "_wbuf"):
+            return object.__setattr__(self, name, value)
+
+        setattr(self.raw, name, value)
+
+    def read(self, *args, **kwargs):
+        buf = self.raw.read(*args, **kwargs)
+
+        self._rbuf.write(buf)
+        return buf
+
+    def write(self, b):
+        self._wbuf.write(b)
+        return self.raw.write(b)
+
+    def recv(self, *args):
+        buf = self.raw.recv(*args)
+
+        self._rbuf.write(buf)
+        return buf
+
+    def _flush(self, buf, prefix):
+        width = 16
+        hexwidth = width * 3 - 1
+
+        count = 0
+        buf.seek(0)
+
+        while True:
+            line = buf.read(16)
+
+            if not line:
+                if count:
+                    self._out.write("\n")  # separate the output block with a newline
+                return
+
+            self._out.write("%s %04X:\t" % (prefix, count))
+            self._out.write("%*s\t" % (-hexwidth, line.hex(" ")))
+            self._out.write(line.translate(self._translation_map).decode("ascii"))
+            self._out.write("\n")
+
+            count += 16
+
+    def print_debug(self, obj, *, prefix=""):
+        contents = ""
+        if obj is not None:
+            contents = str(obj)
+
+        for line in contents.splitlines():
+            self._out.write("%s%s\n" % (prefix, line))
+
+        self._out.write("\n")
+
+    def flush_debug(self, *, prefix=""):
+        self._flush(self._rbuf, prefix + "<")
+        self._rbuf = io.BytesIO()
+
+        self._flush(self._wbuf, prefix + ">")
+        self._wbuf = io.BytesIO()
+
+    def end_packet(self, pkt, *, read=False, prefix="", indent="  "):
+        """
+        Marks the end of a logical "packet" of data. A string representation of
+        pkt will be printed, and the debug buffers will be flushed with an
+        indent. All lines can be optionally prefixed.
+
+        If read is True, the packet representation is written after the debug
+        buffers; otherwise the default of False (meaning write) causes the
+        packet representation to be dumped first. This is meant to capture the
+        logical flow of layer translation.
+        """
+        write = not read
+
+        if write:
+            self.print_debug(pkt, prefix=prefix + "> ")
+
+        self.flush_debug(prefix=prefix + indent)
+
+        if read:
+            self.print_debug(pkt, prefix=prefix + "< ")
+
+
+@contextlib.contextmanager
+def wrap(socket, *, debug_stream=None):
+    """
+    Transforms a raw socket into a connection that can be used for Construct
+    building and parsing. The return value is a context manager and can be used
+    in a with statement.
+    """
+    # It is critical that buffering be disabled here, so that we can still
+    # manipulate the raw socket without desyncing the stream.
+    with socket.makefile("rwb", buffering=0) as sfile:
+        # Expose the original socket's recv() on the SocketIO object we return.
+        def recv(self, *args):
+            return socket.recv(*args)
+
+        sfile.recv = recv.__get__(sfile)
+
+        conn = sfile
+        if debug_stream:
+            conn = _DebugStream(conn, debug_stream)
+
+        try:
+            yield conn
+        finally:
+            if debug_stream:
+                conn.flush_debug(prefix="? ")
+
+
+def _send(stream, cls, obj):
+    debugging = hasattr(stream, "flush_debug")
+    out = io.BytesIO()
+
+    # Ideally we would build directly to the passed stream, but because we need
+    # to reparse the generated output for the debugging case, build to an
+    # intermediate BytesIO and send it instead.
+    cls.build_stream(obj, out)
+    buf = out.getvalue()
+
+    stream.write(buf)
+    if debugging:
+        pkt = cls.parse(buf)
+        stream.end_packet(pkt)
+
+    stream.flush()
+
+
+def send(stream, packet_type, payload_data=None, **payloadkw):
+    """
+    Sends a packet on the given pq3 connection. type is the pq3.types member
+    that should be assigned to the packet. If payload_data is given, it will be
+    used as the packet payload; otherwise the key/value pairs in payloadkw will
+    be the payload contents.
+    """
+    data = payloadkw
+
+    if payload_data is not None:
+        if payloadkw:
+            raise ValueError(
+                "payload_data and payload keywords may not be used simultaneously"
+            )
+
+        data = payload_data
+
+    _send(stream, Pq3, dict(type=packet_type, payload=data))
+
+
+def send_startup(stream, proto=None, **kwargs):
+    """
+    Sends a startup packet on the given pq3 connection. In most cases you should
+    use the handshake functions instead, which will do this for you.
+
+    By default, a protocol version 3 packet will be sent. This can be overridden
+    with the proto parameter.
+    """
+    pkt = {}
+
+    if proto is not None:
+        pkt["proto"] = proto
+    if kwargs:
+        pkt["payload"] = kwargs
+
+    _send(stream, Startup, pkt)
+
+
+def recv1(stream, *, cls=Pq3):
+    """
+    Receives a single pq3 packet from the given stream and returns it.
+    """
+    resp = cls.parse_stream(stream)
+
+    debugging = hasattr(stream, "flush_debug")
+    if debugging:
+        stream.end_packet(resp, read=True)
+
+    return resp
+
+
+def handshake(stream, **kwargs):
+    """
+    Performs a libpq v3 startup handshake. kwargs should contain the key/value
+    parameters to send to the server in the startup packet.
+    """
+    # Send our startup parameters.
+    send_startup(stream, **kwargs)
+
+    # Receive and dump packets until the server indicates it's ready for our
+    # first query.
+    while True:
+        resp = recv1(stream)
+        if resp is None:
+            raise RuntimeError("server closed connection during handshake")
+
+        if resp.type == types.ReadyForQuery:
+            return
+        elif resp.type == types.ErrorResponse:
+            raise RuntimeError(
+                f"received error response from peer: {resp.payload.fields!r}"
+            )
+
+
+# TLS
+
+
+class _TLSStream(object):
+    """
+    A file-like object that performs TLS encryption/decryption on a wrapped
+    stream. Differs from ssl.SSLSocket in that we have full visibility and
+    control over the TLS layer.
+    """
+
+    def __init__(self, stream, context):
+        self._stream = stream
+        self._debugging = hasattr(stream, "flush_debug")
+
+        self._in = ssl.MemoryBIO()
+        self._out = ssl.MemoryBIO()
+        self._ssl = context.wrap_bio(self._in, self._out)
+
+    def handshake(self):
+        try:
+            self._pump(lambda: self._ssl.do_handshake())
+        finally:
+            self._flush_debug(prefix="? ")
+
+    def read(self, *args):
+        return self._pump(lambda: self._ssl.read(*args))
+
+    def write(self, *args):
+        return self._pump(lambda: self._ssl.write(*args))
+
+    def _decode(self, buf):
+        """
+        Attempts to decode a buffer of TLS data into a packet representation
+        that can be printed.
+
+        TODO: handle buffers (and record fragments) that don't align with packet
+        boundaries.
+        """
+        end = len(buf)
+        bio = io.BytesIO(buf)
+
+        ret = io.StringIO()
+
+        while bio.tell() < end:
+            record = tls.Plaintext.parse_stream(bio)
+
+            if ret.tell() > 0:
+                ret.write("\n")
+            ret.write("[Record] ")
+            ret.write(str(record))
+            ret.write("\n")
+
+            if record.type == tls.ContentType.handshake:
+                record_cls = tls.Handshake
+            else:
+                continue
+
+            innerlen = len(record.fragment)
+            inner = io.BytesIO(record.fragment)
+
+            while inner.tell() < innerlen:
+                msg = record_cls.parse_stream(inner)
+
+                indented = "[Message] " + str(msg)
+                indented = textwrap.indent(indented, "    ")
+
+                ret.write("\n")
+                ret.write(indented)
+                ret.write("\n")
+
+        return ret.getvalue()
+
+    def flush(self):
+        if not self._out.pending:
+            self._stream.flush()
+            return
+
+        buf = self._out.read()
+        self._stream.write(buf)
+
+        if self._debugging:
+            pkt = self._decode(buf)
+            self._stream.end_packet(pkt, prefix="  ")
+
+        self._stream.flush()
+
+    def _pump(self, operation):
+        while True:
+            try:
+                return operation()
+            except (ssl.SSLWantReadError, ssl.SSLWantWriteError) as e:
+                want = e
+            self._read_write(want)
+
+    def _recv(self, maxsize):
+        buf = self._stream.recv(4096)
+        if not buf:
+            self._in.write_eof()
+            return
+
+        self._in.write(buf)
+
+        if not self._debugging:
+            return
+
+        pkt = self._decode(buf)
+        self._stream.end_packet(pkt, read=True, prefix="  ")
+
+    def _read_write(self, want):
+        # XXX This needs work. So many corner cases yet to handle. For one,
+        # doing blocking writes in flush may lead to distributed deadlock if the
+        # peer is already blocking on its writes.
+
+        if isinstance(want, ssl.SSLWantWriteError):
+            assert self._out.pending, "SSL backend wants write without data"
+
+        self.flush()
+
+        if isinstance(want, ssl.SSLWantReadError):
+            self._recv(4096)
+
+    def _flush_debug(self, prefix):
+        if not self._debugging:
+            return
+
+        self._stream.flush_debug(prefix=prefix)
+
+
+@contextlib.contextmanager
+def tls_handshake(stream, context):
+    """
+    Performs a TLS handshake over the given stream (which must have been created
+    via a call to wrap()), and returns a new stream which transparently tunnels
+    data over the TLS connection.
+
+    If the passed stream has debugging enabled, the returned stream will also
+    have debugging, using the same output IO.
+    """
+    debugging = hasattr(stream, "flush_debug")
+
+    # Send our startup parameters.
+    send_startup(stream, proto=protocol(1234, 5679))
+
+    # Look at the SSL response.
+    resp = stream.read(1)
+    if debugging:
+        stream.flush_debug(prefix="  ")
+
+    if resp == b"N":
+        raise RuntimeError("server does not support SSLRequest")
+    if resp != b"S":
+        raise RuntimeError(f"unexpected response of type {resp!r} during TLS startup")
+
+    tls = _TLSStream(stream, context)
+    tls.handshake()
+
+    if debugging:
+        tls = _DebugStream(tls, stream._out)
+
+    try:
+        yield tls
+        # TODO: teardown/unwrap the connection?
+    finally:
+        if debugging:
+            tls.flush_debug(prefix="? ")
diff --git a/src/test/python/pytest.ini b/src/test/python/pytest.ini
new file mode 100644
index 0000000000..ab7a6e7fb9
--- /dev/null
+++ b/src/test/python/pytest.ini
@@ -0,0 +1,4 @@
+[pytest]
+
+markers =
+    slow: mark test as slow
diff --git a/src/test/python/requirements.txt b/src/test/python/requirements.txt
new file mode 100644
index 0000000000..32f105ea84
--- /dev/null
+++ b/src/test/python/requirements.txt
@@ -0,0 +1,7 @@
+black
+cryptography~=3.4.6
+construct~=2.10.61
+isort~=5.6
+psycopg2~=2.8.6
+pytest~=6.1
+pytest-asyncio~=0.14.0
diff --git a/src/test/python/server/__init__.py b/src/test/python/server/__init__.py
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/test/python/server/conftest.py b/src/test/python/server/conftest.py
new file mode 100644
index 0000000000..ba7342a453
--- /dev/null
+++ b/src/test/python/server/conftest.py
@@ -0,0 +1,45 @@
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+
+import contextlib
+import socket
+import sys
+
+import pytest
+
+import pq3
+
+
+@pytest.fixture
+def connect():
+    """
+    A factory fixture that, when called, returns a socket connected to a
+    Postgres server, wrapped in a pq3 connection. The calling test will be
+    skipped automatically if a server is not running at PGHOST:PGPORT, so it's
+    best to connect as soon as possible after the test case begins, to avoid
+    doing unnecessary work.
+    """
+    # Set up an ExitStack to handle safe cleanup of all of the moving pieces.
+    with contextlib.ExitStack() as stack:
+
+        def conn_factory():
+            addr = (pq3.pghost(), pq3.pgport())
+
+            try:
+                sock = socket.create_connection(addr, timeout=2)
+            except ConnectionError as e:
+                pytest.skip(f"unable to connect to {addr}: {e}")
+
+            # Have ExitStack close our socket.
+            stack.enter_context(sock)
+
+            # Wrap the connection in a pq3 layer and have ExitStack clean it up
+            # too.
+            wrap_ctx = pq3.wrap(sock, debug_stream=sys.stdout)
+            conn = stack.enter_context(wrap_ctx)
+
+            return conn
+
+        yield conn_factory
diff --git a/src/test/python/server/test_oauth.py b/src/test/python/server/test_oauth.py
new file mode 100644
index 0000000000..cb5ca7fa23
--- /dev/null
+++ b/src/test/python/server/test_oauth.py
@@ -0,0 +1,1012 @@
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+
+import base64
+import contextlib
+import json
+import os
+import pathlib
+import secrets
+import shlex
+import shutil
+import socket
+import struct
+from multiprocessing import shared_memory
+
+import psycopg2
+import pytest
+from psycopg2 import sql
+
+import pq3
+
+MAX_SASL_MESSAGE_LENGTH = 65535
+
+INVALID_AUTHORIZATION_ERRCODE = b"28000"
+PROTOCOL_VIOLATION_ERRCODE = b"08P01"
+FEATURE_NOT_SUPPORTED_ERRCODE = b"0A000"
+
+SHARED_MEM_NAME = "oauth-pytest"
+MAX_TOKEN_SIZE = 4096
+MAX_UINT16 = 2 ** 16 - 1
+
+
+def skip_if_no_postgres():
+    """
+    Used by the oauth_ctx fixture to skip this test module if no Postgres server
+    is running.
+
+    This logic is nearly duplicated with the conn fixture. Ideally oauth_ctx
+    would depend on that, but a module-scope fixture can't depend on a
+    test-scope fixture, and we haven't reached the rule of three yet.
+    """
+    addr = (pq3.pghost(), pq3.pgport())
+
+    try:
+        with socket.create_connection(addr, timeout=2):
+            pass
+    except ConnectionError as e:
+        pytest.skip(f"unable to connect to {addr}: {e}")
+
+
+@contextlib.contextmanager
+def prepend_file(path, lines):
+    """
+    A context manager that prepends a file on disk with the desired lines of
+    text. When the context manager is exited, the file will be restored to its
+    original contents.
+    """
+    # First make a backup of the original file.
+    bak = path + ".bak"
+    shutil.copy2(path, bak)
+
+    try:
+        # Write the new lines, followed by the original file content.
+        with open(path, "w") as new, open(bak, "r") as orig:
+            new.writelines(lines)
+            shutil.copyfileobj(orig, new)
+
+        # Return control to the calling code.
+        yield
+
+    finally:
+        # Put the backup back into place.
+        os.replace(bak, path)
+
+
+@pytest.fixture(scope="module")
+def oauth_ctx():
+    """
+    Creates a database and user that use the oauth auth method. The context
+    object contains the dbname and user attributes as strings to be used during
+    connection, as well as the issuer and scope that have been set in the HBA
+    configuration.
+
+    This fixture assumes that the standard PG* environment variables point to a
+    server running on a local machine, and that the PGUSER has rights to create
+    databases and roles.
+    """
+    skip_if_no_postgres()  # don't bother running these tests without a server
+
+    id = secrets.token_hex(4)
+
+    class Context:
+        dbname = "oauth_test_" + id
+
+        user = "oauth_user_" + id
+        map_user = "oauth_map_user_" + id
+        authz_user = "oauth_authz_user_" + id
+
+        issuer = "https://example.com/" + id
+        scope = "openid " + id
+
+    ctx = Context()
+    hba_lines = (
+        f'host {ctx.dbname} {ctx.map_user}   samehost oauth issuer="{ctx.issuer}" scope="{ctx.scope}" map=oauth\n',
+        f'host {ctx.dbname} {ctx.authz_user} samehost oauth issuer="{ctx.issuer}" scope="{ctx.scope}" trust_validator_authz=1\n',
+        f'host {ctx.dbname} all              samehost oauth issuer="{ctx.issuer}" scope="{ctx.scope}"\n',
+    )
+    ident_lines = (r"oauth /^(.*)@example\.com$ \1",)
+
+    conn = psycopg2.connect("")
+    conn.autocommit = True
+
+    with contextlib.closing(conn):
+        c = conn.cursor()
+
+        # Create our roles and database.
+        user = sql.Identifier(ctx.user)
+        map_user = sql.Identifier(ctx.map_user)
+        authz_user = sql.Identifier(ctx.authz_user)
+        dbname = sql.Identifier(ctx.dbname)
+
+        c.execute(sql.SQL("CREATE ROLE {} LOGIN;").format(user))
+        c.execute(sql.SQL("CREATE ROLE {} LOGIN;").format(map_user))
+        c.execute(sql.SQL("CREATE ROLE {} LOGIN;").format(authz_user))
+        c.execute(sql.SQL("CREATE DATABASE {};").format(dbname))
+
+        # Make this test script the server's oauth_validator.
+        path = pathlib.Path(__file__).parent / "validate_bearer.py"
+        path = str(path.absolute())
+
+        cmd = f"{shlex.quote(path)} {SHARED_MEM_NAME} <&%f"
+        c.execute("ALTER SYSTEM SET oauth_validator_command TO %s;", (cmd,))
+
+        # Replace pg_hba and pg_ident.
+        c.execute("SHOW hba_file;")
+        hba = c.fetchone()[0]
+
+        c.execute("SHOW ident_file;")
+        ident = c.fetchone()[0]
+
+        with prepend_file(hba, hba_lines), prepend_file(ident, ident_lines):
+            c.execute("SELECT pg_reload_conf();")
+
+            # Use the new database and user.
+            yield ctx
+
+        # Put things back the way they were.
+        c.execute("SELECT pg_reload_conf();")
+
+        c.execute("ALTER SYSTEM RESET oauth_validator_command;")
+        c.execute(sql.SQL("DROP DATABASE {};").format(dbname))
+        c.execute(sql.SQL("DROP ROLE {};").format(authz_user))
+        c.execute(sql.SQL("DROP ROLE {};").format(map_user))
+        c.execute(sql.SQL("DROP ROLE {};").format(user))
+
+
+@pytest.fixture()
+def conn(oauth_ctx, connect):
+    """
+    A convenience wrapper for connect(). The main purpose of this fixture is to
+    make sure oauth_ctx runs its setup code before the connection is made.
+    """
+    return connect()
+
+
+@pytest.fixture(scope="module", autouse=True)
+def authn_id_extension(oauth_ctx):
+    """
+    Performs a `CREATE EXTENSION authn_id` in the test database. This fixture is
+    autoused, so tests don't need to rely on it.
+    """
+    conn = psycopg2.connect(database=oauth_ctx.dbname)
+    conn.autocommit = True
+
+    with contextlib.closing(conn):
+        c = conn.cursor()
+        c.execute("CREATE EXTENSION authn_id;")
+
+
+@pytest.fixture(scope="session")
+def shared_mem():
+    """
+    Yields a shared memory segment that can be used for communication between
+    the bearer_token fixture and ./validate_bearer.py.
+    """
+    size = MAX_TOKEN_SIZE + 2  # two byte length prefix
+    mem = shared_memory.SharedMemory(SHARED_MEM_NAME, create=True, size=size)
+
+    try:
+        with contextlib.closing(mem):
+            yield mem
+    finally:
+        mem.unlink()
+
+
+@pytest.fixture()
+def bearer_token(shared_mem):
+    """
+    Returns a factory function that, when called, will store a Bearer token in
+    shared_mem. If token is None (the default), a new token will be generated
+    using secrets.token_urlsafe() and returned; otherwise the passed token will
+    be used as-is.
+
+    When token is None, the generated token size in bytes may be specified as an
+    argument; if unset, a small 16-byte token will be generated. The token size
+    may not exceed MAX_TOKEN_SIZE in any case.
+
+    The return value is the token, converted to a bytes object.
+
+    As a special case for testing failure modes, accept_any may be set to True.
+    This signals to the validator command that any bearer token should be
+    accepted. The returned token in this case may be used or discarded as needed
+    by the test.
+    """
+
+    def set_token(token=None, *, size=16, accept_any=False):
+        if token is not None:
+            size = len(token)
+
+        if size > MAX_TOKEN_SIZE:
+            raise ValueError(f"token size {size} exceeds maximum size {MAX_TOKEN_SIZE}")
+
+        if token is None:
+            if size % 4:
+                raise ValueError(f"requested token size {size} is not a multiple of 4")
+
+            token = secrets.token_urlsafe(size // 4 * 3)
+            assert len(token) == size
+
+        try:
+            token = token.encode("ascii")
+        except AttributeError:
+            pass  # already encoded
+
+        if accept_any:
+            # Two-byte magic value.
+            shared_mem.buf[:2] = struct.pack("H", MAX_UINT16)
+        else:
+            # Two-byte length prefix, then the token data.
+            shared_mem.buf[:2] = struct.pack("H", len(token))
+            shared_mem.buf[2 : size + 2] = token
+
+        return token
+
+    return set_token
+
+
+def begin_oauth_handshake(conn, oauth_ctx, *, user=None):
+    if user is None:
+        user = oauth_ctx.authz_user
+
+    pq3.send_startup(conn, user=user, database=oauth_ctx.dbname)
+
+    resp = pq3.recv1(conn)
+    assert resp.type == pq3.types.AuthnRequest
+
+    # The server should advertise exactly one mechanism.
+    assert resp.payload.type == pq3.authn.SASL
+    assert resp.payload.body == [b"OAUTHBEARER", b""]
+
+
+def send_initial_response(conn, *, auth=None, bearer=None):
+    """
+    Sends the OAUTHBEARER initial response on the connection, using the given
+    bearer token. Alternatively to a bearer token, the initial response's auth
+    field may be explicitly specified to test corner cases.
+    """
+    if bearer is not None and auth is not None:
+        raise ValueError("exactly one of the auth and bearer kwargs must be set")
+
+    if bearer is not None:
+        auth = b"Bearer " + bearer
+
+    if auth is None:
+        raise ValueError("exactly one of the auth and bearer kwargs must be set")
+
+    initial = pq3.SASLInitialResponse.build(
+        dict(
+            name=b"OAUTHBEARER",
+            data=b"n,,\x01auth=" + auth + b"\x01\x01",
+        )
+    )
+    pq3.send(conn, pq3.types.PasswordMessage, initial)
+
+
+def expect_handshake_success(conn):
+    """
+    Validates that the server responds with an AuthnOK message, and then drains
+    the connection until a ReadyForQuery message is received.
+    """
+    resp = pq3.recv1(conn)
+
+    assert resp.type == pq3.types.AuthnRequest
+    assert resp.payload.type == pq3.authn.OK
+    assert not resp.payload.body
+
+    receive_until(conn, pq3.types.ReadyForQuery)
+
+
+def expect_handshake_failure(conn, oauth_ctx):
+    """
+    Performs the OAUTHBEARER SASL failure "handshake" and validates the server's
+    side of the conversation, including the final ErrorResponse.
+    """
+
+    # We expect a discovery "challenge" back from the server before the authn
+    # failure message.
+    resp = pq3.recv1(conn)
+    assert resp.type == pq3.types.AuthnRequest
+
+    req = resp.payload
+    assert req.type == pq3.authn.SASLContinue
+
+    body = json.loads(req.body)
+    assert body["status"] == "invalid_token"
+    assert body["scope"] == oauth_ctx.scope
+
+    expected_config = oauth_ctx.issuer + "/.well-known/openid-configuration"
+    assert body["openid-configuration"] == expected_config
+
+    # Send the dummy response to complete the failed handshake.
+    pq3.send(conn, pq3.types.PasswordMessage, b"\x01")
+    resp = pq3.recv1(conn)
+
+    err = ExpectedError(INVALID_AUTHORIZATION_ERRCODE, "bearer authentication failed")
+    err.match(resp)
+
+
+def receive_until(conn, type):
+    """
+    receive_until pulls packets off the pq3 connection until a packet with the
+    desired type is found, or an error response is received.
+    """
+    while True:
+        pkt = pq3.recv1(conn)
+
+        if pkt.type == type:
+            return pkt
+        elif pkt.type == pq3.types.ErrorResponse:
+            raise RuntimeError(
+                f"received error response from peer: {pkt.payload.fields!r}"
+            )
+
+
+@pytest.mark.parametrize("token_len", [16, 1024, 4096])
+@pytest.mark.parametrize(
+    "auth_prefix",
+    [
+        b"Bearer ",
+        b"bearer ",
+        b"Bearer    ",
+    ],
+)
+def test_oauth(conn, oauth_ctx, bearer_token, auth_prefix, token_len):
+    begin_oauth_handshake(conn, oauth_ctx)
+
+    # Generate our bearer token with the desired length.
+    token = bearer_token(size=token_len)
+    auth = auth_prefix + token
+
+    send_initial_response(conn, auth=auth)
+    expect_handshake_success(conn)
+
+    # Make sure that the server has not set an authenticated ID.
+    pq3.send(conn, pq3.types.Query, query=b"SELECT authn_id();")
+    resp = receive_until(conn, pq3.types.DataRow)
+
+    row = resp.payload
+    assert row.columns == [None]
+
+
+@pytest.mark.parametrize(
+    "token_value",
+    [
+        "abcdzA==",
+        "123456M=",
+        "x-._~+/x",
+    ],
+)
+def test_oauth_bearer_corner_cases(conn, oauth_ctx, bearer_token, token_value):
+    begin_oauth_handshake(conn, oauth_ctx)
+
+    send_initial_response(conn, bearer=bearer_token(token_value))
+
+    expect_handshake_success(conn)
+
+
+@pytest.mark.parametrize(
+    "user,authn_id,should_succeed",
+    [
+        pytest.param(
+            lambda ctx: ctx.user,
+            lambda ctx: ctx.user,
+            True,
+            id="validator authn: succeeds when authn_id == username",
+        ),
+        pytest.param(
+            lambda ctx: ctx.user,
+            lambda ctx: None,
+            False,
+            id="validator authn: fails when authn_id is not set",
+        ),
+        pytest.param(
+            lambda ctx: ctx.user,
+            lambda ctx: ctx.authz_user,
+            False,
+            id="validator authn: fails when authn_id != username",
+        ),
+        pytest.param(
+            lambda ctx: ctx.map_user,
+            lambda ctx: ctx.map_user + "@example.com",
+            True,
+            id="validator with map: succeeds when authn_id matches map",
+        ),
+        pytest.param(
+            lambda ctx: ctx.map_user,
+            lambda ctx: None,
+            False,
+            id="validator with map: fails when authn_id is not set",
+        ),
+        pytest.param(
+            lambda ctx: ctx.map_user,
+            lambda ctx: ctx.map_user + "@example.net",
+            False,
+            id="validator with map: fails when authn_id doesn't match map",
+        ),
+        pytest.param(
+            lambda ctx: ctx.authz_user,
+            lambda ctx: None,
+            True,
+            id="validator authz: succeeds with no authn_id",
+        ),
+        pytest.param(
+            lambda ctx: ctx.authz_user,
+            lambda ctx: "",
+            True,
+            id="validator authz: succeeds with empty authn_id",
+        ),
+        pytest.param(
+            lambda ctx: ctx.authz_user,
+            lambda ctx: "postgres",
+            True,
+            id="validator authz: succeeds with basic username",
+        ),
+        pytest.param(
+            lambda ctx: ctx.authz_user,
+            lambda ctx: "me@example.com",
+            True,
+            id="validator authz: succeeds with email address",
+        ),
+    ],
+)
+def test_oauth_authn_id(conn, oauth_ctx, bearer_token, user, authn_id, should_succeed):
+    token = None
+
+    authn_id = authn_id(oauth_ctx)
+    if authn_id is not None:
+        authn_id = authn_id.encode("ascii")
+
+        # As a hack to get the validator to reflect arbitrary output from this
+        # test, encode the desired output as a base64 token. The validator will
+        # key on the leading "output=" to differentiate this from the random
+        # tokens generated by secrets.token_urlsafe().
+        output = b"output=" + authn_id + b"\n"
+        token = base64.urlsafe_b64encode(output)
+
+    token = bearer_token(token)
+    username = user(oauth_ctx)
+
+    begin_oauth_handshake(conn, oauth_ctx, user=username)
+    send_initial_response(conn, bearer=token)
+
+    if not should_succeed:
+        expect_handshake_failure(conn, oauth_ctx)
+        return
+
+    expect_handshake_success(conn)
+
+    # Check the reported authn_id.
+    pq3.send(conn, pq3.types.Query, query=b"SELECT authn_id();")
+    resp = receive_until(conn, pq3.types.DataRow)
+
+    row = resp.payload
+    assert row.columns == [authn_id]
+
+
+class ExpectedError(object):
+    def __init__(self, code, msg=None, detail=None):
+        self.code = code
+        self.msg = msg
+        self.detail = detail
+
+        # Protect against the footgun of an accidental empty string, which will
+        # "match" anything. If you don't want to match message or detail, just
+        # don't pass them.
+        if self.msg == "":
+            raise ValueError("msg must be non-empty or None")
+        if self.detail == "":
+            raise ValueError("detail must be non-empty or None")
+
+    def _getfield(self, resp, type):
+        """
+        Searches an ErrorResponse for a single field of the given type (e.g.
+        "M", "C", "D") and returns its value. Asserts if it doesn't find exactly
+        one field.
+        """
+        prefix = type.encode("ascii")
+        fields = [f for f in resp.payload.fields if f.startswith(prefix)]
+
+        assert len(fields) == 1
+        return fields[0][1:]  # strip off the type byte
+
+    def match(self, resp):
+        """
+        Checks that the given response matches the expected code, message, and
+        detail (if given). The error code must match exactly. The expected
+        message and detail must be contained within the actual strings.
+        """
+        assert resp.type == pq3.types.ErrorResponse
+
+        code = self._getfield(resp, "C")
+        assert code == self.code
+
+        if self.msg:
+            msg = self._getfield(resp, "M")
+            expected = self.msg.encode("utf-8")
+            assert expected in msg
+
+        if self.detail:
+            detail = self._getfield(resp, "D")
+            expected = self.detail.encode("utf-8")
+            assert expected in detail
+
+
+def test_oauth_rejected_bearer(conn, oauth_ctx, bearer_token):
+    # Generate a new bearer token, which we will proceed not to use.
+    _ = bearer_token()
+
+    begin_oauth_handshake(conn, oauth_ctx)
+
+    # Send a bearer token that doesn't match what the validator expects. It
+    # should fail the connection.
+    send_initial_response(conn, bearer=b"xxxxxx")
+
+    expect_handshake_failure(conn, oauth_ctx)
+
+
+@pytest.mark.parametrize(
+    "bad_bearer",
+    [
+        b"Bearer    ",
+        b"Bearer a===b",
+        b"Bearer hello!",
+        b"Bearer me@example.com",
+        b'OAuth realm="Example"',
+        b"",
+    ],
+)
+def test_oauth_invalid_bearer(conn, oauth_ctx, bearer_token, bad_bearer):
+    # Tell the validator to accept any token. This ensures that the invalid
+    # bearer tokens are rejected before the validation step.
+    _ = bearer_token(accept_any=True)
+
+    begin_oauth_handshake(conn, oauth_ctx)
+    send_initial_response(conn, auth=bad_bearer)
+
+    expect_handshake_failure(conn, oauth_ctx)
+
+
+@pytest.mark.slow
+@pytest.mark.parametrize(
+    "resp_type,resp,err",
+    [
+        pytest.param(
+            None,
+            None,
+            None,
+            marks=pytest.mark.slow,
+            id="no response (expect timeout)",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            b"hello",
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "did not send a kvsep response",
+            ),
+            id="bad dummy response",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            b"\x01\x01",
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "did not send a kvsep response",
+            ),
+            id="multiple kvseps",
+        ),
+        pytest.param(
+            pq3.types.Query,
+            dict(query=b""),
+            ExpectedError(PROTOCOL_VIOLATION_ERRCODE, "expected SASL response"),
+            id="bad response message type",
+        ),
+    ],
+)
+def test_oauth_bad_response_to_error_challenge(conn, oauth_ctx, resp_type, resp, err):
+    begin_oauth_handshake(conn, oauth_ctx)
+
+    # Send an empty auth initial response, which will force an authn failure.
+    send_initial_response(conn, auth=b"")
+
+    # We expect a discovery "challenge" back from the server before the authn
+    # failure message.
+    pkt = pq3.recv1(conn)
+    assert pkt.type == pq3.types.AuthnRequest
+
+    req = pkt.payload
+    assert req.type == pq3.authn.SASLContinue
+
+    body = json.loads(req.body)
+    assert body["status"] == "invalid_token"
+
+    if resp_type is None:
+        # Do not send the dummy response. We should time out and not get a
+        # response from the server.
+        with pytest.raises(socket.timeout):
+            conn.read(1)
+
+        # Done with the test.
+        return
+
+    # Send the bad response.
+    pq3.send(conn, resp_type, resp)
+
+    # Make sure the server fails the connection correctly.
+    pkt = pq3.recv1(conn)
+    err.match(pkt)
+
+
+@pytest.mark.parametrize(
+    "type,payload,err",
+    [
+        pytest.param(
+            pq3.types.ErrorResponse,
+            dict(fields=[b""]),
+            ExpectedError(PROTOCOL_VIOLATION_ERRCODE, "expected SASL response"),
+            id="error response in initial message",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            b"x" * (MAX_SASL_MESSAGE_LENGTH + 1),
+            ExpectedError(
+                INVALID_AUTHORIZATION_ERRCODE, "bearer authentication failed"
+            ),
+            id="overlong initial response data",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"SCRAM-SHA-256")),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE, "invalid SASL authentication mechanism"
+            ),
+            id="bad SASL mechanism selection",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER", len=2, data=b"x")),
+            ExpectedError(PROTOCOL_VIOLATION_ERRCODE, "insufficient data"),
+            id="SASL data underflow",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER", len=0, data=b"x")),
+            ExpectedError(PROTOCOL_VIOLATION_ERRCODE, "invalid message format"),
+            id="SASL data overflow",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER", data=b"")),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "message is empty",
+            ),
+            id="empty",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(
+                dict(name=b"OAUTHBEARER", data=b"n,,\x01auth=\x01\x01\0")
+            ),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "length does not match input length",
+            ),
+            id="contains null byte",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER", data=b"\x01")),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "Unexpected channel-binding flag",  # XXX this is a bit strange
+            ),
+            id="initial error response",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(
+                dict(name=b"OAUTHBEARER", data=b"p=tls-server-end-point,,\x01")
+            ),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "server does not support channel binding",
+            ),
+            id="uses channel binding",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER", data=b"x,,\x01")),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "Unexpected channel-binding flag",
+            ),
+            id="invalid channel binding specifier",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER", data=b"y")),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "Comma expected",
+            ),
+            id="bad GS2 header: missing channel binding terminator",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER", data=b"y,a")),
+            ExpectedError(
+                FEATURE_NOT_SUPPORTED_ERRCODE,
+                "client uses authorization identity",
+            ),
+            id="bad GS2 header: authzid in use",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER", data=b"y,b,")),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "Unexpected attribute",
+            ),
+            id="bad GS2 header: extra attribute",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER", data=b"y,")),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "Unexpected attribute 0x00",  # XXX this is a bit strange
+            ),
+            id="bad GS2 header: missing authzid terminator",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER", data=b"y,,")),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "Key-value separator expected",
+            ),
+            id="missing initial kvsep",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER", data=b"y,,")),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "Key-value separator expected",
+            ),
+            id="missing initial kvsep",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(
+                dict(name=b"OAUTHBEARER", data=b"y,,\x01\x01")
+            ),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "does not contain an auth value",
+            ),
+            id="missing auth value: empty key-value list",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(
+                dict(name=b"OAUTHBEARER", data=b"y,,\x01host=example.com\x01\x01")
+            ),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "does not contain an auth value",
+            ),
+            id="missing auth value: other keys present",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(
+                dict(name=b"OAUTHBEARER", data=b"y,,\x01host=example.com")
+            ),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "unterminated key/value pair",
+            ),
+            id="missing value terminator",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER", data=b"y,,\x01")),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "did not contain a final terminator",
+            ),
+            id="missing list terminator: empty list",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(
+                dict(name=b"OAUTHBEARER", data=b"y,,\x01auth=Bearer 0\x01")
+            ),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "did not contain a final terminator",
+            ),
+            id="missing list terminator: with auth value",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(
+                dict(name=b"OAUTHBEARER", data=b"y,,\x01auth=Bearer 0\x01\x01blah")
+            ),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "additional data after the final terminator",
+            ),
+            id="additional key after terminator",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(
+                dict(name=b"OAUTHBEARER", data=b"y,,\x01key\x01\x01")
+            ),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "key without a value",
+            ),
+            id="key without value",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(
+                dict(
+                    name=b"OAUTHBEARER",
+                    data=b"y,,\x01auth=Bearer 0\x01auth=Bearer 1\x01\x01",
+                )
+            ),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "contains multiple auth values",
+            ),
+            id="multiple auth values",
+        ),
+    ],
+)
+def test_oauth_bad_initial_response(conn, oauth_ctx, type, payload, err):
+    begin_oauth_handshake(conn, oauth_ctx)
+
+    # The server expects a SASL response; give it something else instead.
+    if not isinstance(payload, dict):
+        payload = dict(payload_data=payload)
+    pq3.send(conn, type, **payload)
+
+    resp = pq3.recv1(conn)
+    err.match(resp)
+
+
+def test_oauth_empty_initial_response(conn, oauth_ctx, bearer_token):
+    begin_oauth_handshake(conn, oauth_ctx)
+
+    # Send an initial response without data.
+    initial = pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER"))
+    pq3.send(conn, pq3.types.PasswordMessage, initial)
+
+    # The server should respond with an empty challenge so we can send the data
+    # it wants.
+    pkt = pq3.recv1(conn)
+
+    assert pkt.type == pq3.types.AuthnRequest
+    assert pkt.payload.type == pq3.authn.SASLContinue
+    assert not pkt.payload.body
+
+    # Now send the initial data.
+    data = b"n,,\x01auth=Bearer " + bearer_token() + b"\x01\x01"
+    pq3.send(conn, pq3.types.PasswordMessage, data)
+
+    # Server should now complete the handshake.
+    expect_handshake_success(conn)
+
+
+@pytest.fixture()
+def set_validator():
+    """
+    A per-test fixture that allows a test to override the setting of
+    oauth_validator_command for the cluster. The setting will be reverted during
+    teardown.
+
+    Passing None will perform an ALTER SYSTEM RESET.
+    """
+    conn = psycopg2.connect("")
+    conn.autocommit = True
+
+    with contextlib.closing(conn):
+        c = conn.cursor()
+
+        # Save the previous value.
+        c.execute("SHOW oauth_validator_command;")
+        prev_cmd = c.fetchone()[0]
+
+        def setter(cmd):
+            c.execute("ALTER SYSTEM SET oauth_validator_command TO %s;", (cmd,))
+            c.execute("SELECT pg_reload_conf();")
+
+        yield setter
+
+        # Restore the previous value.
+        c.execute("ALTER SYSTEM SET oauth_validator_command TO %s;", (prev_cmd,))
+        c.execute("SELECT pg_reload_conf();")
+
+
+def test_oauth_no_validator(oauth_ctx, set_validator, connect, bearer_token):
+    # Clear out our validator command, then establish a new connection.
+    set_validator("")
+    conn = connect()
+
+    begin_oauth_handshake(conn, oauth_ctx)
+    send_initial_response(conn, bearer=bearer_token())
+
+    # The server should fail the connection.
+    expect_handshake_failure(conn, oauth_ctx)
+
+
+def test_oauth_validator_role(oauth_ctx, set_validator, connect):
+    # Switch the validator implementation. This validator will reflect the
+    # PGUSER as the authenticated identity.
+    path = pathlib.Path(__file__).parent / "validate_reflect.py"
+    path = str(path.absolute())
+
+    set_validator(f"{shlex.quote(path)} '%r' <&%f")
+    conn = connect()
+
+    # Log in. Note that the reflection validator ignores the bearer token.
+    begin_oauth_handshake(conn, oauth_ctx, user=oauth_ctx.user)
+    send_initial_response(conn, bearer=b"dontcare")
+    expect_handshake_success(conn)
+
+    # Check the user identity.
+    pq3.send(conn, pq3.types.Query, query=b"SELECT authn_id();")
+    resp = receive_until(conn, pq3.types.DataRow)
+
+    row = resp.payload
+    expected = oauth_ctx.user.encode("utf-8")
+    assert row.columns == [expected]
+
+
+def test_oauth_role_with_shell_unsafe_characters(oauth_ctx, set_validator, connect):
+    """
+    XXX This test pins undesirable behavior. We should be able to handle any
+    valid Postgres role name.
+    """
+    # Switch the validator implementation. This validator will reflect the
+    # PGUSER as the authenticated identity.
+    path = pathlib.Path(__file__).parent / "validate_reflect.py"
+    path = str(path.absolute())
+
+    set_validator(f"{shlex.quote(path)} '%r' <&%f")
+    conn = connect()
+
+    unsafe_username = "hello'there"
+    begin_oauth_handshake(conn, oauth_ctx, user=unsafe_username)
+
+    # The server should reject the handshake.
+    send_initial_response(conn, bearer=b"dontcare")
+    expect_handshake_failure(conn, oauth_ctx)
diff --git a/src/test/python/server/test_server.py b/src/test/python/server/test_server.py
new file mode 100644
index 0000000000..02126dba79
--- /dev/null
+++ b/src/test/python/server/test_server.py
@@ -0,0 +1,21 @@
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+
+import pq3
+
+
+def test_handshake(connect):
+    """Basic sanity check."""
+    conn = connect()
+
+    pq3.handshake(conn, user=pq3.pguser(), database=pq3.pgdatabase())
+
+    pq3.send(conn, pq3.types.Query, query=b"")
+
+    resp = pq3.recv1(conn)
+    assert resp.type == pq3.types.EmptyQueryResponse
+
+    resp = pq3.recv1(conn)
+    assert resp.type == pq3.types.ReadyForQuery
diff --git a/src/test/python/server/validate_bearer.py b/src/test/python/server/validate_bearer.py
new file mode 100755
index 0000000000..2cc73ff154
--- /dev/null
+++ b/src/test/python/server/validate_bearer.py
@@ -0,0 +1,101 @@
+#! /usr/bin/env python3
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+# DO NOT USE THIS OAUTH VALIDATOR IN PRODUCTION. It doesn't actually validate
+# anything, and it logs the bearer token data, which is sensitive.
+#
+# This executable is used as an oauth_validator_command in concert with
+# test_oauth.py. Memory is shared and communicated from that test module's
+# bearer_token() fixture.
+#
+# This script must run under the Postgres server environment; keep the
+# dependency list fairly standard.
+
+import base64
+import binascii
+import contextlib
+import struct
+import sys
+from multiprocessing import shared_memory
+
+MAX_UINT16 = 2 ** 16 - 1
+
+
+def remove_shm_from_resource_tracker():
+    """
+    Monkey-patch multiprocessing.resource_tracker so SharedMemory won't be
+    tracked. Pulled from this thread, where there are more details:
+
+        https://bugs.python.org/issue38119
+
+    TL;DR: all clients of shared memory segments automatically destroy them on
+    process exit, which makes shared memory segments much less useful. This
+    monkeypatch removes that behavior so that we can defer to the test to manage
+    the segment lifetime.
+
+    Ideally a future Python patch will pull in this fix and then the entire
+    function can go away.
+    """
+    from multiprocessing import resource_tracker
+
+    def fix_register(name, rtype):
+        if rtype == "shared_memory":
+            return
+        return resource_tracker._resource_tracker.register(self, name, rtype)
+
+    resource_tracker.register = fix_register
+
+    def fix_unregister(name, rtype):
+        if rtype == "shared_memory":
+            return
+        return resource_tracker._resource_tracker.unregister(self, name, rtype)
+
+    resource_tracker.unregister = fix_unregister
+
+    if "shared_memory" in resource_tracker._CLEANUP_FUNCS:
+        del resource_tracker._CLEANUP_FUNCS["shared_memory"]
+
+
+def main(args):
+    remove_shm_from_resource_tracker()  # XXX remove some day
+
+    # Get the expected token from the currently running test.
+    shared_mem_name = args[0]
+
+    mem = shared_memory.SharedMemory(shared_mem_name)
+    with contextlib.closing(mem):
+        # First two bytes are the token length.
+        size = struct.unpack("H", mem.buf[:2])[0]
+
+        if size == MAX_UINT16:
+            # Special case: the test wants us to accept any token.
+            sys.stderr.write("accepting token without validation\n")
+            return
+
+        # The remainder of the buffer contains the expected token.
+        assert size <= (mem.size - 2)
+        expected_token = mem.buf[2 : size + 2].tobytes()
+
+        mem.buf[:] = b"\0" * mem.size  # scribble over the token
+
+    token = sys.stdin.buffer.read()
+    if token != expected_token:
+        sys.exit(f"failed to match Bearer token ({token!r} != {expected_token!r})")
+
+    # See if the test wants us to print anything. If so, it will have encoded
+    # the desired output in the token with an "output=" prefix.
+    try:
+        # altchars="-_" corresponds to the urlsafe alphabet.
+        data = base64.b64decode(token, altchars="-_", validate=True)
+
+        if data.startswith(b"output="):
+            sys.stdout.buffer.write(data[7:])
+
+    except binascii.Error:
+        pass
+
+
+if __name__ == "__main__":
+    main(sys.argv[1:])
diff --git a/src/test/python/server/validate_reflect.py b/src/test/python/server/validate_reflect.py
new file mode 100755
index 0000000000..24c3a7e715
--- /dev/null
+++ b/src/test/python/server/validate_reflect.py
@@ -0,0 +1,34 @@
+#! /usr/bin/env python3
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+# DO NOT USE THIS OAUTH VALIDATOR IN PRODUCTION. It ignores the bearer token
+# entirely and automatically logs the user in.
+#
+# This executable is used as an oauth_validator_command in concert with
+# test_oauth.py. It expects the user's desired role name as an argument; the
+# actual token will be discarded and the user will be logged in with the role
+# name as the authenticated identity.
+#
+# This script must run under the Postgres server environment; keep the
+# dependency list fairly standard.
+
+import sys
+
+
+def main(args):
+    # We have to read the entire token as our first action to unblock the
+    # server, but we won't actually use it.
+    _ = sys.stdin.buffer.read()
+
+    if len(args) != 1:
+        sys.exit("usage: ./validate_reflect.py ROLE")
+
+    # Log the user in as the provided role.
+    role = args[0]
+    print(role)
+
+
+if __name__ == "__main__":
+    main(sys.argv[1:])
diff --git a/src/test/python/test_internals.py b/src/test/python/test_internals.py
new file mode 100644
index 0000000000..dee4855fc0
--- /dev/null
+++ b/src/test/python/test_internals.py
@@ -0,0 +1,138 @@
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+
+import io
+
+from pq3 import _DebugStream
+
+
+def test_DebugStream_read():
+    under = io.BytesIO(b"abcdefghijklmnopqrstuvwxyz")
+    out = io.StringIO()
+
+    stream = _DebugStream(under, out)
+
+    res = stream.read(5)
+    assert res == b"abcde"
+
+    res = stream.read(16)
+    assert res == b"fghijklmnopqrstu"
+
+    stream.flush_debug()
+
+    res = stream.read()
+    assert res == b"vwxyz"
+
+    stream.flush_debug()
+
+    expected = (
+        "< 0000:\t61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70\tabcdefghijklmnop\n"
+        "< 0010:\t71 72 73 74 75                                 \tqrstu\n"
+        "\n"
+        "< 0000:\t76 77 78 79 7a                                 \tvwxyz\n"
+        "\n"
+    )
+    assert out.getvalue() == expected
+
+
+def test_DebugStream_write():
+    under = io.BytesIO()
+    out = io.StringIO()
+
+    stream = _DebugStream(under, out)
+
+    stream.write(b"\x00\x01\x02")
+    stream.flush()
+
+    assert under.getvalue() == b"\x00\x01\x02"
+
+    stream.write(b"\xc0\xc1\xc2")
+    stream.flush()
+
+    assert under.getvalue() == b"\x00\x01\x02\xc0\xc1\xc2"
+
+    stream.flush_debug()
+
+    expected = "> 0000:\t00 01 02 c0 c1 c2                              \t......\n\n"
+    assert out.getvalue() == expected
+
+
+def test_DebugStream_read_write():
+    under = io.BytesIO(b"abcdefghijklmnopqrstuvwxyz")
+    out = io.StringIO()
+    stream = _DebugStream(under, out)
+
+    res = stream.read(5)
+    assert res == b"abcde"
+
+    stream.write(b"xxxxx")
+    stream.flush()
+
+    assert under.getvalue() == b"abcdexxxxxklmnopqrstuvwxyz"
+
+    res = stream.read(5)
+    assert res == b"klmno"
+
+    stream.write(b"xxxxx")
+    stream.flush()
+
+    assert under.getvalue() == b"abcdexxxxxklmnoxxxxxuvwxyz"
+
+    stream.flush_debug()
+
+    expected = (
+        "< 0000:\t61 62 63 64 65 6b 6c 6d 6e 6f                  \tabcdeklmno\n"
+        "\n"
+        "> 0000:\t78 78 78 78 78 78 78 78 78 78                  \txxxxxxxxxx\n"
+        "\n"
+    )
+    assert out.getvalue() == expected
+
+
+def test_DebugStream_end_packet():
+    under = io.BytesIO(b"abcdefghijklmnopqrstuvwxyz")
+    out = io.StringIO()
+    stream = _DebugStream(under, out)
+
+    stream.read(5)
+    stream.end_packet("read description", read=True, indent=" ")
+
+    stream.write(b"xxxxx")
+    stream.flush()
+    stream.end_packet("write description", indent=" ")
+
+    stream.read(5)
+    stream.write(b"xxxxx")
+    stream.flush()
+    stream.end_packet("read/write combo for read", read=True, indent=" ")
+
+    stream.read(5)
+    stream.write(b"xxxxx")
+    stream.flush()
+    stream.end_packet("read/write combo for write", indent=" ")
+
+    expected = (
+        " < 0000:\t61 62 63 64 65                                 \tabcde\n"
+        "\n"
+        "< read description\n"
+        "\n"
+        "> write description\n"
+        "\n"
+        " > 0000:\t78 78 78 78 78                                 \txxxxx\n"
+        "\n"
+        " < 0000:\t6b 6c 6d 6e 6f                                 \tklmno\n"
+        "\n"
+        " > 0000:\t78 78 78 78 78                                 \txxxxx\n"
+        "\n"
+        "< read/write combo for read\n"
+        "\n"
+        "> read/write combo for write\n"
+        "\n"
+        " < 0000:\t75 76 77 78 79                                 \tuvwxy\n"
+        "\n"
+        " > 0000:\t78 78 78 78 78                                 \txxxxx\n"
+        "\n"
+    )
+    assert out.getvalue() == expected
diff --git a/src/test/python/test_pq3.py b/src/test/python/test_pq3.py
new file mode 100644
index 0000000000..e0c0e0568d
--- /dev/null
+++ b/src/test/python/test_pq3.py
@@ -0,0 +1,558 @@
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+
+import contextlib
+import getpass
+import io
+import struct
+import sys
+
+import pytest
+from construct import Container, PaddingError, StreamError, TerminatedError
+
+import pq3
+
+
+@pytest.mark.parametrize(
+    "raw,expected,extra",
+    [
+        pytest.param(
+            b"\x00\x00\x00\x10\x00\x04\x00\x00abcdefgh",
+            Container(len=16, proto=0x40000, payload=b"abcdefgh"),
+            b"",
+            id="8-byte payload",
+        ),
+        pytest.param(
+            b"\x00\x00\x00\x08\x00\x04\x00\x00",
+            Container(len=8, proto=0x40000, payload=b""),
+            b"",
+            id="no payload",
+        ),
+        pytest.param(
+            b"\x00\x00\x00\x09\x00\x04\x00\x00abcde",
+            Container(len=9, proto=0x40000, payload=b"a"),
+            b"bcde",
+            id="1-byte payload and extra padding",
+        ),
+        pytest.param(
+            b"\x00\x00\x00\x0B\x00\x03\x00\x00hi\x00",
+            Container(len=11, proto=pq3.protocol(3, 0), payload=[b"hi"]),
+            b"",
+            id="implied parameter list when using proto version 3.0",
+        ),
+    ],
+)
+def test_Startup_parse(raw, expected, extra):
+    with io.BytesIO(raw) as stream:
+        actual = pq3.Startup.parse_stream(stream)
+
+        assert actual == expected
+        assert stream.read() == extra
+
+
+@pytest.mark.parametrize(
+    "packet,expected_bytes",
+    [
+        pytest.param(
+            dict(),
+            b"\x00\x00\x00\x08\x00\x00\x00\x00",
+            id="nothing set",
+        ),
+        pytest.param(
+            dict(len=10, proto=0x12345678),
+            b"\x00\x00\x00\x0A\x12\x34\x56\x78\x00\x00",
+            id="len and proto set explicitly",
+        ),
+        pytest.param(
+            dict(proto=0x12345678),
+            b"\x00\x00\x00\x08\x12\x34\x56\x78",
+            id="implied len with no payload",
+        ),
+        pytest.param(
+            dict(proto=0x12345678, payload=b"abcd"),
+            b"\x00\x00\x00\x0C\x12\x34\x56\x78abcd",
+            id="implied len with payload",
+        ),
+        pytest.param(
+            dict(payload=[b""]),
+            b"\x00\x00\x00\x09\x00\x03\x00\x00\x00",
+            id="implied proto version 3 when sending parameters",
+        ),
+        pytest.param(
+            dict(payload=[b"hi", b""]),
+            b"\x00\x00\x00\x0C\x00\x03\x00\x00hi\x00\x00",
+            id="implied proto version 3 and len when sending more than one parameter",
+        ),
+        pytest.param(
+            dict(payload=dict(user="jsmith", database="postgres")),
+            b"\x00\x00\x00\x27\x00\x03\x00\x00user\x00jsmith\x00database\x00postgres\x00\x00",
+            id="auto-serialization of dict parameters",
+        ),
+    ],
+)
+def test_Startup_build(packet, expected_bytes):
+    actual = pq3.Startup.build(packet)
+    assert actual == expected_bytes
+
+
+@pytest.mark.parametrize(
+    "raw,expected,extra",
+    [
+        pytest.param(
+            b"*\x00\x00\x00\x08abcd",
+            dict(type=b"*", len=8, payload=b"abcd"),
+            b"",
+            id="4-byte payload",
+        ),
+        pytest.param(
+            b"*\x00\x00\x00\x04",
+            dict(type=b"*", len=4, payload=b""),
+            b"",
+            id="no payload",
+        ),
+        pytest.param(
+            b"*\x00\x00\x00\x05xabcd",
+            dict(type=b"*", len=5, payload=b"x"),
+            b"abcd",
+            id="1-byte payload with extra padding",
+        ),
+        pytest.param(
+            b"R\x00\x00\x00\x08\x00\x00\x00\x00",
+            dict(
+                type=pq3.types.AuthnRequest,
+                len=8,
+                payload=dict(type=pq3.authn.OK, body=None),
+            ),
+            b"",
+            id="AuthenticationOk",
+        ),
+        pytest.param(
+            b"R\x00\x00\x00\x12\x00\x00\x00\x0AEXTERNAL\x00\x00",
+            dict(
+                type=pq3.types.AuthnRequest,
+                len=18,
+                payload=dict(type=pq3.authn.SASL, body=[b"EXTERNAL", b""]),
+            ),
+            b"",
+            id="AuthenticationSASL",
+        ),
+        pytest.param(
+            b"R\x00\x00\x00\x0D\x00\x00\x00\x0B12345",
+            dict(
+                type=pq3.types.AuthnRequest,
+                len=13,
+                payload=dict(type=pq3.authn.SASLContinue, body=b"12345"),
+            ),
+            b"",
+            id="AuthenticationSASLContinue",
+        ),
+        pytest.param(
+            b"R\x00\x00\x00\x0D\x00\x00\x00\x0C12345",
+            dict(
+                type=pq3.types.AuthnRequest,
+                len=13,
+                payload=dict(type=pq3.authn.SASLFinal, body=b"12345"),
+            ),
+            b"",
+            id="AuthenticationSASLFinal",
+        ),
+        pytest.param(
+            b"p\x00\x00\x00\x0Bhunter2",
+            dict(
+                type=pq3.types.PasswordMessage,
+                len=11,
+                payload=b"hunter2",
+            ),
+            b"",
+            id="PasswordMessage",
+        ),
+        pytest.param(
+            b"K\x00\x00\x00\x0C\x00\x00\x00\x00\x12\x34\x56\x78",
+            dict(
+                type=pq3.types.BackendKeyData,
+                len=12,
+                payload=dict(pid=0, key=0x12345678),
+            ),
+            b"",
+            id="BackendKeyData",
+        ),
+        pytest.param(
+            b"C\x00\x00\x00\x08SET\x00",
+            dict(
+                type=pq3.types.CommandComplete,
+                len=8,
+                payload=dict(tag=b"SET"),
+            ),
+            b"",
+            id="CommandComplete",
+        ),
+        pytest.param(
+            b"E\x00\x00\x00\x11Mbad!\x00Mdog!\x00\x00",
+            dict(type=b"E", len=17, payload=dict(fields=[b"Mbad!", b"Mdog!", b""])),
+            b"",
+            id="ErrorResponse",
+        ),
+        pytest.param(
+            b"S\x00\x00\x00\x08a\x00b\x00",
+            dict(
+                type=pq3.types.ParameterStatus,
+                len=8,
+                payload=dict(name=b"a", value=b"b"),
+            ),
+            b"",
+            id="ParameterStatus",
+        ),
+        pytest.param(
+            b"Z\x00\x00\x00\x05x",
+            dict(type=b"Z", len=5, payload=dict(status=b"x")),
+            b"",
+            id="ReadyForQuery",
+        ),
+        pytest.param(
+            b"Q\x00\x00\x00\x06!\x00",
+            dict(type=pq3.types.Query, len=6, payload=dict(query=b"!")),
+            b"",
+            id="Query",
+        ),
+        pytest.param(
+            b"D\x00\x00\x00\x0B\x00\x01\x00\x00\x00\x01!",
+            dict(type=pq3.types.DataRow, len=11, payload=dict(columns=[b"!"])),
+            b"",
+            id="DataRow",
+        ),
+        pytest.param(
+            b"D\x00\x00\x00\x06\x00\x00extra",
+            dict(type=pq3.types.DataRow, len=6, payload=dict(columns=[])),
+            b"extra",
+            id="DataRow with extra data",
+        ),
+        pytest.param(
+            b"I\x00\x00\x00\x04",
+            dict(type=pq3.types.EmptyQueryResponse, len=4, payload=None),
+            b"",
+            id="EmptyQueryResponse",
+        ),
+        pytest.param(
+            b"I\x00\x00\x00\x04\xFF",
+            dict(type=b"I", len=4, payload=None),
+            b"\xFF",
+            id="EmptyQueryResponse with extra bytes",
+        ),
+        pytest.param(
+            b"X\x00\x00\x00\x04",
+            dict(type=pq3.types.Terminate, len=4, payload=None),
+            b"",
+            id="Terminate",
+        ),
+    ],
+)
+def test_Pq3_parse(raw, expected, extra):
+    with io.BytesIO(raw) as stream:
+        actual = pq3.Pq3.parse_stream(stream)
+
+        assert actual == expected
+        assert stream.read() == extra
+
+
+@pytest.mark.parametrize(
+    "fields,expected",
+    [
+        pytest.param(
+            dict(type=b"*", len=5),
+            b"*\x00\x00\x00\x05\x00",
+            id="type and len set explicitly",
+        ),
+        pytest.param(
+            dict(type=b"*"),
+            b"*\x00\x00\x00\x04",
+            id="implied len with no payload",
+        ),
+        pytest.param(
+            dict(type=b"*", payload=b"1234"),
+            b"*\x00\x00\x00\x081234",
+            id="implied len with payload",
+        ),
+        pytest.param(
+            dict(type=pq3.types.AuthnRequest, payload=dict(type=pq3.authn.OK)),
+            b"R\x00\x00\x00\x08\x00\x00\x00\x00",
+            id="implied len/type for AuthenticationOK",
+        ),
+        pytest.param(
+            dict(
+                type=pq3.types.AuthnRequest,
+                payload=dict(
+                    type=pq3.authn.SASL,
+                    body=[b"SCRAM-SHA-256-PLUS", b"SCRAM-SHA-256", b""],
+                ),
+            ),
+            b"R\x00\x00\x00\x2A\x00\x00\x00\x0ASCRAM-SHA-256-PLUS\x00SCRAM-SHA-256\x00\x00",
+            id="implied len/type for AuthenticationSASL",
+        ),
+        pytest.param(
+            dict(
+                type=pq3.types.AuthnRequest,
+                payload=dict(type=pq3.authn.SASLContinue, body=b"12345"),
+            ),
+            b"R\x00\x00\x00\x0D\x00\x00\x00\x0B12345",
+            id="implied len/type for AuthenticationSASLContinue",
+        ),
+        pytest.param(
+            dict(
+                type=pq3.types.AuthnRequest,
+                payload=dict(type=pq3.authn.SASLFinal, body=b"12345"),
+            ),
+            b"R\x00\x00\x00\x0D\x00\x00\x00\x0C12345",
+            id="implied len/type for AuthenticationSASLFinal",
+        ),
+        pytest.param(
+            dict(
+                type=pq3.types.PasswordMessage,
+                payload=b"hunter2",
+            ),
+            b"p\x00\x00\x00\x0Bhunter2",
+            id="implied len/type for PasswordMessage",
+        ),
+        pytest.param(
+            dict(type=pq3.types.BackendKeyData, payload=dict(pid=1, key=7)),
+            b"K\x00\x00\x00\x0C\x00\x00\x00\x01\x00\x00\x00\x07",
+            id="implied len/type for BackendKeyData",
+        ),
+        pytest.param(
+            dict(type=pq3.types.CommandComplete, payload=dict(tag=b"SET")),
+            b"C\x00\x00\x00\x08SET\x00",
+            id="implied len/type for CommandComplete",
+        ),
+        pytest.param(
+            dict(type=pq3.types.ErrorResponse, payload=dict(fields=[b"error", b""])),
+            b"E\x00\x00\x00\x0Berror\x00\x00",
+            id="implied len/type for ErrorResponse",
+        ),
+        pytest.param(
+            dict(type=pq3.types.ParameterStatus, payload=dict(name=b"a", value=b"b")),
+            b"S\x00\x00\x00\x08a\x00b\x00",
+            id="implied len/type for ParameterStatus",
+        ),
+        pytest.param(
+            dict(type=pq3.types.ReadyForQuery, payload=dict(status=b"I")),
+            b"Z\x00\x00\x00\x05I",
+            id="implied len/type for ReadyForQuery",
+        ),
+        pytest.param(
+            dict(type=pq3.types.Query, payload=dict(query=b"SELECT 1;")),
+            b"Q\x00\x00\x00\x0eSELECT 1;\x00",
+            id="implied len/type for Query",
+        ),
+        pytest.param(
+            dict(type=pq3.types.DataRow, payload=dict(columns=[b"abcd"])),
+            b"D\x00\x00\x00\x0E\x00\x01\x00\x00\x00\x04abcd",
+            id="implied len/type for DataRow",
+        ),
+        pytest.param(
+            dict(type=pq3.types.EmptyQueryResponse),
+            b"I\x00\x00\x00\x04",
+            id="implied len for EmptyQueryResponse",
+        ),
+        pytest.param(
+            dict(type=pq3.types.Terminate),
+            b"X\x00\x00\x00\x04",
+            id="implied len for Terminate",
+        ),
+    ],
+)
+def test_Pq3_build(fields, expected):
+    actual = pq3.Pq3.build(fields)
+    assert actual == expected
+
+
+@pytest.mark.parametrize(
+    "raw,expected,extra",
+    [
+        pytest.param(
+            b"\x00\x00",
+            dict(columns=[]),
+            b"",
+            id="no columns",
+        ),
+        pytest.param(
+            b"\x00\x01\x00\x00\x00\x04abcd",
+            dict(columns=[b"abcd"]),
+            b"",
+            id="one column",
+        ),
+        pytest.param(
+            b"\x00\x02\x00\x00\x00\x04abcd\x00\x00\x00\x01x",
+            dict(columns=[b"abcd", b"x"]),
+            b"",
+            id="multiple columns",
+        ),
+        pytest.param(
+            b"\x00\x02\x00\x00\x00\x00\x00\x00\x00\x01x",
+            dict(columns=[b"", b"x"]),
+            b"",
+            id="empty column value",
+        ),
+        pytest.param(
+            b"\x00\x02\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF",
+            dict(columns=[None, None]),
+            b"",
+            id="null columns",
+        ),
+    ],
+)
+def test_DataRow_parse(raw, expected, extra):
+    pkt = b"D" + struct.pack("!i", len(raw) + 4) + raw
+    with io.BytesIO(pkt) as stream:
+        actual = pq3.Pq3.parse_stream(stream)
+
+        assert actual.type == pq3.types.DataRow
+        assert actual.payload == expected
+        assert stream.read() == extra
+
+
+@pytest.mark.parametrize(
+    "fields,expected",
+    [
+        pytest.param(
+            dict(),
+            b"\x00\x00",
+            id="no columns",
+        ),
+        pytest.param(
+            dict(columns=[None, None]),
+            b"\x00\x02\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF",
+            id="null columns",
+        ),
+    ],
+)
+def test_DataRow_build(fields, expected):
+    actual = pq3.Pq3.build(dict(type=pq3.types.DataRow, payload=fields))
+
+    expected = b"D" + struct.pack("!i", len(expected) + 4) + expected
+    assert actual == expected
+
+
+@pytest.mark.parametrize(
+    "raw,expected,exception",
+    [
+        pytest.param(
+            b"EXTERNAL\x00\xFF\xFF\xFF\xFF",
+            dict(name=b"EXTERNAL", len=-1, data=None),
+            None,
+            id="no initial response",
+        ),
+        pytest.param(
+            b"EXTERNAL\x00\x00\x00\x00\x02me",
+            dict(name=b"EXTERNAL", len=2, data=b"me"),
+            None,
+            id="initial response",
+        ),
+        pytest.param(
+            b"EXTERNAL\x00\x00\x00\x00\x02meextra",
+            None,
+            TerminatedError,
+            id="extra data",
+        ),
+        pytest.param(
+            b"EXTERNAL\x00\x00\x00\x00\xFFme",
+            None,
+            StreamError,
+            id="underflow",
+        ),
+    ],
+)
+def test_SASLInitialResponse_parse(raw, expected, exception):
+    ctx = contextlib.nullcontext()
+    if exception:
+        ctx = pytest.raises(exception)
+
+    with ctx:
+        actual = pq3.SASLInitialResponse.parse(raw)
+        assert actual == expected
+
+
+@pytest.mark.parametrize(
+    "fields,expected",
+    [
+        pytest.param(
+            dict(name=b"EXTERNAL"),
+            b"EXTERNAL\x00\xFF\xFF\xFF\xFF",
+            id="no initial response",
+        ),
+        pytest.param(
+            dict(name=b"EXTERNAL", data=None),
+            b"EXTERNAL\x00\xFF\xFF\xFF\xFF",
+            id="no initial response (explicit None)",
+        ),
+        pytest.param(
+            dict(name=b"EXTERNAL", data=b""),
+            b"EXTERNAL\x00\x00\x00\x00\x00",
+            id="empty response",
+        ),
+        pytest.param(
+            dict(name=b"EXTERNAL", data=b"me@example.com"),
+            b"EXTERNAL\x00\x00\x00\x00\x0Eme@example.com",
+            id="initial response",
+        ),
+        pytest.param(
+            dict(name=b"EXTERNAL", len=2, data=b"me@example.com"),
+            b"EXTERNAL\x00\x00\x00\x00\x02me@example.com",
+            id="data overflow",
+        ),
+        pytest.param(
+            dict(name=b"EXTERNAL", len=14, data=b"me"),
+            b"EXTERNAL\x00\x00\x00\x00\x0Eme",
+            id="data underflow",
+        ),
+    ],
+)
+def test_SASLInitialResponse_build(fields, expected):
+    actual = pq3.SASLInitialResponse.build(fields)
+    assert actual == expected
+
+
+@pytest.mark.parametrize(
+    "version,expected_bytes",
+    [
+        pytest.param((3, 0), b"\x00\x03\x00\x00", id="version 3"),
+        pytest.param((1234, 5679), b"\x04\xd2\x16\x2f", id="SSLRequest"),
+    ],
+)
+def test_protocol(version, expected_bytes):
+    # Make sure the integer returned by protocol is correctly serialized on the
+    # wire.
+    assert struct.pack("!i", pq3.protocol(*version)) == expected_bytes
+
+
+@pytest.mark.parametrize(
+    "envvar,func,expected",
+    [
+        ("PGHOST", pq3.pghost, "localhost"),
+        ("PGPORT", pq3.pgport, 5432),
+        ("PGUSER", pq3.pguser, getpass.getuser()),
+        ("PGDATABASE", pq3.pgdatabase, "postgres"),
+    ],
+)
+def test_env_defaults(monkeypatch, envvar, func, expected):
+    monkeypatch.delenv(envvar, raising=False)
+
+    actual = func()
+    assert actual == expected
+
+
+@pytest.mark.parametrize(
+    "envvars,func,expected",
+    [
+        (dict(PGHOST="otherhost"), pq3.pghost, "otherhost"),
+        (dict(PGPORT="6789"), pq3.pgport, 6789),
+        (dict(PGUSER="postgres"), pq3.pguser, "postgres"),
+        (dict(PGDATABASE="template1"), pq3.pgdatabase, "template1"),
+    ],
+)
+def test_env(monkeypatch, envvars, func, expected):
+    for k, v in envvars.items():
+        monkeypatch.setenv(k, v)
+
+    actual = func()
+    assert actual == expected
diff --git a/src/test/python/tls.py b/src/test/python/tls.py
new file mode 100644
index 0000000000..075c02c1ca
--- /dev/null
+++ b/src/test/python/tls.py
@@ -0,0 +1,195 @@
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+
+from construct import *
+
+#
+# TLS 1.3
+#
+# Most of the types below are transcribed from RFC 8446:
+#
+#     https://tools.ietf.org/html/rfc8446
+#
+
+
+def _Vector(size_field, element):
+    return Prefixed(size_field, GreedyRange(element))
+
+
+# Alerts
+
+AlertLevel = Enum(
+    Byte,
+    warning=1,
+    fatal=2,
+)
+
+AlertDescription = Enum(
+    Byte,
+    close_notify=0,
+    unexpected_message=10,
+    bad_record_mac=20,
+    decryption_failed_RESERVED=21,
+    record_overflow=22,
+    decompression_failure=30,
+    handshake_failure=40,
+    no_certificate_RESERVED=41,
+    bad_certificate=42,
+    unsupported_certificate=43,
+    certificate_revoked=44,
+    certificate_expired=45,
+    certificate_unknown=46,
+    illegal_parameter=47,
+    unknown_ca=48,
+    access_denied=49,
+    decode_error=50,
+    decrypt_error=51,
+    export_restriction_RESERVED=60,
+    protocol_version=70,
+    insufficient_security=71,
+    internal_error=80,
+    user_canceled=90,
+    no_renegotiation=100,
+    unsupported_extension=110,
+)
+
+Alert = Struct(
+    "level" / AlertLevel,
+    "description" / AlertDescription,
+)
+
+
+# Extensions
+
+ExtensionType = Enum(
+    Int16ub,
+    server_name=0,
+    max_fragment_length=1,
+    status_request=5,
+    supported_groups=10,
+    signature_algorithms=13,
+    use_srtp=14,
+    heartbeat=15,
+    application_layer_protocol_negotiation=16,
+    signed_certificate_timestamp=18,
+    client_certificate_type=19,
+    server_certificate_type=20,
+    padding=21,
+    pre_shared_key=41,
+    early_data=42,
+    supported_versions=43,
+    cookie=44,
+    psk_key_exchange_modes=45,
+    certificate_authorities=47,
+    oid_filters=48,
+    post_handshake_auth=49,
+    signature_algorithms_cert=50,
+    key_share=51,
+)
+
+Extension = Struct(
+    "extension_type" / ExtensionType,
+    "extension_data" / Prefixed(Int16ub, GreedyBytes),
+)
+
+
+# ClientHello
+
+
+class _CipherSuiteAdapter(Adapter):
+    class _hextuple(tuple):
+        def __repr__(self):
+            return f"(0x{self[0]:02X}, 0x{self[1]:02X})"
+
+    def _encode(self, obj, context, path):
+        return bytes(obj)
+
+    def _decode(self, obj, context, path):
+        assert len(obj) == 2
+        return self._hextuple(obj)
+
+
+ProtocolVersion = Hex(Int16ub)
+
+Random = Hex(Bytes(32))
+
+CipherSuite = _CipherSuiteAdapter(Byte[2])
+
+ClientHello = Struct(
+    "legacy_version" / ProtocolVersion,
+    "random" / Random,
+    "legacy_session_id" / Prefixed(Byte, Hex(GreedyBytes)),
+    "cipher_suites" / _Vector(Int16ub, CipherSuite),
+    "legacy_compression_methods" / Prefixed(Byte, GreedyBytes),
+    "extensions" / _Vector(Int16ub, Extension),
+)
+
+# ServerHello
+
+ServerHello = Struct(
+    "legacy_version" / ProtocolVersion,
+    "random" / Random,
+    "legacy_session_id_echo" / Prefixed(Byte, Hex(GreedyBytes)),
+    "cipher_suite" / CipherSuite,
+    "legacy_compression_method" / Hex(Byte),
+    "extensions" / _Vector(Int16ub, Extension),
+)
+
+# Handshake
+
+HandshakeType = Enum(
+    Byte,
+    client_hello=1,
+    server_hello=2,
+    new_session_ticket=4,
+    end_of_early_data=5,
+    encrypted_extensions=8,
+    certificate=11,
+    certificate_request=13,
+    certificate_verify=15,
+    finished=20,
+    key_update=24,
+    message_hash=254,
+)
+
+Handshake = Struct(
+    "msg_type" / HandshakeType,
+    "length" / Int24ub,
+    "payload"
+    / Switch(
+        this.msg_type,
+        {
+            HandshakeType.client_hello: ClientHello,
+            HandshakeType.server_hello: ServerHello,
+            # HandshakeType.end_of_early_data: EndOfEarlyData,
+            # HandshakeType.encrypted_extensions: EncryptedExtensions,
+            # HandshakeType.certificate_request: CertificateRequest,
+            # HandshakeType.certificate: Certificate,
+            # HandshakeType.certificate_verify: CertificateVerify,
+            # HandshakeType.finished: Finished,
+            # HandshakeType.new_session_ticket: NewSessionTicket,
+            # HandshakeType.key_update: KeyUpdate,
+        },
+        default=FixedSized(this.length, GreedyBytes),
+    ),
+)
+
+# Records
+
+ContentType = Enum(
+    Byte,
+    invalid=0,
+    change_cipher_spec=20,
+    alert=21,
+    handshake=22,
+    application_data=23,
+)
+
+Plaintext = Struct(
+    "type" / ContentType,
+    "legacy_record_version" / ProtocolVersion,
+    "length" / Int16ub,
+    "fragment" / FixedSized(this.length, GreedyBytes),
+)
-- 
2.25.1

From 206060ed1b31fcec48fb6ee05d61b135ec98cecf Mon Sep 17 00:00:00 2001
From: Samay Sharma <smilingsamay@gmail.com>
Date: Tue, 15 Feb 2022 22:23:29 -0800
Subject: [PATCH v3 1/9] Add support for custom authentication methods

Currently, PostgreSQL supports only a set of pre-defined authentication
methods. This patch adds support for 2 hooks which allow users to add
their custom authentication methods by defining a check function and an
error function. Users can then use these methods by using a new "custom"
keyword in pg_hba.conf and specifying the authentication provider they
want to use.
---
 src/backend/libpq/auth.c | 89 ++++++++++++++++++++++++++++++----------
 src/backend/libpq/hba.c  | 44 ++++++++++++++++++++
 src/include/libpq/auth.h | 27 ++++++++++++
 src/include/libpq/hba.h  |  4 ++
 4 files changed, 143 insertions(+), 21 deletions(-)

diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index efc53f3135..3533b0bc50 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -47,8 +47,6 @@
  *----------------------------------------------------------------
  */
 static void auth_failed(Port *port, int status, const char *logdetail);
-static char *recv_password_packet(Port *port);
-static void set_authn_id(Port *port, const char *id);
 
 
 /*----------------------------------------------------------------
@@ -206,23 +204,6 @@ static int	pg_SSPI_make_upn(char *accountname,
 static int	CheckRADIUSAuth(Port *port);
 static int	PerformRadiusTransaction(const char *server, const char *secret, const char *portstr, const char *identifier, const char *user_name, const char *passwd);
 
-
-/*
- * Maximum accepted size of GSS and SSPI authentication tokens.
- * We also use this as a limit on ordinary password packet lengths.
- *
- * Kerberos tickets are usually quite small, but the TGTs issued by Windows
- * domain controllers include an authorization field known as the Privilege
- * Attribute Certificate (PAC), which contains the user's Windows permissions
- * (group memberships etc.). The PAC is copied into all tickets obtained on
- * the basis of this TGT (even those issued by Unix realms which the Windows
- * realm trusts), and can be several kB in size. The maximum token size
- * accepted by Windows systems is determined by the MaxAuthToken Windows
- * registry setting. Microsoft recommends that it is not set higher than
- * 65535 bytes, so that seems like a reasonable limit for us as well.
- */
-#define PG_MAX_AUTH_TOKEN_LENGTH	65535
-
 /*----------------------------------------------------------------
  * Global authentication functions
  *----------------------------------------------------------------
@@ -235,6 +216,16 @@ static int	PerformRadiusTransaction(const char *server, const char *secret, cons
  */
 ClientAuthentication_hook_type ClientAuthentication_hook = NULL;
 
+/*
+ * These hooks allow plugins to get control of the client authentication check
+ * and error reporting logic. This allows users to write extensions to
+ * implement authentication using any protocol of their choice. To acquire these
+ * hooks, plugins need to call the RegisterAuthProvider() function.
+ */
+static CustomAuthenticationCheck_hook_type CustomAuthenticationCheck_hook = NULL;
+static CustomAuthenticationError_hook_type CustomAuthenticationError_hook = NULL;
+char *custom_provider_name = NULL;
+
 /*
  * Tell the user the authentication failed, but not (much about) why.
  *
@@ -311,6 +302,12 @@ auth_failed(Port *port, int status, const char *logdetail)
 		case uaRADIUS:
 			errstr = gettext_noop("RADIUS authentication failed for user \"%s\"");
 			break;
+		case uaCustom:
+			if (CustomAuthenticationError_hook)
+				errstr = CustomAuthenticationError_hook(port);
+			else
+				errstr = gettext_noop("Custom authentication failed for user \"%s\"");
+			break;
 		default:
 			errstr = gettext_noop("authentication failed for user \"%s\": invalid authentication method");
 			break;
@@ -345,7 +342,7 @@ auth_failed(Port *port, int status, const char *logdetail)
  * lifetime of the Port, so it is safe to pass a string that is managed by an
  * external library.
  */
-static void
+void
 set_authn_id(Port *port, const char *id)
 {
 	Assert(id);
@@ -630,6 +627,10 @@ ClientAuthentication(Port *port)
 		case uaTrust:
 			status = STATUS_OK;
 			break;
+		case uaCustom:
+			if (CustomAuthenticationCheck_hook)
+				status = CustomAuthenticationCheck_hook(port);
+			break;
 	}
 
 	if ((status == STATUS_OK && port->hba->clientcert == clientCertFull)
@@ -689,7 +690,7 @@ sendAuthRequest(Port *port, AuthRequest areq, const char *extradata, int extrale
  *
  * Returns NULL if couldn't get password, else palloc'd string.
  */
-static char *
+char *
 recv_password_packet(Port *port)
 {
 	StringInfoData buf;
@@ -3343,3 +3344,49 @@ PerformRadiusTransaction(const char *server, const char *secret, const char *por
 		}
 	}							/* while (true) */
 }
+
+/*----------------------------------------------------------------
+ * Custom authentication
+ *----------------------------------------------------------------
+ */
+
+/*
+ * RegisterAuthProvider registers a custom authentication provider to be
+ * used for authentication. Currently, we allow only one authentication
+ * provider to be registered for use at a time.
+ *
+ * This function should be called in _PG_init() by any extension looking to
+ * add a custom authentication method.
+ */
+void RegisterAuthProvider(const char *provider_name,
+		CustomAuthenticationCheck_hook_type AuthenticationCheckFunction,
+		CustomAuthenticationError_hook_type AuthenticationErrorFunction)
+{
+	if (provider_name == NULL)
+	{
+		ereport(ERROR,
+				(errmsg("cannot register authentication provider without name")));
+	}
+
+	if (AuthenticationCheckFunction == NULL)
+	{
+		ereport(ERROR,
+				(errmsg("cannot register authentication provider without a check function")));
+	}
+
+	if (custom_provider_name)
+	{
+		ereport(ERROR,
+				(errmsg("cannot register authentication provider %s", provider_name),
+				 errdetail("Only one authentication provider allowed.  Provider %s is already registered.",
+							custom_provider_name)));
+	}
+
+	/*
+	 * Allocate in top memory context as we need to read this whenever
+	 * we parse pg_hba.conf
+	 */
+	custom_provider_name = MemoryContextStrdup(TopMemoryContext,provider_name);
+	CustomAuthenticationCheck_hook = AuthenticationCheckFunction;
+	CustomAuthenticationError_hook = AuthenticationErrorFunction;
+}
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index d84a40b726..ebae992964 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -134,6 +134,7 @@ static const char *const UserAuthName[] =
 	"ldap",
 	"cert",
 	"radius",
+	"custom",
 	"peer"
 };
 
@@ -1399,6 +1400,8 @@ parse_hba_line(TokenizedLine *tok_line, int elevel)
 #endif
 	else if (strcmp(token->string, "radius") == 0)
 		parsedline->auth_method = uaRADIUS;
+	else if (strcmp(token->string, "custom") == 0)
+		parsedline->auth_method = uaCustom;
 	else
 	{
 		ereport(elevel,
@@ -1691,6 +1694,14 @@ parse_hba_line(TokenizedLine *tok_line, int elevel)
 		parsedline->clientcert = clientCertFull;
 	}
 
+	/*
+	 * Ensure that the provider name is specified for custom authentication method.
+	 */
+	if (parsedline->auth_method == uaCustom)
+	{
+		MANDATORY_AUTH_ARG(parsedline->custom_provider, "provider", "custom");
+	}
+
 	return parsedline;
 }
 
@@ -2102,6 +2113,32 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
 		hbaline->radiusidentifiers = parsed_identifiers;
 		hbaline->radiusidentifiers_s = pstrdup(val);
 	}
+	else if (strcmp(name, "provider") == 0)
+	{
+		REQUIRE_AUTH_OPTION(uaCustom, "provider", "custom");
+
+		/*
+		 * Verify that the provider mentioned is same as the one loaded
+		 * via shared_preload_libraries.
+		 */
+
+		if (custom_provider_name == NULL || strcmp(val,custom_provider_name) != 0)
+		{
+			ereport(elevel,
+					(errcode(ERRCODE_CONFIG_FILE_ERROR),
+					 errmsg("cannot use authentication provider %s",val),
+					 errhint("Load authentication provider via shared_preload_libraries."),
+					 errcontext("line %d of configuration file \"%s\"",
+							line_num, HbaFileName)));
+			*err_msg = psprintf("cannot use authentication provider %s", val);
+
+			return false;
+		}
+		else
+		{
+			hbaline->custom_provider = pstrdup(val);
+		}
+	}
 	else
 	{
 		ereport(elevel,
@@ -2442,6 +2479,13 @@ gethba_options(HbaLine *hba)
 				CStringGetTextDatum(psprintf("radiusports=%s", hba->radiusports_s));
 	}
 
+	if (hba->auth_method == uaCustom)
+	{
+		if (hba->custom_provider)
+			options[noptions++] =
+				CStringGetTextDatum(psprintf("provider=%s",hba->custom_provider));
+	}
+
 	/* If you add more options, consider increasing MAX_HBA_OPTIONS. */
 	Assert(noptions <= MAX_HBA_OPTIONS);
 
diff --git a/src/include/libpq/auth.h b/src/include/libpq/auth.h
index 6d7ee1acb9..1d10cccc1b 100644
--- a/src/include/libpq/auth.h
+++ b/src/include/libpq/auth.h
@@ -23,9 +23,36 @@ extern char *pg_krb_realm;
 extern void ClientAuthentication(Port *port);
 extern void sendAuthRequest(Port *port, AuthRequest areq, const char *extradata,
 							int extralen);
+extern void set_authn_id(Port *port, const char *id);
+extern char *recv_password_packet(Port *port);
 
 /* Hook for plugins to get control in ClientAuthentication() */
+typedef int (*CustomAuthenticationCheck_hook_type) (Port *);
 typedef void (*ClientAuthentication_hook_type) (Port *, int);
 extern PGDLLIMPORT ClientAuthentication_hook_type ClientAuthentication_hook;
 
+/* Hook for plugins to report error messages in auth_failed() */
+typedef const char * (*CustomAuthenticationError_hook_type) (Port *);
+
+extern void RegisterAuthProvider
+		(const char *provider_name,
+		 CustomAuthenticationCheck_hook_type CustomAuthenticationCheck_hook,
+		 CustomAuthenticationError_hook_type CustomAuthenticationError_hook);
+
+/*
+ * Maximum accepted size of GSS and SSPI authentication tokens.
+ * We also use this as a limit on ordinary password packet lengths.
+ *
+ * Kerberos tickets are usually quite small, but the TGTs issued by Windows
+ * domain controllers include an authorization field known as the Privilege
+ * Attribute Certificate (PAC), which contains the user's Windows permissions
+ * (group memberships etc.). The PAC is copied into all tickets obtained on
+ * the basis of this TGT (even those issued by Unix realms which the Windows
+ * realm trusts), and can be several kB in size. The maximum token size
+ * accepted by Windows systems is determined by the MaxAuthToken Windows
+ * registry setting. Microsoft recommends that it is not set higher than
+ * 65535 bytes, so that seems like a reasonable limit for us as well.
+ */
+#define PG_MAX_AUTH_TOKEN_LENGTH	65535
+
 #endif							/* AUTH_H */
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index 8d9f3821b1..c5aef6994c 100644
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -38,6 +38,7 @@ typedef enum UserAuth
 	uaLDAP,
 	uaCert,
 	uaRADIUS,
+	uaCustom,
 	uaPeer
 #define USER_AUTH_LAST uaPeer	/* Must be last value of this enum */
 } UserAuth;
@@ -120,6 +121,7 @@ typedef struct HbaLine
 	char	   *radiusidentifiers_s;
 	List	   *radiusports;
 	char	   *radiusports_s;
+	char	   *custom_provider;
 } HbaLine;
 
 typedef struct IdentLine
@@ -144,4 +146,6 @@ extern int	check_usermap(const char *usermap_name,
 						  bool case_sensitive);
 extern bool pg_isblank(const char c);
 
+extern char *custom_provider_name;
+
 #endif							/* HBA_H */
-- 
2.25.1

From 93b108334fa9fcc2d5f68d75fc320cd2714eb9da Mon Sep 17 00:00:00 2001
From: Samay Sharma <smilingsamay@gmail.com>
Date: Tue, 15 Feb 2022 22:28:40 -0800
Subject: [PATCH v3 2/9] Add sample extension to test custom auth provider
 hooks

This change adds a new extension to src/test/modules to
test the custom authentication provider hooks. In this
extension, we use an array to define which users to
authenticate and what passwords to use.
---
 src/test/modules/test_auth_provider/Makefile  | 16 ++++
 .../test_auth_provider/test_auth_provider.c   | 90 +++++++++++++++++++
 2 files changed, 106 insertions(+)
 create mode 100644 src/test/modules/test_auth_provider/Makefile
 create mode 100644 src/test/modules/test_auth_provider/test_auth_provider.c

diff --git a/src/test/modules/test_auth_provider/Makefile b/src/test/modules/test_auth_provider/Makefile
new file mode 100644
index 0000000000..17971a5c7a
--- /dev/null
+++ b/src/test/modules/test_auth_provider/Makefile
@@ -0,0 +1,16 @@
+# src/test/modules/test_auth_provider/Makefile
+
+MODULE_big = test_auth_provider
+OBJS = test_auth_provider.o
+PGFILEDESC = "test_auth_provider - provider to test auth hooks"
+
+ifdef USE_PGXS
+PG_CONFIG = pg_config
+PGXS := $(shell $(PG_CONFIG) --pgxs)
+include $(PGXS)
+else
+subdir = src/test/modules/test_auth_provider
+top_builddir = ../../../..
+include $(top_builddir)/src/Makefile.global
+include $(top_srcdir)/contrib/contrib-global.mk
+endif
diff --git a/src/test/modules/test_auth_provider/test_auth_provider.c b/src/test/modules/test_auth_provider/test_auth_provider.c
new file mode 100644
index 0000000000..477ef8b2c3
--- /dev/null
+++ b/src/test/modules/test_auth_provider/test_auth_provider.c
@@ -0,0 +1,90 @@
+/* -------------------------------------------------------------------------
+ *
+ * test_auth_provider.c
+ *			example authentication provider plugin		
+ *
+ * Copyright (c) 2022, PostgreSQL Global Development Group
+ *
+ * IDENTIFICATION
+ *		contrib/test_auth_provider/test_auth_provider.c
+ *
+ * -------------------------------------------------------------------------
+ */
+
+#include "postgres.h"
+#include "fmgr.h"
+#include "libpq/auth.h"
+#include "libpq/libpq.h"
+
+PG_MODULE_MAGIC;
+
+void _PG_init(void);
+
+static char *get_password_for_user(char *user_name);
+
+/*
+ * List of usernames / passwords to approve. Here we are not
+ * getting passwords from Postgres but from this list. In a more real-life
+ * extension, you can fetch valid credentials and authentication tokens /
+ * passwords from an external authentication provider.
+ */
+char credentials[3][3][50] = {
+	{"bob","alice","carol"},
+	{"bob123","alice123","carol123"}
+};
+
+static int TestAuthenticationCheck(Port *port)
+{
+	char *passwd;
+	int result = STATUS_ERROR;
+	char *real_pass;
+
+	sendAuthRequest(port, AUTH_REQ_PASSWORD, NULL, 0);
+
+	passwd = recv_password_packet(port);
+	if (passwd == NULL)
+		return STATUS_EOF;
+		
+	real_pass = get_password_for_user(port->user_name);
+	if (real_pass)
+	{
+		if(strcmp(passwd, real_pass) == 0)
+		{
+			result = STATUS_OK;
+		}
+		pfree(real_pass);
+	}
+
+	pfree(passwd);
+
+	return result;
+}
+
+static char *
+get_password_for_user(char *user_name)
+{
+	char *password = NULL;
+	int i;
+	for (i=0; i<3; i++)
+	{
+		if (strcmp(user_name, credentials[0][i]) == 0)
+		{
+			password = pstrdup(credentials[1][i]);
+		}
+	}
+
+	return password;
+}
+
+static const char *TestAuthenticationError(Port *port)
+{
+	char *error_message = (char *)palloc (100);
+	sprintf(error_message, "Test authentication failed for user %s", port->user_name);
+	return error_message;
+}
+
+void
+_PG_init(void)
+{
+	RegisterAuthProvider("test", TestAuthenticationCheck, TestAuthenticationError);
+}
-- 
2.25.1

From 3aa2535fa42b142beabdcef234d1939738f36b9a Mon Sep 17 00:00:00 2001
From: Samay Sharma <smilingsamay@gmail.com>
Date: Wed, 16 Feb 2022 12:28:36 -0800
Subject: [PATCH v3 3/9] Add tests for test_auth_provider extension

Add tap tests for test_auth_provider extension allow make check in
src/test/modules to run them.
---
 src/test/modules/Makefile                     |   1 +
 src/test/modules/test_auth_provider/Makefile  |   2 +
 .../test_auth_provider/t/001_custom_auth.pl   | 125 ++++++++++++++++++
 3 files changed, 128 insertions(+)
 create mode 100644 src/test/modules/test_auth_provider/t/001_custom_auth.pl

diff --git a/src/test/modules/Makefile b/src/test/modules/Makefile
index dffc79b2d9..f56533ea13 100644
--- a/src/test/modules/Makefile
+++ b/src/test/modules/Makefile
@@ -14,6 +14,7 @@ SUBDIRS = \
 		  plsample \
 		  snapshot_too_old \
 		  spgist_name_ops \
+		  test_auth_provider \
 		  test_bloomfilter \
 		  test_ddl_deparse \
 		  test_extensions \
diff --git a/src/test/modules/test_auth_provider/Makefile b/src/test/modules/test_auth_provider/Makefile
index 17971a5c7a..7d601cf7d5 100644
--- a/src/test/modules/test_auth_provider/Makefile
+++ b/src/test/modules/test_auth_provider/Makefile
@@ -4,6 +4,8 @@ MODULE_big = test_auth_provider
 OBJS = test_auth_provider.o
 PGFILEDESC = "test_auth_provider - provider to test auth hooks"
 
+TAP_TESTS = 1
+
 ifdef USE_PGXS
 PG_CONFIG = pg_config
 PGXS := $(shell $(PG_CONFIG) --pgxs)
diff --git a/src/test/modules/test_auth_provider/t/001_custom_auth.pl b/src/test/modules/test_auth_provider/t/001_custom_auth.pl
new file mode 100644
index 0000000000..3b7472dc7f
--- /dev/null
+++ b/src/test/modules/test_auth_provider/t/001_custom_auth.pl
@@ -0,0 +1,125 @@
+
+# Copyright (c) 2021-2022, PostgreSQL Global Development Group
+
+# Set of tests for testing custom authentication hooks.
+
+use strict;
+use warnings;
+use PostgreSQL::Test::Cluster;
+use PostgreSQL::Test::Utils;
+use Test::More;
+
+# Delete pg_hba.conf from the given node, add a new entry to it
+# and then execute a reload to refresh it.
+sub reset_pg_hba
+{
+	my $node       = shift;
+	my $hba_method = shift;
+
+	unlink($node->data_dir . '/pg_hba.conf');
+	# just for testing purposes, use a continuation line
+	$node->append_conf('pg_hba.conf', "local all all\\\n $hba_method");
+	$node->reload;
+	return;
+}
+
+# Test if you get expected results in pg_hba_file_rules error column after
+# changing pg_hba.conf and reloading it.
+sub test_hba_reload
+{
+	my ($node, $method, $expected_res) = @_;
+	my $status_string = 'failed';
+	$status_string = 'success' if ($expected_res eq 0);
+	my $testname = "pg_hba.conf reload $status_string for method $method";
+
+	reset_pg_hba($node, $method);
+
+	my ($cmdret, $stdout, $stderr) = $node->psql("postgres",
+		"select count(*) from pg_hba_file_rules where error is not null",extra_params => ['-U','bob']);
+
+	is($stdout, $expected_res, $testname);
+}
+
+# Test access for a single role, useful to wrap all tests into one.  Extra
+# named parameters are passed to connect_ok/fails as-is.
+sub test_role
+{
+	local $Test::Builder::Level = $Test::Builder::Level + 1;
+
+	my ($node, $role, $method, $expected_res, %params) = @_;
+	my $status_string = 'failed';
+	$status_string = 'success' if ($expected_res eq 0);
+
+	my $connstr = "user=$role";
+	my $testname =
+	  "authentication $status_string for method $method, role $role";
+
+	if ($expected_res eq 0)
+	{
+		$node->connect_ok($connstr, $testname, %params);
+	}
+	else
+	{
+		# No checks of the error message, only the status code.
+		$node->connect_fails($connstr, $testname, %params);
+	}
+}
+
+# Initialize server node
+my $node = PostgreSQL::Test::Cluster->new('server');
+$node->init;
+$node->append_conf('postgresql.conf', "log_connections = on\n");
+$node->append_conf('postgresql.conf', "shared_preload_libraries = 'test_auth_provider.so'\n");
+$node->start;
+
+$node->safe_psql('postgres', "CREATE ROLE bob SUPERUSER LOGIN;");
+$node->safe_psql('postgres', "CREATE ROLE alice LOGIN;");
+$node->safe_psql('postgres', "CREATE ROLE test LOGIN;");
+
+# Add custom auth method to pg_hba.conf
+reset_pg_hba($node, 'custom provider=test');
+
+# Test that users are able to login with correct passwords.
+$ENV{"PGPASSWORD"} = 'bob123';
+test_role($node, 'bob', 'custom', 0, log_like => [qr/connection authorized: user=bob/]);
+$ENV{"PGPASSWORD"} = 'alice123';
+test_role($node, 'alice', 'custom', 0, log_like => [qr/connection authorized: user=alice/]);
+
+# Test that bad passwords are rejected.
+$ENV{"PGPASSWORD"} = 'badpassword';
+test_role($node, 'bob', 'custom', 2, log_unlike => [qr/connection authorized:/]);
+test_role($node, 'alice', 'custom', 2, log_unlike => [qr/connection authorized:/]);
+
+# Test that users not in authentication list are rejected.
+test_role($node, 'test', 'custom', 2, log_unlike => [qr/connection authorized:/]);
+
+$ENV{"PGPASSWORD"} = 'bob123';
+
+# Tests for invalid auth options
+
+# Test that an incorrect provider name is not accepted.
+test_hba_reload($node, 'custom provider=wrong', 1);
+
+# Test that specifying provider option with different auth method is not allowed.
+test_hba_reload($node, 'trust provider=test', 1);
+
+# Test that provider name is a mandatory option for custom auth.
+test_hba_reload($node, 'custom', 1);
+
+# Test that correct provider name allows reload to succeed.
+test_hba_reload($node, 'custom provider=test', 0);
+
+# Custom auth modules require mentioning extension in shared_preload_libraries.
+
+# Remove extension from shared_preload_libraries and try to restart.
+$node->adjust_conf('postgresql.conf', 'shared_preload_libraries', "''");
+command_fails(['pg_ctl', '-w', '-D', $node->data_dir, '-l', $node->logfile, 'restart'],'restart with empty shared_preload_libraries failed');
+
+# Fix shared_preload_libraries and confirm that you can now restart.
+$node->adjust_conf('postgresql.conf', 'shared_preload_libraries', "'test_auth_provider.so'");
+command_ok(['pg_ctl', '-w', '-D', $node->data_dir, '-l', $node->logfile,'start'],'restart with correct shared_preload_libraries succeeded');
+
+# Test that we can connect again
+test_role($node, 'bob', 'custom', 0, log_like => [qr/connection authorized: user=bob/]);
+
+done_testing();
-- 
2.25.1

From 13bee49d8c674e921804b4e6edc363dcf33211ce Mon Sep 17 00:00:00 2001
From: Jacob Champion <pchampion@vmware.com>
Date: Mon, 3 May 2021 15:38:26 -0700
Subject: [PATCH v3 4/9] common/jsonapi: support FRONTEND clients

Based on a patch by Michael Paquier.

For frontend code, use PQExpBuffer instead of StringInfo. This requires
us to track allocation failures so that we can return JSON_OUT_OF_MEMORY
as needed. json_errdetail() now allocates its error message inside
memory owned by the JsonLexContext, so clients don't need to worry about
freeing it.

For convenience, the backend now has destroyJsonLexContext() to mirror
other create/destroy APIs. The frontend has init/term versions of the
API to handle stack-allocated JsonLexContexts.

We can now partially revert b44669b2ca, now that json_errdetail() works
correctly.
---
 src/backend/utils/adt/jsonfuncs.c             |   4 +-
 src/bin/pg_verifybackup/parse_manifest.c      |  13 +-
 src/bin/pg_verifybackup/t/005_bad_manifest.pl |   2 +-
 src/common/Makefile                           |   2 +-
 src/common/jsonapi.c                          | 290 +++++++++++++-----
 src/include/common/jsonapi.h                  |  47 ++-
 6 files changed, 270 insertions(+), 88 deletions(-)

diff --git a/src/backend/utils/adt/jsonfuncs.c b/src/backend/utils/adt/jsonfuncs.c
index 2457061f97..f58233cda9 100644
--- a/src/backend/utils/adt/jsonfuncs.c
+++ b/src/backend/utils/adt/jsonfuncs.c
@@ -723,9 +723,7 @@ json_object_keys(PG_FUNCTION_ARGS)
 		pg_parse_json_or_ereport(lex, sem);
 		/* keys are now in state->result */
 
-		pfree(lex->strval->data);
-		pfree(lex->strval);
-		pfree(lex);
+		destroyJsonLexContext(lex);
 		pfree(sem);
 
 		MemoryContextSwitchTo(oldcontext);
diff --git a/src/bin/pg_verifybackup/parse_manifest.c b/src/bin/pg_verifybackup/parse_manifest.c
index 6364b01282..4b38fd3963 100644
--- a/src/bin/pg_verifybackup/parse_manifest.c
+++ b/src/bin/pg_verifybackup/parse_manifest.c
@@ -119,7 +119,7 @@ void
 json_parse_manifest(JsonManifestParseContext *context, char *buffer,
 					size_t size)
 {
-	JsonLexContext *lex;
+	JsonLexContext lex = {0};
 	JsonParseErrorType json_error;
 	JsonSemAction sem;
 	JsonManifestParseState parse;
@@ -129,8 +129,8 @@ json_parse_manifest(JsonManifestParseContext *context, char *buffer,
 	parse.state = JM_EXPECT_TOPLEVEL_START;
 	parse.saw_version_field = false;
 
-	/* Create a JSON lexing context. */
-	lex = makeJsonLexContextCstringLen(buffer, size, PG_UTF8, true);
+	/* Initialize a JSON lexing context. */
+	initJsonLexContextCstringLen(&lex, buffer, size, PG_UTF8, true);
 
 	/* Set up semantic actions. */
 	sem.semstate = &parse;
@@ -145,14 +145,17 @@ json_parse_manifest(JsonManifestParseContext *context, char *buffer,
 	sem.scalar = json_manifest_scalar;
 
 	/* Run the actual JSON parser. */
-	json_error = pg_parse_json(lex, &sem);
+	json_error = pg_parse_json(&lex, &sem);
 	if (json_error != JSON_SUCCESS)
-		json_manifest_parse_failure(context, "parsing failed");
+		json_manifest_parse_failure(context, json_errdetail(json_error, &lex));
 	if (parse.state != JM_EXPECT_EOF)
 		json_manifest_parse_failure(context, "manifest ended unexpectedly");
 
 	/* Verify the manifest checksum. */
 	verify_manifest_checksum(&parse, buffer, size);
+
+	/* Clean up. */
+	termJsonLexContext(&lex);
 }
 
 /*
diff --git a/src/bin/pg_verifybackup/t/005_bad_manifest.pl b/src/bin/pg_verifybackup/t/005_bad_manifest.pl
index 118beb53d7..f2692972fe 100644
--- a/src/bin/pg_verifybackup/t/005_bad_manifest.pl
+++ b/src/bin/pg_verifybackup/t/005_bad_manifest.pl
@@ -16,7 +16,7 @@ my $tempdir = PostgreSQL::Test::Utils::tempdir;
 
 test_bad_manifest(
 	'input string ended unexpectedly',
-	qr/could not parse backup manifest: parsing failed/,
+	qr/could not parse backup manifest: The input string ended unexpectedly/,
 	<<EOM);
 {
 EOM
diff --git a/src/common/Makefile b/src/common/Makefile
index 31c0dd366d..8e8b27546e 100644
--- a/src/common/Makefile
+++ b/src/common/Makefile
@@ -40,7 +40,7 @@ override CPPFLAGS += -DVAL_LDFLAGS_EX="\"$(LDFLAGS_EX)\""
 override CPPFLAGS += -DVAL_LDFLAGS_SL="\"$(LDFLAGS_SL)\""
 override CPPFLAGS += -DVAL_LIBS="\"$(LIBS)\""
 
-override CPPFLAGS := -DFRONTEND -I. -I$(top_srcdir)/src/common $(CPPFLAGS)
+override CPPFLAGS := -DFRONTEND -I. -I$(top_srcdir)/src/common -I$(libpq_srcdir) $(CPPFLAGS)
 LIBS += $(PTHREAD_LIBS)
 
 # If you add objects here, see also src/tools/msvc/Mkvcbuild.pm
diff --git a/src/common/jsonapi.c b/src/common/jsonapi.c
index 6666077a93..7fc5eaf460 100644
--- a/src/common/jsonapi.c
+++ b/src/common/jsonapi.c
@@ -20,10 +20,39 @@
 #include "common/jsonapi.h"
 #include "mb/pg_wchar.h"
 
-#ifndef FRONTEND
+#ifdef FRONTEND
+#include "pqexpbuffer.h"
+#else
+#include "lib/stringinfo.h"
 #include "miscadmin.h"
 #endif
 
+/*
+ * In backend, we will use palloc/pfree along with StringInfo.  In frontend, use
+ * malloc and PQExpBuffer, and return JSON_OUT_OF_MEMORY on out-of-memory.
+ */
+#ifdef FRONTEND
+
+#define STRDUP(s) strdup(s)
+#define ALLOC(size) malloc(size)
+
+#define appendStrVal		appendPQExpBuffer
+#define appendStrValChar	appendPQExpBufferChar
+#define createStrVal		createPQExpBuffer
+#define resetStrVal			resetPQExpBuffer
+
+#else /* !FRONTEND */
+
+#define STRDUP(s) pstrdup(s)
+#define ALLOC(size) palloc(size)
+
+#define appendStrVal		appendStringInfo
+#define appendStrValChar	appendStringInfoChar
+#define createStrVal		makeStringInfo
+#define resetStrVal			resetStringInfo
+
+#endif
+
 /*
  * The context of the parser is maintained by the recursive descent
  * mechanism, but is passed explicitly to the error reporting routine
@@ -132,10 +161,12 @@ IsValidJsonNumber(const char *str, int len)
 	return (!numeric_error) && (total_len == dummy_lex.input_length);
 }
 
+#ifndef FRONTEND
+
 /*
  * makeJsonLexContextCstringLen
  *
- * lex constructor, with or without StringInfo object for de-escaped lexemes.
+ * lex constructor, with or without a string object for de-escaped lexemes.
  *
  * Without is better as it makes the processing faster, so only make one
  * if really required.
@@ -145,13 +176,66 @@ makeJsonLexContextCstringLen(char *json, int len, int encoding, bool need_escape
 {
 	JsonLexContext *lex = palloc0(sizeof(JsonLexContext));
 
+	initJsonLexContextCstringLen(lex, json, len, encoding, need_escapes);
+
+	return lex;
+}
+
+void
+destroyJsonLexContext(JsonLexContext *lex)
+{
+	termJsonLexContext(lex);
+	pfree(lex);
+}
+
+#endif /* !FRONTEND */
+
+void
+initJsonLexContextCstringLen(JsonLexContext *lex, char *json, int len, int encoding, bool need_escapes)
+{
 	lex->input = lex->token_terminator = lex->line_start = json;
 	lex->line_number = 1;
 	lex->input_length = len;
 	lex->input_encoding = encoding;
-	if (need_escapes)
-		lex->strval = makeStringInfo();
-	return lex;
+	lex->parse_strval = need_escapes;
+	if (lex->parse_strval)
+	{
+		/*
+		 * This call can fail in FRONTEND code. We defer error handling to time
+		 * of use (json_lex_string()) since there's no way to signal failure
+		 * here, and we might not need to parse any strings anyway.
+		 */
+		lex->strval = createStrVal();
+	}
+	lex->errormsg = NULL;
+}
+
+void
+termJsonLexContext(JsonLexContext *lex)
+{
+	static const JsonLexContext empty = {0};
+
+	if (lex->strval)
+	{
+#ifdef FRONTEND
+		destroyPQExpBuffer(lex->strval);
+#else
+		pfree(lex->strval->data);
+		pfree(lex->strval);
+#endif
+	}
+
+	if (lex->errormsg)
+	{
+#ifdef FRONTEND
+		destroyPQExpBuffer(lex->errormsg);
+#else
+		pfree(lex->errormsg->data);
+		pfree(lex->errormsg);
+#endif
+	}
+
+	*lex = empty;
 }
 
 /*
@@ -217,7 +301,7 @@ json_count_array_elements(JsonLexContext *lex, int *elements)
 	 * etc, so doing this with a copy makes that safe.
 	 */
 	memcpy(&copylex, lex, sizeof(JsonLexContext));
-	copylex.strval = NULL;		/* not interested in values here */
+	copylex.parse_strval = false;		/* not interested in values here */
 	copylex.lex_level++;
 
 	count = 0;
@@ -279,14 +363,21 @@ parse_scalar(JsonLexContext *lex, JsonSemAction *sem)
 	/* extract the de-escaped string value, or the raw lexeme */
 	if (lex_peek(lex) == JSON_TOKEN_STRING)
 	{
-		if (lex->strval != NULL)
-			val = pstrdup(lex->strval->data);
+		if (lex->parse_strval)
+		{
+			val = STRDUP(lex->strval->data);
+			if (val == NULL)
+				return JSON_OUT_OF_MEMORY;
+		}
 	}
 	else
 	{
 		int			len = (lex->token_terminator - lex->token_start);
 
-		val = palloc(len + 1);
+		val = ALLOC(len + 1);
+		if (val == NULL)
+			return JSON_OUT_OF_MEMORY;
+
 		memcpy(val, lex->token_start, len);
 		val[len] = '\0';
 	}
@@ -320,8 +411,12 @@ parse_object_field(JsonLexContext *lex, JsonSemAction *sem)
 
 	if (lex_peek(lex) != JSON_TOKEN_STRING)
 		return report_parse_error(JSON_PARSE_STRING, lex);
-	if ((ostart != NULL || oend != NULL) && lex->strval != NULL)
-		fname = pstrdup(lex->strval->data);
+	if ((ostart != NULL || oend != NULL) && lex->parse_strval)
+	{
+		fname = STRDUP(lex->strval->data);
+		if (fname == NULL)
+			return JSON_OUT_OF_MEMORY;
+	}
 	result = json_lex(lex);
 	if (result != JSON_SUCCESS)
 		return result;
@@ -368,6 +463,10 @@ parse_object(JsonLexContext *lex, JsonSemAction *sem)
 	JsonParseErrorType result;
 
 #ifndef FRONTEND
+	/*
+	 * TODO: clients need some way to put a bound on stack growth. Parse level
+	 * limits maybe?
+	 */
 	check_stack_depth();
 #endif
 
@@ -676,8 +775,15 @@ json_lex_string(JsonLexContext *lex)
 	int			len;
 	int			hi_surrogate = -1;
 
-	if (lex->strval != NULL)
-		resetStringInfo(lex->strval);
+	if (lex->parse_strval)
+	{
+#ifdef FRONTEND
+		/* make sure initialization succeeded */
+		if (lex->strval == NULL)
+			return JSON_OUT_OF_MEMORY;
+#endif
+		resetStrVal(lex->strval);
+	}
 
 	Assert(lex->input_length > 0);
 	s = lex->token_start;
@@ -737,7 +843,7 @@ json_lex_string(JsonLexContext *lex)
 						return JSON_UNICODE_ESCAPE_FORMAT;
 					}
 				}
-				if (lex->strval != NULL)
+				if (lex->parse_strval)
 				{
 					/*
 					 * Combine surrogate pairs.
@@ -797,19 +903,19 @@ json_lex_string(JsonLexContext *lex)
 
 						unicode_to_utf8(ch, (unsigned char *) utf8str);
 						utf8len = pg_utf_mblen((unsigned char *) utf8str);
-						appendBinaryStringInfo(lex->strval, utf8str, utf8len);
+						appendBinaryPQExpBuffer(lex->strval, utf8str, utf8len);
 					}
 					else if (ch <= 0x007f)
 					{
 						/* The ASCII range is the same in all encodings */
-						appendStringInfoChar(lex->strval, (char) ch);
+						appendPQExpBufferChar(lex->strval, (char) ch);
 					}
 					else
 						return JSON_UNICODE_HIGH_ESCAPE;
 #endif							/* FRONTEND */
 				}
 			}
-			else if (lex->strval != NULL)
+			else if (lex->parse_strval)
 			{
 				if (hi_surrogate != -1)
 					return JSON_UNICODE_LOW_SURROGATE;
@@ -819,22 +925,22 @@ json_lex_string(JsonLexContext *lex)
 					case '"':
 					case '\\':
 					case '/':
-						appendStringInfoChar(lex->strval, *s);
+						appendStrValChar(lex->strval, *s);
 						break;
 					case 'b':
-						appendStringInfoChar(lex->strval, '\b');
+						appendStrValChar(lex->strval, '\b');
 						break;
 					case 'f':
-						appendStringInfoChar(lex->strval, '\f');
+						appendStrValChar(lex->strval, '\f');
 						break;
 					case 'n':
-						appendStringInfoChar(lex->strval, '\n');
+						appendStrValChar(lex->strval, '\n');
 						break;
 					case 'r':
-						appendStringInfoChar(lex->strval, '\r');
+						appendStrValChar(lex->strval, '\r');
 						break;
 					case 't':
-						appendStringInfoChar(lex->strval, '\t');
+						appendStrValChar(lex->strval, '\t');
 						break;
 					default:
 						/* Not a valid string escape, so signal error. */
@@ -858,12 +964,12 @@ json_lex_string(JsonLexContext *lex)
 			}
 
 		}
-		else if (lex->strval != NULL)
+		else if (lex->parse_strval)
 		{
 			if (hi_surrogate != -1)
 				return JSON_UNICODE_LOW_SURROGATE;
 
-			appendStringInfoChar(lex->strval, *s);
+			appendStrValChar(lex->strval, *s);
 		}
 
 	}
@@ -871,6 +977,11 @@ json_lex_string(JsonLexContext *lex)
 	if (hi_surrogate != -1)
 		return JSON_UNICODE_LOW_SURROGATE;
 
+#ifdef FRONTEND
+	if (lex->parse_strval && PQExpBufferBroken(lex->strval))
+		return JSON_OUT_OF_MEMORY;
+#endif
+
 	/* Hooray, we found the end of the string! */
 	lex->prev_token_terminator = lex->token_terminator;
 	lex->token_terminator = s + 1;
@@ -1043,72 +1154,93 @@ report_parse_error(JsonParseContext ctx, JsonLexContext *lex)
 	return JSON_SUCCESS;		/* silence stupider compilers */
 }
 
-
-#ifndef FRONTEND
-/*
- * Extract the current token from a lexing context, for error reporting.
- */
-static char *
-extract_token(JsonLexContext *lex)
-{
-	int			toklen = lex->token_terminator - lex->token_start;
-	char	   *token = palloc(toklen + 1);
-
-	memcpy(token, lex->token_start, toklen);
-	token[toklen] = '\0';
-	return token;
-}
-
 /*
  * Construct a detail message for a JSON error.
  *
- * Note that the error message generated by this routine may not be
- * palloc'd, making it unsafe for frontend code as there is no way to
- * know if this can be safery pfree'd or not.
+ * The returned allocation is either static or owned by the JsonLexContext and
+ * should not be freed.
  */
 char *
 json_errdetail(JsonParseErrorType error, JsonLexContext *lex)
 {
+	int		toklen = lex->token_terminator - lex->token_start;
+
+	if (error == JSON_OUT_OF_MEMORY)
+	{
+		/* Short circuit. Allocating anything for this case is unhelpful. */
+		return _("out of memory");
+	}
+
+	if (lex->errormsg)
+		resetStrVal(lex->errormsg);
+	else
+		lex->errormsg = createStrVal();
+
 	switch (error)
 	{
 		case JSON_SUCCESS:
 			/* fall through to the error code after switch */
 			break;
 		case JSON_ESCAPING_INVALID:
-			return psprintf(_("Escape sequence \"\\%s\" is invalid."),
-							extract_token(lex));
+			appendStrVal(lex->errormsg,
+						 _("Escape sequence \"\\%.*s\" is invalid."),
+						 toklen, lex->token_start);
+			break;
 		case JSON_ESCAPING_REQUIRED:
-			return psprintf(_("Character with value 0x%02x must be escaped."),
-							(unsigned char) *(lex->token_terminator));
+			appendStrVal(lex->errormsg,
+						 _("Character with value 0x%02x must be escaped."),
+						 (unsigned char) *(lex->token_terminator));
+			break;
 		case JSON_EXPECTED_END:
-			return psprintf(_("Expected end of input, but found \"%s\"."),
-							extract_token(lex));
+			appendStrVal(lex->errormsg,
+						 _("Expected end of input, but found \"%.*s\"."),
+						 toklen, lex->token_start);
+			break;
 		case JSON_EXPECTED_ARRAY_FIRST:
-			return psprintf(_("Expected array element or \"]\", but found \"%s\"."),
-							extract_token(lex));
+			appendStrVal(lex->errormsg,
+						 _("Expected array element or \"]\", but found \"%.*s\"."),
+						 toklen, lex->token_start);
+			break;
 		case JSON_EXPECTED_ARRAY_NEXT:
-			return psprintf(_("Expected \",\" or \"]\", but found \"%s\"."),
-							extract_token(lex));
+			appendStrVal(lex->errormsg,
+						 _("Expected \",\" or \"]\", but found \"%.*s\"."),
+						 toklen, lex->token_start);
+			break;
 		case JSON_EXPECTED_COLON:
-			return psprintf(_("Expected \":\", but found \"%s\"."),
-							extract_token(lex));
+			appendStrVal(lex->errormsg,
+						 _("Expected \":\", but found \"%.*s\"."),
+						 toklen, lex->token_start);
+			break;
 		case JSON_EXPECTED_JSON:
-			return psprintf(_("Expected JSON value, but found \"%s\"."),
-							extract_token(lex));
+			appendStrVal(lex->errormsg,
+						 _("Expected JSON value, but found \"%.*s\"."),
+						 toklen, lex->token_start);
+			break;
 		case JSON_EXPECTED_MORE:
 			return _("The input string ended unexpectedly.");
 		case JSON_EXPECTED_OBJECT_FIRST:
-			return psprintf(_("Expected string or \"}\", but found \"%s\"."),
-							extract_token(lex));
+			appendStrVal(lex->errormsg,
+						 _("Expected string or \"}\", but found \"%.*s\"."),
+						 toklen, lex->token_start);
+			break;
 		case JSON_EXPECTED_OBJECT_NEXT:
-			return psprintf(_("Expected \",\" or \"}\", but found \"%s\"."),
-							extract_token(lex));
+			appendStrVal(lex->errormsg,
+						 _("Expected \",\" or \"}\", but found \"%.*s\"."),
+						 toklen, lex->token_start);
+			break;
 		case JSON_EXPECTED_STRING:
-			return psprintf(_("Expected string, but found \"%s\"."),
-							extract_token(lex));
+			appendStrVal(lex->errormsg,
+						 _("Expected string, but found \"%.*s\"."),
+						 toklen, lex->token_start);
+			break;
 		case JSON_INVALID_TOKEN:
-			return psprintf(_("Token \"%s\" is invalid."),
-							extract_token(lex));
+			appendStrVal(lex->errormsg,
+						 _("Token \"%.*s\" is invalid."),
+						 toklen, lex->token_start);
+			break;
+		case JSON_OUT_OF_MEMORY:
+			/* should have been handled above; use the error path */
+			break;
 		case JSON_UNICODE_CODE_POINT_ZERO:
 			return _("\\u0000 cannot be converted to text.");
 		case JSON_UNICODE_ESCAPE_FORMAT:
@@ -1122,12 +1254,22 @@ json_errdetail(JsonParseErrorType error, JsonLexContext *lex)
 			return _("Unicode low surrogate must follow a high surrogate.");
 	}
 
-	/*
-	 * We don't use a default: case, so that the compiler will warn about
-	 * unhandled enum values.  But this needs to be here anyway to cover the
-	 * possibility of an incorrect input.
-	 */
-	elog(ERROR, "unexpected json parse error type: %d", (int) error);
-	return NULL;
-}
+	/* Note that lex->errormsg can be NULL in FRONTEND code. */
+	if (lex->errormsg && !lex->errormsg->data[0])
+	{
+		/*
+		 * We don't use a default: case, so that the compiler will warn about
+		 * unhandled enum values.  But this needs to be here anyway to cover the
+		 * possibility of an incorrect input.
+		 */
+		appendStrVal(lex->errormsg,
+					 "unexpected json parse error type: %d", (int) error);
+	}
+
+#ifdef FRONTEND
+	if (PQExpBufferBroken(lex->errormsg))
+		return _("out of memory while constructing error description");
 #endif
+
+	return lex->errormsg->data;
+}
diff --git a/src/include/common/jsonapi.h b/src/include/common/jsonapi.h
index 52cb4a9339..d7cafc84fe 100644
--- a/src/include/common/jsonapi.h
+++ b/src/include/common/jsonapi.h
@@ -14,8 +14,6 @@
 #ifndef JSONAPI_H
 #define JSONAPI_H
 
-#include "lib/stringinfo.h"
-
 typedef enum
 {
 	JSON_TOKEN_INVALID,
@@ -48,6 +46,7 @@ typedef enum
 	JSON_EXPECTED_OBJECT_NEXT,
 	JSON_EXPECTED_STRING,
 	JSON_INVALID_TOKEN,
+	JSON_OUT_OF_MEMORY,
 	JSON_UNICODE_CODE_POINT_ZERO,
 	JSON_UNICODE_ESCAPE_FORMAT,
 	JSON_UNICODE_HIGH_ESCAPE,
@@ -55,6 +54,17 @@ typedef enum
 	JSON_UNICODE_LOW_SURROGATE
 } JsonParseErrorType;
 
+/*
+ * Don't depend on the internal type header for strval; if callers need access
+ * then they can include the appropriate header themselves.
+ */
+#ifdef FRONTEND
+#define StrValType PQExpBufferData
+#else
+#define StrValType StringInfoData
+#endif
+
+typedef struct StrValType StrValType;
 
 /*
  * All the fields in this structure should be treated as read-only.
@@ -81,7 +91,9 @@ typedef struct JsonLexContext
 	int			lex_level;
 	int			line_number;	/* line number, starting from 1 */
 	char	   *line_start;		/* where that line starts within input */
-	StringInfo	strval;
+	bool		parse_strval;
+	StrValType *strval;			/* only used if parse_strval == true */
+	StrValType *errormsg;
 } JsonLexContext;
 
 typedef void (*json_struct_action) (void *state);
@@ -141,9 +153,10 @@ extern JsonSemAction nullSemAction;
  */
 extern JsonParseErrorType json_count_array_elements(JsonLexContext *lex,
 													int *elements);
+#ifndef FRONTEND
 
 /*
- * constructor for JsonLexContext, with or without strval element.
+ * allocating constructor for JsonLexContext, with or without strval element.
  * If supplied, the strval element will contain a de-escaped version of
  * the lexeme. However, doing this imposes a performance penalty, so
  * it should be avoided if the de-escaped lexeme is not required.
@@ -153,6 +166,32 @@ extern JsonLexContext *makeJsonLexContextCstringLen(char *json,
 													int encoding,
 													bool need_escapes);
 
+/*
+ * Counterpart to makeJsonLexContextCstringLen(): clears and deallocates lex.
+ * The context pointer should not be used after this call.
+ */
+extern void destroyJsonLexContext(JsonLexContext *lex);
+
+#endif /* !FRONTEND */
+
+/*
+ * stack constructor for JsonLexContext, with or without strval element.
+ * If supplied, the strval element will contain a de-escaped version of
+ * the lexeme. However, doing this imposes a performance penalty, so
+ * it should be avoided if the de-escaped lexeme is not required.
+ */
+extern void initJsonLexContextCstringLen(JsonLexContext *lex,
+										 char *json,
+										 int len,
+										 int encoding,
+										 bool need_escapes);
+
+/*
+ * Counterpart to initJsonLexContextCstringLen(): clears the contents of lex,
+ * but does not deallocate lex itself.
+ */
+extern void termJsonLexContext(JsonLexContext *lex);
+
 /* lex one token */
 extern JsonParseErrorType json_lex(JsonLexContext *lex);
 
-- 
2.25.1

From 7f6b02652cd771a93ce4269607d498f4ac574e7f Mon Sep 17 00:00:00 2001
From: Jacob Champion <pchampion@vmware.com>
Date: Tue, 13 Apr 2021 10:27:27 -0700
Subject: [PATCH v3 5/9] libpq: add OAUTHBEARER SASL mechanism

DO NOT USE THIS PROOF OF CONCEPT IN PRODUCTION.

Implement OAUTHBEARER (RFC 7628) and OAuth 2.0 Device Authorization
Grants (RFC 8628) on the client side. When speaking to a OAuth-enabled
server, it looks a bit like this:

    $ psql 'host=example.org oauth_client_id=f02c6361-0635-...'
    Visit https://oauth.example.org/login and enter the code: FPQ2-M4BG

The OAuth issuer must support device authorization. No other OAuth flows
are currently implemented.

The client implementation requires libiddawc and its development
headers. Configure --with-oauth (and --with-includes/--with-libraries to
point at the iddawc installation, if it's in a custom location).

Several TODOs:
- don't retry forever if the server won't accept our token
- perform several sanity checks on the OAuth issuer's responses
- handle cases where the client has been set up with an issuer and
  scope, but the Postgres server wants to use something different
- improve error debuggability during the OAuth handshake
- ...and more.
---
 configure                            | 100 ++++
 configure.ac                         |  19 +
 src/Makefile.global.in               |   1 +
 src/include/common/oauth-common.h    |  19 +
 src/include/pg_config.h.in           |   6 +
 src/interfaces/libpq/Makefile        |   7 +-
 src/interfaces/libpq/fe-auth-oauth.c | 744 +++++++++++++++++++++++++++
 src/interfaces/libpq/fe-auth-sasl.h  |   5 +-
 src/interfaces/libpq/fe-auth-scram.c |   6 +-
 src/interfaces/libpq/fe-auth.c       |  42 +-
 src/interfaces/libpq/fe-auth.h       |   3 +
 src/interfaces/libpq/fe-connect.c    |  38 ++
 src/interfaces/libpq/libpq-int.h     |   8 +
 13 files changed, 979 insertions(+), 19 deletions(-)
 create mode 100644 src/include/common/oauth-common.h
 create mode 100644 src/interfaces/libpq/fe-auth-oauth.c

diff --git a/configure b/configure
index f3cb5c2b51..cd0c50a951 100755
--- a/configure
+++ b/configure
@@ -718,6 +718,7 @@ with_uuid
 with_readline
 with_systemd
 with_selinux
+with_oauth
 with_ldap
 with_krb_srvnam
 krb_srvtab
@@ -861,6 +862,7 @@ with_krb_srvnam
 with_pam
 with_bsd_auth
 with_ldap
+with_oauth
 with_bonjour
 with_selinux
 with_systemd
@@ -1570,6 +1572,7 @@ Optional Packages:
   --with-pam              build with PAM support
   --with-bsd-auth         build with BSD Authentication support
   --with-ldap             build with LDAP support
+  --with-oauth            build with OAuth 2.0 support
   --with-bonjour          build with Bonjour support
   --with-selinux          build with SELinux support
   --with-systemd          build with systemd support
@@ -8377,6 +8380,42 @@ $as_echo "$with_ldap" >&6; }
 
 
 
+#
+# OAuth 2.0
+#
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with OAuth support" >&5
+$as_echo_n "checking whether to build with OAuth support... " >&6; }
+
+
+
+# Check whether --with-oauth was given.
+if test "${with_oauth+set}" = set; then :
+  withval=$with_oauth;
+  case $withval in
+    yes)
+
+$as_echo "#define USE_OAUTH 1" >>confdefs.h
+
+      ;;
+    no)
+      :
+      ;;
+    *)
+      as_fn_error $? "no argument expected for --with-oauth option" "$LINENO" 5
+      ;;
+  esac
+
+else
+  with_oauth=no
+
+fi
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_oauth" >&5
+$as_echo "$with_oauth" >&6; }
+
+
+
 #
 # Bonjour
 #
@@ -13500,6 +13539,56 @@ fi
 
 
 
+if test "$with_oauth" = yes ; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for i_init_session in -liddawc" >&5
+$as_echo_n "checking for i_init_session in -liddawc... " >&6; }
+if ${ac_cv_lib_iddawc_i_init_session+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-liddawc  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char i_init_session ();
+int
+main ()
+{
+return i_init_session ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_iddawc_i_init_session=yes
+else
+  ac_cv_lib_iddawc_i_init_session=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_iddawc_i_init_session" >&5
+$as_echo "$ac_cv_lib_iddawc_i_init_session" >&6; }
+if test "x$ac_cv_lib_iddawc_i_init_session" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBIDDAWC 1
+_ACEOF
+
+  LIBS="-liddawc $LIBS"
+
+else
+  as_fn_error $? "library 'iddawc' is required for OAuth support" "$LINENO" 5
+fi
+
+fi
+
 # for contrib/sepgsql
 if test "$with_selinux" = yes; then
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for security_compute_create_name in -lselinux" >&5
@@ -14513,6 +14602,17 @@ fi
 
 done
 
+fi
+
+if test "$with_oauth" != no; then
+  ac_fn_c_check_header_mongrel "$LINENO" "iddawc.h" "ac_cv_header_iddawc_h" "$ac_includes_default"
+if test "x$ac_cv_header_iddawc_h" = xyes; then :
+
+else
+  as_fn_error $? "header file <iddawc.h> is required for OAuth" "$LINENO" 5
+fi
+
+
 fi
 
 if test "$PORTNAME" = "win32" ; then
diff --git a/configure.ac b/configure.ac
index 19d1a80367..922608065f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -887,6 +887,17 @@ AC_MSG_RESULT([$with_ldap])
 AC_SUBST(with_ldap)
 
 
+#
+# OAuth 2.0
+#
+AC_MSG_CHECKING([whether to build with OAuth support])
+PGAC_ARG_BOOL(with, oauth, no,
+              [build with OAuth 2.0 support],
+              [AC_DEFINE([USE_OAUTH], 1, [Define to 1 to build with OAuth 2.0 support. (--with-oauth)])])
+AC_MSG_RESULT([$with_oauth])
+AC_SUBST(with_oauth)
+
+
 #
 # Bonjour
 #
@@ -1385,6 +1396,10 @@ fi
 AC_SUBST(LDAP_LIBS_FE)
 AC_SUBST(LDAP_LIBS_BE)
 
+if test "$with_oauth" = yes ; then
+  AC_CHECK_LIB(iddawc, i_init_session, [], [AC_MSG_ERROR([library 'iddawc' is required for OAuth support])])
+fi
+
 # for contrib/sepgsql
 if test "$with_selinux" = yes; then
   AC_CHECK_LIB(selinux, security_compute_create_name, [],
@@ -1603,6 +1618,10 @@ elif test "$with_uuid" = ossp ; then
       [AC_MSG_ERROR([header file <ossp/uuid.h> or <uuid.h> is required for OSSP UUID])])])
 fi
 
+if test "$with_oauth" != no; then
+  AC_CHECK_HEADER(iddawc.h, [], [AC_MSG_ERROR([header file <iddawc.h> is required for OAuth])])
+fi
+
 if test "$PORTNAME" = "win32" ; then
    AC_CHECK_HEADERS(crtdefs.h)
 fi
diff --git a/src/Makefile.global.in b/src/Makefile.global.in
index bbdc1c4bda..c9c61a9c99 100644
--- a/src/Makefile.global.in
+++ b/src/Makefile.global.in
@@ -193,6 +193,7 @@ with_ldap	= @with_ldap@
 with_libxml	= @with_libxml@
 with_libxslt	= @with_libxslt@
 with_llvm	= @with_llvm@
+with_oauth	= @with_oauth@
 with_system_tzdata = @with_system_tzdata@
 with_uuid	= @with_uuid@
 with_zlib	= @with_zlib@
diff --git a/src/include/common/oauth-common.h b/src/include/common/oauth-common.h
new file mode 100644
index 0000000000..3fa95ac7e8
--- /dev/null
+++ b/src/include/common/oauth-common.h
@@ -0,0 +1,19 @@
+/*-------------------------------------------------------------------------
+ *
+ * oauth-common.h
+ *		Declarations for helper functions used for OAuth/OIDC authentication
+ *
+ * Portions Copyright (c) 1996-2021, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ * src/include/common/oauth-common.h
+ *
+ *-------------------------------------------------------------------------
+ */
+#ifndef OAUTH_COMMON_H
+#define OAUTH_COMMON_H
+
+/* Name of SASL mechanism per IANA */
+#define OAUTHBEARER_NAME "OAUTHBEARER"
+
+#endif /* OAUTH_COMMON_H */
diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in
index 635fbb2181..1b3332601e 100644
--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
@@ -319,6 +319,9 @@
 /* Define to 1 if you have the `crypto' library (-lcrypto). */
 #undef HAVE_LIBCRYPTO
 
+/* Define to 1 if you have the `iddawc' library (-liddawc). */
+#undef HAVE_LIBIDDAWC
+
 /* Define to 1 if you have the `ldap' library (-lldap). */
 #undef HAVE_LIBLDAP
 
@@ -922,6 +925,9 @@
 /* Define to select named POSIX semaphores. */
 #undef USE_NAMED_POSIX_SEMAPHORES
 
+/* Define to 1 to build with OAuth 2.0 support. (--with-oauth) */
+#undef USE_OAUTH
+
 /* Define to 1 to build with OpenSSL support. (--with-ssl=openssl) */
 #undef USE_OPENSSL
 
diff --git a/src/interfaces/libpq/Makefile b/src/interfaces/libpq/Makefile
index 3c53393fa4..727305c578 100644
--- a/src/interfaces/libpq/Makefile
+++ b/src/interfaces/libpq/Makefile
@@ -62,6 +62,11 @@ OBJS += \
 	fe-secure-gssapi.o
 endif
 
+ifeq ($(with_oauth),yes)
+OBJS += \
+	fe-auth-oauth.o
+endif
+
 ifeq ($(PORTNAME), cygwin)
 override shlib = cyg$(NAME)$(DLSUFFIX)
 endif
@@ -83,7 +88,7 @@ endif
 # that are built correctly for use in a shlib.
 SHLIB_LINK_INTERNAL = -lpgcommon_shlib -lpgport_shlib
 ifneq ($(PORTNAME), win32)
-SHLIB_LINK += $(filter -lcrypt -ldes -lcom_err -lcrypto -lk5crypto -lkrb5 -lgssapi_krb5 -lgss -lgssapi -lssl -lsocket -lnsl -lresolv -lintl -lm, $(LIBS)) $(LDAP_LIBS_FE) $(PTHREAD_LIBS)
+SHLIB_LINK += $(filter -lcrypt -ldes -lcom_err -lcrypto -lk5crypto -lkrb5 -lgssapi_krb5 -lgss -lgssapi -lssl -liddawc -lsocket -lnsl -lresolv -lintl -lm, $(LIBS)) $(LDAP_LIBS_FE) $(PTHREAD_LIBS)
 else
 SHLIB_LINK += $(filter -lcrypt -ldes -lcom_err -lcrypto -lk5crypto -lkrb5 -lgssapi32 -lssl -lsocket -lnsl -lresolv -lintl -lm $(PTHREAD_LIBS), $(LIBS)) $(LDAP_LIBS_FE)
 endif
diff --git a/src/interfaces/libpq/fe-auth-oauth.c b/src/interfaces/libpq/fe-auth-oauth.c
new file mode 100644
index 0000000000..383c9d4bdb
--- /dev/null
+++ b/src/interfaces/libpq/fe-auth-oauth.c
@@ -0,0 +1,744 @@
+/*-------------------------------------------------------------------------
+ *
+ * fe-auth-oauth.c
+ *	   The front-end (client) implementation of OAuth/OIDC authentication.
+ *
+ * Portions Copyright (c) 1996-2021, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ * IDENTIFICATION
+ *	  src/interfaces/libpq/fe-auth-oauth.c
+ *
+ *-------------------------------------------------------------------------
+ */
+
+#include <iddawc.h>
+
+#include "postgres_fe.h"
+
+#include "common/base64.h"
+#include "common/hmac.h"
+#include "common/jsonapi.h"
+#include "common/oauth-common.h"
+#include "fe-auth.h"
+#include "mb/pg_wchar.h"
+
+/* The exported OAuth callback mechanism. */
+static void *oauth_init(PGconn *conn, const char *password,
+						const char *sasl_mechanism);
+static void oauth_exchange(void *opaq, bool final,
+						   char *input, int inputlen,
+						   char **output, int *outputlen,
+						   bool *done, bool *success);
+static bool oauth_channel_bound(void *opaq);
+static void oauth_free(void *opaq);
+
+const pg_fe_sasl_mech pg_oauth_mech = {
+	oauth_init,
+	oauth_exchange,
+	oauth_channel_bound,
+	oauth_free,
+};
+
+typedef enum
+{
+	FE_OAUTH_INIT,
+	FE_OAUTH_BEARER_SENT,
+	FE_OAUTH_SERVER_ERROR,
+} fe_oauth_state_enum;
+
+typedef struct
+{
+	fe_oauth_state_enum state;
+
+	PGconn	   *conn;
+} fe_oauth_state;
+
+static void *
+oauth_init(PGconn *conn, const char *password,
+		   const char *sasl_mechanism)
+{
+	fe_oauth_state *state;
+
+	/*
+	 * We only support one SASL mechanism here; anything else is programmer
+	 * error.
+	 */
+	Assert(sasl_mechanism != NULL);
+	Assert(!strcmp(sasl_mechanism, OAUTHBEARER_NAME));
+
+	state = malloc(sizeof(*state));
+	if (!state)
+		return NULL;
+
+	state->state = FE_OAUTH_INIT;
+	state->conn = conn;
+
+	return state;
+}
+
+static const char *
+iddawc_error_string(int errcode)
+{
+	switch (errcode)
+	{
+		case I_OK:
+			return "I_OK";
+
+		case I_ERROR:
+			return "I_ERROR";
+
+		case I_ERROR_PARAM:
+			return "I_ERROR_PARAM";
+
+		case I_ERROR_MEMORY:
+			return "I_ERROR_MEMORY";
+
+		case I_ERROR_UNAUTHORIZED:
+			return "I_ERROR_UNAUTHORIZED";
+
+		case I_ERROR_SERVER:
+			return "I_ERROR_SERVER";
+	}
+
+	return "<unknown>";
+}
+
+static void
+iddawc_error(PGconn *conn, int errcode, const char *msg)
+{
+	appendPQExpBufferStr(&conn->errorMessage, libpq_gettext(msg));
+	appendPQExpBuffer(&conn->errorMessage,
+					  libpq_gettext(" (iddawc error %s)\n"),
+					  iddawc_error_string(errcode));
+}
+
+static void
+iddawc_request_error(PGconn *conn, struct _i_session *i, int err, const char *msg)
+{
+	const char *error_code;
+	const char *desc;
+
+	appendPQExpBuffer(&conn->errorMessage, "%s: ", libpq_gettext(msg));
+
+	error_code = i_get_str_parameter(i, I_OPT_ERROR);
+	if (!error_code)
+	{
+		/*
+		 * The server didn't give us any useful information, so just print the
+		 * error code.
+		 */
+		appendPQExpBuffer(&conn->errorMessage,
+						  libpq_gettext("(iddawc error %s)\n"),
+						  iddawc_error_string(err));
+		return;
+	}
+
+	/* If the server gave a string description, print that too. */
+	desc = i_get_str_parameter(i, I_OPT_ERROR_DESCRIPTION);
+	if (desc)
+		appendPQExpBuffer(&conn->errorMessage, "%s ", desc);
+
+	appendPQExpBuffer(&conn->errorMessage, "(%s)\n", error_code);
+}
+
+static char *
+get_auth_token(PGconn *conn)
+{
+	PQExpBuffer	token_buf = NULL;
+	struct _i_session session;
+	int			err;
+	int			auth_method;
+	bool		user_prompted = false;
+	const char *verification_uri;
+	const char *user_code;
+	const char *access_token;
+	const char *token_type;
+	char	   *token = NULL;
+
+	if (!conn->oauth_discovery_uri)
+		return strdup(""); /* ask the server for one */
+
+	if (!conn->oauth_client_id)
+	{
+		/* We can't talk to a server without a client identifier. */
+		appendPQExpBufferStr(&conn->errorMessage,
+							 libpq_gettext("no oauth_client_id is set for the connection"));
+		return NULL;
+	}
+
+	i_init_session(&session);
+
+	token_buf = createPQExpBuffer();
+	if (!token_buf)
+		goto cleanup;
+
+	err = i_set_str_parameter(&session, I_OPT_OPENID_CONFIG_ENDPOINT, conn->oauth_discovery_uri);
+	if (err)
+	{
+		iddawc_error(conn, err, "failed to set OpenID config endpoint");
+		goto cleanup;
+	}
+
+	err = i_get_openid_config(&session);
+	if (err)
+	{
+		iddawc_error(conn, err, "failed to fetch OpenID discovery document");
+		goto cleanup;
+	}
+
+	if (!i_get_str_parameter(&session, I_OPT_TOKEN_ENDPOINT))
+	{
+		appendPQExpBufferStr(&conn->errorMessage,
+							 libpq_gettext("issuer has no token endpoint"));
+		goto cleanup;
+	}
+
+	if (!i_get_str_parameter(&session, I_OPT_DEVICE_AUTHORIZATION_ENDPOINT))
+	{
+		appendPQExpBufferStr(&conn->errorMessage,
+							 libpq_gettext("issuer does not support device authorization"));
+		goto cleanup;
+	}
+
+	err = i_set_response_type(&session, I_RESPONSE_TYPE_DEVICE_CODE);
+	if (err)
+	{
+		iddawc_error(conn, err, "failed to set device code response type");
+		goto cleanup;
+	}
+
+	auth_method = I_TOKEN_AUTH_METHOD_NONE;
+	if (conn->oauth_client_secret && *conn->oauth_client_secret)
+		auth_method = I_TOKEN_AUTH_METHOD_SECRET_BASIC;
+
+	err = i_set_parameter_list(&session,
+		I_OPT_CLIENT_ID, conn->oauth_client_id,
+		I_OPT_CLIENT_SECRET, conn->oauth_client_secret,
+		I_OPT_TOKEN_METHOD, auth_method,
+		I_OPT_SCOPE, conn->oauth_scope,
+		I_OPT_NONE
+	);
+	if (err)
+	{
+		iddawc_error(conn, err, "failed to set client identifier");
+		goto cleanup;
+	}
+
+	err = i_run_device_auth_request(&session);
+	if (err)
+	{
+		iddawc_request_error(conn, &session, err,
+							"failed to obtain device authorization");
+		goto cleanup;
+	}
+
+	verification_uri = i_get_str_parameter(&session, I_OPT_DEVICE_AUTH_VERIFICATION_URI);
+	if (!verification_uri)
+	{
+		appendPQExpBufferStr(&conn->errorMessage,
+							 libpq_gettext("issuer did not provide a verification URI"));
+		goto cleanup;
+	}
+
+	user_code = i_get_str_parameter(&session, I_OPT_DEVICE_AUTH_USER_CODE);
+	if (!user_code)
+	{
+		appendPQExpBufferStr(&conn->errorMessage,
+							 libpq_gettext("issuer did not provide a user code"));
+		goto cleanup;
+	}
+
+	/*
+	 * Poll the token endpoint until either the user logs in and authorizes the
+	 * use of a token, or a hard failure occurs. We perform one ping _before_
+	 * prompting the user, so that we don't make them do the work of logging in
+	 * only to find that the token endpoint is completely unreachable.
+	 */
+	err = i_run_token_request(&session);
+	while (err)
+	{
+		const char *error_code;
+		uint		interval;
+
+		error_code = i_get_str_parameter(&session, I_OPT_ERROR);
+
+		/*
+		 * authorization_pending and slow_down are the only acceptable errors;
+		 * anything else and we bail.
+		 */
+		if (!error_code || (strcmp(error_code, "authorization_pending")
+							&& strcmp(error_code, "slow_down")))
+		{
+			iddawc_request_error(conn, &session, err,
+								"OAuth token retrieval failed");
+			goto cleanup;
+		}
+
+		if (!user_prompted)
+		{
+			/*
+			 * Now that we know the token endpoint isn't broken, give the user
+			 * the login instructions.
+			 */
+			pqInternalNotice(&conn->noticeHooks,
+							 "Visit %s and enter the code: %s",
+							 verification_uri, user_code);
+
+			user_prompted = true;
+		}
+
+		/*
+		 * We are required to wait between polls; the server tells us how long.
+		 * TODO: if interval's not set, we need to default to five seconds
+		 * TODO: sanity check the interval
+		 */
+		interval = i_get_int_parameter(&session, I_OPT_DEVICE_AUTH_INTERVAL);
+
+		/*
+		 * A slow_down error requires us to permanently increase our retry
+		 * interval by five seconds. RFC 8628, Sec. 3.5.
+		 */
+		if (!strcmp(error_code, "slow_down"))
+		{
+			interval += 5;
+			i_set_int_parameter(&session, I_OPT_DEVICE_AUTH_INTERVAL, interval);
+		}
+
+		sleep(interval);
+
+		/*
+		 * XXX Reset the error code before every call, because iddawc won't do
+		 * that for us. This matters if the server first sends a "pending" error
+		 * code, then later hard-fails without sending an error code to
+		 * overwrite the first one.
+		 *
+		 * That we have to do this at all seems like a bug in iddawc.
+		 */
+		i_set_str_parameter(&session, I_OPT_ERROR, NULL);
+
+		err = i_run_token_request(&session);
+	}
+
+	access_token = i_get_str_parameter(&session, I_OPT_ACCESS_TOKEN);
+	token_type = i_get_str_parameter(&session, I_OPT_TOKEN_TYPE);
+
+	if (!access_token || !token_type || strcasecmp(token_type, "Bearer"))
+	{
+		appendPQExpBufferStr(&conn->errorMessage,
+							 libpq_gettext("issuer did not provide a bearer token"));
+		goto cleanup;
+	}
+
+	appendPQExpBufferStr(token_buf, "Bearer ");
+	appendPQExpBufferStr(token_buf, access_token);
+
+	if (PQExpBufferBroken(token_buf))
+		goto cleanup;
+
+	token = strdup(token_buf->data);
+
+cleanup:
+	if (token_buf)
+		destroyPQExpBuffer(token_buf);
+	i_clean_session(&session);
+
+	return token;
+}
+
+#define kvsep "\x01"
+
+static char *
+client_initial_response(PGconn *conn)
+{
+	static const char * const resp_format = "n,," kvsep "auth=%s" kvsep kvsep;
+
+	PQExpBuffer	token_buf;
+	PQExpBuffer	discovery_buf = NULL;
+	char	   *token = NULL;
+	char	   *response = NULL;
+
+	token_buf = createPQExpBuffer();
+	if (!token_buf)
+		goto cleanup;
+
+	/*
+	 * If we don't yet have a discovery URI, but the user gave us an explicit
+	 * issuer, use the .well-known discovery URI for that issuer.
+	 */
+	if (!conn->oauth_discovery_uri && conn->oauth_issuer)
+	{
+		discovery_buf = createPQExpBuffer();
+		if (!discovery_buf)
+			goto cleanup;
+
+		appendPQExpBufferStr(discovery_buf, conn->oauth_issuer);
+		appendPQExpBufferStr(discovery_buf, "/.well-known/openid-configuration");
+
+		if (PQExpBufferBroken(discovery_buf))
+			goto cleanup;
+
+		conn->oauth_discovery_uri = strdup(discovery_buf->data);
+	}
+
+	token = get_auth_token(conn);
+	if (!token)
+		goto cleanup;
+
+	appendPQExpBuffer(token_buf, resp_format, token);
+	if (PQExpBufferBroken(token_buf))
+		goto cleanup;
+
+	response = strdup(token_buf->data);
+
+cleanup:
+	if (token)
+		free(token);
+	if (discovery_buf)
+		destroyPQExpBuffer(discovery_buf);
+	if (token_buf)
+		destroyPQExpBuffer(token_buf);
+
+	return response;
+}
+
+#define ERROR_STATUS_FIELD "status"
+#define ERROR_SCOPE_FIELD "scope"
+#define ERROR_OPENID_CONFIGURATION_FIELD "openid-configuration"
+
+struct json_ctx
+{
+	char		   *errmsg; /* any non-NULL value stops all processing */
+	PQExpBufferData errbuf; /* backing memory for errmsg */
+	int				nested; /* nesting level (zero is the top) */
+
+	const char	   *target_field_name; /* points to a static allocation */
+	char		  **target_field;      /* see below */
+
+	/* target_field, if set, points to one of the following: */
+	char		   *status;
+	char		   *scope;
+	char		   *discovery_uri;
+};
+
+#define oauth_json_has_error(ctx) \
+	(PQExpBufferDataBroken((ctx)->errbuf) || (ctx)->errmsg)
+
+#define oauth_json_set_error(ctx, ...) \
+	do { \
+		appendPQExpBuffer(&(ctx)->errbuf, __VA_ARGS__); \
+		(ctx)->errmsg = (ctx)->errbuf.data; \
+	} while (0)
+
+static void
+oauth_json_object_start(void *state)
+{
+	struct json_ctx	   *ctx = state;
+
+	if (oauth_json_has_error(ctx))
+		return; /* short-circuit */
+
+	if (ctx->target_field)
+	{
+		Assert(ctx->nested == 1);
+
+		oauth_json_set_error(ctx,
+							 libpq_gettext("field \"%s\" must be a string"),
+							 ctx->target_field_name);
+	}
+
+	++ctx->nested;
+}
+
+static void
+oauth_json_object_end(void *state)
+{
+	struct json_ctx	   *ctx = state;
+
+	if (oauth_json_has_error(ctx))
+		return; /* short-circuit */
+
+	--ctx->nested;
+}
+
+static void
+oauth_json_object_field_start(void *state, char *name, bool isnull)
+{
+	struct json_ctx	   *ctx = state;
+
+	if (oauth_json_has_error(ctx))
+	{
+		/* short-circuit */
+		free(name);
+		return;
+	}
+
+	if (ctx->nested == 1)
+	{
+		if (!strcmp(name, ERROR_STATUS_FIELD))
+		{
+			ctx->target_field_name = ERROR_STATUS_FIELD;
+			ctx->target_field = &ctx->status;
+		}
+		else if (!strcmp(name, ERROR_SCOPE_FIELD))
+		{
+			ctx->target_field_name = ERROR_SCOPE_FIELD;
+			ctx->target_field = &ctx->scope;
+		}
+		else if (!strcmp(name, ERROR_OPENID_CONFIGURATION_FIELD))
+		{
+			ctx->target_field_name = ERROR_OPENID_CONFIGURATION_FIELD;
+			ctx->target_field = &ctx->discovery_uri;
+		}
+	}
+
+	free(name);
+}
+
+static void
+oauth_json_array_start(void *state)
+{
+	struct json_ctx	   *ctx = state;
+
+	if (oauth_json_has_error(ctx))
+		return; /* short-circuit */
+
+	if (!ctx->nested)
+	{
+		ctx->errmsg = libpq_gettext("top-level element must be an object");
+	}
+	else if (ctx->target_field)
+	{
+		Assert(ctx->nested == 1);
+
+		oauth_json_set_error(ctx,
+							 libpq_gettext("field \"%s\" must be a string"),
+							 ctx->target_field_name);
+	}
+}
+
+static void
+oauth_json_scalar(void *state, char *token, JsonTokenType type)
+{
+	struct json_ctx	   *ctx = state;
+
+	if (oauth_json_has_error(ctx))
+	{
+		/* short-circuit */
+		free(token);
+		return;
+	}
+
+	if (!ctx->nested)
+	{
+		ctx->errmsg = libpq_gettext("top-level element must be an object");
+	}
+	else if (ctx->target_field)
+	{
+		Assert(ctx->nested == 1);
+
+		if (type == JSON_TOKEN_STRING)
+		{
+			*ctx->target_field = token;
+
+			ctx->target_field = NULL;
+			ctx->target_field_name = NULL;
+
+			return; /* don't free the token we're using */
+		}
+
+		oauth_json_set_error(ctx,
+							 libpq_gettext("field \"%s\" must be a string"),
+							 ctx->target_field_name);
+	}
+
+	free(token);
+}
+
+static bool
+handle_oauth_sasl_error(PGconn *conn, char *msg, int msglen)
+{
+	JsonLexContext		lex = {0};
+	JsonSemAction		sem = {0};
+	JsonParseErrorType	err;
+	struct json_ctx		ctx = {0};
+	char			   *errmsg = NULL;
+
+	/* Sanity check. */
+	if (strlen(msg) != msglen)
+	{
+		appendPQExpBufferStr(&conn->errorMessage,
+							 libpq_gettext("server's error message contained an embedded NULL"));
+		return false;
+	}
+
+	initJsonLexContextCstringLen(&lex, msg, msglen, PG_UTF8, true);
+
+	initPQExpBuffer(&ctx.errbuf);
+	sem.semstate = &ctx;
+
+	sem.object_start = oauth_json_object_start;
+	sem.object_end = oauth_json_object_end;
+	sem.object_field_start = oauth_json_object_field_start;
+	sem.array_start = oauth_json_array_start;
+	sem.scalar = oauth_json_scalar;
+
+	err = pg_parse_json(&lex, &sem);
+
+	if (err != JSON_SUCCESS)
+	{
+		errmsg = json_errdetail(err, &lex);
+	}
+	else if (PQExpBufferDataBroken(ctx.errbuf))
+	{
+		errmsg = libpq_gettext("out of memory");
+	}
+	else if (ctx.errmsg)
+	{
+		errmsg = ctx.errmsg;
+	}
+
+	if (errmsg)
+		appendPQExpBuffer(&conn->errorMessage,
+						  libpq_gettext("failed to parse server's error response: %s"),
+						  errmsg);
+
+	/* Don't need the error buffer or the JSON lexer anymore. */
+	termPQExpBuffer(&ctx.errbuf);
+	termJsonLexContext(&lex);
+
+	if (errmsg)
+		return false;
+
+	/* TODO: what if these override what the user already specified? */
+	if (ctx.discovery_uri)
+	{
+		if (conn->oauth_discovery_uri)
+			free(conn->oauth_discovery_uri);
+
+		conn->oauth_discovery_uri = ctx.discovery_uri;
+	}
+
+	if (ctx.scope)
+	{
+		if (conn->oauth_scope)
+			free(conn->oauth_scope);
+
+		conn->oauth_scope = ctx.scope;
+	}
+	/* TODO: missing error scope should clear any existing connection scope */
+
+	if (!ctx.status)
+	{
+		appendPQExpBuffer(&conn->errorMessage,
+						  libpq_gettext("server sent error response without a status"));
+		return false;
+	}
+
+	if (!strcmp(ctx.status, "invalid_token"))
+	{
+		/*
+		 * invalid_token is the only error code we'll automatically retry for,
+		 * but only if we have enough information to do so.
+		 */
+		if (conn->oauth_discovery_uri)
+			conn->oauth_want_retry = true;
+	}
+	/* TODO: include status in hard failure message */
+
+	return true;
+}
+
+static void
+oauth_exchange(void *opaq, bool final,
+			   char *input, int inputlen,
+			   char **output, int *outputlen,
+			   bool *done, bool *success)
+{
+	fe_oauth_state *state = opaq;
+	PGconn	   *conn = state->conn;
+
+	*done = false;
+	*success = false;
+	*output = NULL;
+	*outputlen = 0;
+
+	switch (state->state)
+	{
+		case FE_OAUTH_INIT:
+			Assert(inputlen == -1);
+
+			*output = client_initial_response(conn);
+			if (!*output)
+				goto error;
+
+			*outputlen = strlen(*output);
+			state->state = FE_OAUTH_BEARER_SENT;
+
+			break;
+
+		case FE_OAUTH_BEARER_SENT:
+			if (final)
+			{
+				/* TODO: ensure there is no message content here. */
+				*done = true;
+				*success = true;
+
+				break;
+			}
+
+			/*
+			 * Error message sent by the server.
+			 */
+			if (!handle_oauth_sasl_error(conn, input, inputlen))
+				goto error;
+
+			/*
+			 * Respond with the required dummy message (RFC 7628, sec. 3.2.3).
+			 */
+			*output = strdup(kvsep);
+			*outputlen = strlen(*output); /* == 1 */
+
+			state->state = FE_OAUTH_SERVER_ERROR;
+			break;
+
+		case FE_OAUTH_SERVER_ERROR:
+			/*
+			 * After an error, the server should send an error response to fail
+			 * the SASL handshake, which is handled in higher layers.
+			 *
+			 * If we get here, the server either sent *another* challenge which
+			 * isn't defined in the RFC, or completed the handshake successfully
+			 * after telling us it was going to fail. Neither is acceptable.
+			 */
+			appendPQExpBufferStr(&conn->errorMessage,
+								 libpq_gettext("server sent additional OAuth data after error\n"));
+			goto error;
+
+		default:
+			appendPQExpBufferStr(&conn->errorMessage,
+								 libpq_gettext("invalid OAuth exchange state\n"));
+			goto error;
+	}
+
+	return;
+
+error:
+	*done = true;
+	*success = false;
+}
+
+static bool
+oauth_channel_bound(void *opaq)
+{
+	/* This mechanism does not support channel binding. */
+	return false;
+}
+
+static void
+oauth_free(void *opaq)
+{
+	fe_oauth_state *state = opaq;
+
+	free(state);
+}
diff --git a/src/interfaces/libpq/fe-auth-sasl.h b/src/interfaces/libpq/fe-auth-sasl.h
index da3c30b87b..b1bb382f70 100644
--- a/src/interfaces/libpq/fe-auth-sasl.h
+++ b/src/interfaces/libpq/fe-auth-sasl.h
@@ -65,6 +65,8 @@ typedef struct pg_fe_sasl_mech
 	 *
 	 *	state:	   The opaque mechanism state returned by init()
 	 *
+	 *	final:	   true if the server has sent a final exchange outcome
+	 *
 	 *	input:	   The challenge data sent by the server, or NULL when
 	 *			   generating a client-first initial response (that is, when
 	 *			   the server expects the client to send a message to start
@@ -92,7 +94,8 @@ typedef struct pg_fe_sasl_mech
 	 *			   Ignored if *done is false.
 	 *--------
 	 */
-	void		(*exchange) (void *state, char *input, int inputlen,
+	void		(*exchange) (void *state, bool final,
+							 char *input, int inputlen,
 							 char **output, int *outputlen,
 							 bool *done, bool *success);
 
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index e616200704..681b76adbe 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -24,7 +24,8 @@
 /* The exported SCRAM callback mechanism. */
 static void *scram_init(PGconn *conn, const char *password,
 						const char *sasl_mechanism);
-static void scram_exchange(void *opaq, char *input, int inputlen,
+static void scram_exchange(void *opaq, bool final,
+						   char *input, int inputlen,
 						   char **output, int *outputlen,
 						   bool *done, bool *success);
 static bool scram_channel_bound(void *opaq);
@@ -206,7 +207,8 @@ scram_free(void *opaq)
  * Exchange a SCRAM message with backend.
  */
 static void
-scram_exchange(void *opaq, char *input, int inputlen,
+scram_exchange(void *opaq, bool final,
+			   char *input, int inputlen,
 			   char **output, int *outputlen,
 			   bool *done, bool *success)
 {
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 6fceff561b..2567a34023 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -38,6 +38,7 @@
 #endif
 
 #include "common/md5.h"
+#include "common/oauth-common.h"
 #include "common/scram-common.h"
 #include "fe-auth.h"
 #include "fe-auth-sasl.h"
@@ -422,7 +423,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 	bool		success;
 	const char *selected_mechanism;
 	PQExpBufferData mechanism_buf;
-	char	   *password;
+	char	   *password = NULL;
 
 	initPQExpBuffer(&mechanism_buf);
 
@@ -444,8 +445,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 	/*
 	 * Parse the list of SASL authentication mechanisms in the
 	 * AuthenticationSASL message, and select the best mechanism that we
-	 * support.  SCRAM-SHA-256-PLUS and SCRAM-SHA-256 are the only ones
-	 * supported at the moment, listed by order of decreasing importance.
+	 * support.  Mechanisms are listed by order of decreasing importance.
 	 */
 	selected_mechanism = NULL;
 	for (;;)
@@ -485,6 +485,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 				{
 					selected_mechanism = SCRAM_SHA_256_PLUS_NAME;
 					conn->sasl = &pg_scram_mech;
+					conn->password_needed = true;
 				}
 #else
 				/*
@@ -522,7 +523,17 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 		{
 			selected_mechanism = SCRAM_SHA_256_NAME;
 			conn->sasl = &pg_scram_mech;
+			conn->password_needed = true;
 		}
+#ifdef USE_OAUTH
+		else if (strcmp(mechanism_buf.data, OAUTHBEARER_NAME) == 0 &&
+				!selected_mechanism)
+		{
+			selected_mechanism = OAUTHBEARER_NAME;
+			conn->sasl = &pg_oauth_mech;
+			conn->password_needed = false;
+		}
+#endif
 	}
 
 	if (!selected_mechanism)
@@ -547,18 +558,19 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 
 	/*
 	 * First, select the password to use for the exchange, complaining if
-	 * there isn't one.  Currently, all supported SASL mechanisms require a
-	 * password, so we can just go ahead here without further distinction.
+	 * there isn't one and the SASL mechanism needs it.
 	 */
-	conn->password_needed = true;
-	password = conn->connhost[conn->whichhost].password;
-	if (password == NULL)
-		password = conn->pgpass;
-	if (password == NULL || password[0] == '\0')
+	if (conn->password_needed)
 	{
-		appendPQExpBufferStr(&conn->errorMessage,
-							 PQnoPasswordSupplied);
-		goto error;
+		password = conn->connhost[conn->whichhost].password;
+		if (password == NULL)
+			password = conn->pgpass;
+		if (password == NULL || password[0] == '\0')
+		{
+			appendPQExpBufferStr(&conn->errorMessage,
+								 PQnoPasswordSupplied);
+			goto error;
+		}
 	}
 
 	Assert(conn->sasl);
@@ -576,7 +588,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 		goto oom_error;
 
 	/* Get the mechanism-specific Initial Client Response, if any */
-	conn->sasl->exchange(conn->sasl_state,
+	conn->sasl->exchange(conn->sasl_state, false,
 						 NULL, -1,
 						 &initialresponse, &initialresponselen,
 						 &done, &success);
@@ -657,7 +669,7 @@ pg_SASL_continue(PGconn *conn, int payloadlen, bool final)
 	/* For safety and convenience, ensure the buffer is NULL-terminated. */
 	challenge[payloadlen] = '\0';
 
-	conn->sasl->exchange(conn->sasl_state,
+	conn->sasl->exchange(conn->sasl_state, final,
 						 challenge, payloadlen,
 						 &output, &outputlen,
 						 &done, &success);
diff --git a/src/interfaces/libpq/fe-auth.h b/src/interfaces/libpq/fe-auth.h
index 049a8bb1a1..2a56774019 100644
--- a/src/interfaces/libpq/fe-auth.h
+++ b/src/interfaces/libpq/fe-auth.h
@@ -28,4 +28,7 @@ extern const pg_fe_sasl_mech pg_scram_mech;
 extern char *pg_fe_scram_build_secret(const char *password,
 									  const char **errstr);
 
+/* Mechanisms in fe-auth-oauth.c */
+extern const pg_fe_sasl_mech pg_oauth_mech;
+
 #endif							/* FE_AUTH_H */
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 1c5a2b43e9..5f78439586 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -344,6 +344,23 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
 		"Target-Session-Attrs", "", 15, /* sizeof("prefer-standby") = 15 */
 	offsetof(struct pg_conn, target_session_attrs)},
 
+	/* OAuth v2 */
+	{"oauth_issuer", NULL, NULL, NULL,
+		"OAuth-Issuer", "", 40,
+	offsetof(struct pg_conn, oauth_issuer)},
+
+	{"oauth_client_id", NULL, NULL, NULL,
+		"OAuth-Client-ID", "", 40,
+	offsetof(struct pg_conn, oauth_client_id)},
+
+	{"oauth_client_secret", NULL, NULL, NULL,
+		"OAuth-Client-Secret", "", 40,
+	offsetof(struct pg_conn, oauth_client_secret)},
+
+	{"oauth_scope", NULL, NULL, NULL,
+		"OAuth-Scope", "", 15,
+	offsetof(struct pg_conn, oauth_scope)},
+
 	/* Terminating entry --- MUST BE LAST */
 	{NULL, NULL, NULL, NULL,
 	NULL, NULL, 0}
@@ -606,6 +623,7 @@ pqDropServerData(PGconn *conn)
 	conn->write_err_msg = NULL;
 	conn->be_pid = 0;
 	conn->be_key = 0;
+	/* conn->oauth_want_retry = false; TODO */
 }
 
 
@@ -3381,6 +3399,16 @@ keep_going:						/* We will come back to here until there is
 					/* Check to see if we should mention pgpassfile */
 					pgpassfileWarning(conn);
 
+#ifdef USE_OAUTH
+					if (conn->sasl == &pg_oauth_mech
+						&& conn->oauth_want_retry)
+					{
+						/* TODO: only allow retry once */
+						need_new_connection = true;
+						goto keep_going;
+					}
+#endif
+
 #ifdef ENABLE_GSS
 
 					/*
@@ -4161,6 +4189,16 @@ freePGconn(PGconn *conn)
 		free(conn->rowBuf);
 	if (conn->target_session_attrs)
 		free(conn->target_session_attrs);
+	if (conn->oauth_issuer)
+		free(conn->oauth_issuer);
+	if (conn->oauth_discovery_uri)
+		free(conn->oauth_discovery_uri);
+	if (conn->oauth_client_id)
+		free(conn->oauth_client_id);
+	if (conn->oauth_client_secret)
+		free(conn->oauth_client_secret);
+	if (conn->oauth_scope)
+		free(conn->oauth_scope);
 	termPQExpBuffer(&conn->errorMessage);
 	termPQExpBuffer(&conn->workBuffer);
 
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index e0cee4b142..0dff13505a 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -394,6 +394,14 @@ struct pg_conn
 	char	   *ssl_max_protocol_version;	/* maximum TLS protocol version */
 	char	   *target_session_attrs;	/* desired session properties */
 
+	/* OAuth v2 */
+	char	   *oauth_issuer;			/* token issuer URL */
+	char	   *oauth_discovery_uri;	/* URI of the issuer's discovery document */
+	char	   *oauth_client_id;		/* client identifier */
+	char	   *oauth_client_secret;	/* client secret */
+	char	   *oauth_scope;			/* access token scope */
+	bool		oauth_want_retry;		/* should we retry on failure? */
+
 	/* Optional file to write trace info to */
 	FILE	   *Pfdebug;
 	int			traceFlags;
-- 
2.25.1

From 43ab0310ce8ee26a469167a2e4eae4c4bc295518 Mon Sep 17 00:00:00 2001
From: Jacob Champion <pchampion@vmware.com>
Date: Tue, 4 May 2021 16:21:11 -0700
Subject: [PATCH v3 6/9] backend: add OAUTHBEARER SASL mechanism

DO NOT USE THIS PROOF OF CONCEPT IN PRODUCTION.

Implement OAUTHBEARER (RFC 7628) on the server side. This adds a new
auth method, oauth, to pg_hba.

Because OAuth implementations vary so wildly, and bearer token
validation is heavily dependent on the issuing party, authn/z is done by
communicating with an external program: the oauth_validator_command.
This command must do the following:

1. Receive the bearer token by reading its contents from a file
   descriptor passed from the server. (The numeric value of this
   descriptor may be inserted into the oauth_validator_command using the
   %f specifier.)

   This MUST be the first action the command performs. The server will
   not begin reading stdout from the command until the token has been
   read in full, so if the command tries to print anything and hits a
   buffer limit, the backend will deadlock and time out.

2. Validate the bearer token. The correct way to do this depends on the
   issuer, but it generally involves either cryptographic operations to
   prove that the token was issued by a trusted party, or the
   presentation of the bearer token to some other party so that _it_ can
   perform validation.

   The command MUST maintain confidentiality of the bearer token, since
   in most cases it can be used just like a password. (There are ways to
   cryptographically bind tokens to client certificates, but they are
   way beyond the scope of this commit message.)

   If the token cannot be validated, the command must exit with a
   non-zero status. Further authentication/authorization is pointless if
   the bearer token wasn't issued by someone you trust.

3. Authenticate the user, authorize the user, or both:

   a. To authenticate the user, use the bearer token to retrieve some
      trusted identifier string for the end user. The exact process for
      this is, again, issuer-dependent. The command should print the
      authenticated identity string to stdout, followed by a newline.

      If the user cannot be authenticated, the validator should not
      print anything to stdout. It should also exit with a non-zero
      status, unless the token may be used to authorize the connection
      through some other means (see below).

      On a success, the command may then exit with a zero success code.
      By default, the server will then check to make sure the identity
      string matches the role that is being used (or matches a usermap
      entry, if one is in use).

   b. To optionally authorize the user, in combination with the HBA
      option trust_validator_authz=1 (see below), the validator simply
      returns a zero exit code if the client should be allowed to
      connect with its presented role (which can be passed to the
      command using the %r specifier), or a non-zero code otherwise.

      The hard part is in determining whether the given token truly
      authorizes the client to use the given role, which must
      unfortunately be left as an exercise to the reader.

      This obviously requires some care, as a poorly implemented token
      validator may silently open the entire database to anyone with a
      bearer token. But it may be a more portable approach, since OAuth
      is designed as an authorization framework, not an authentication
      framework. For example, the user's bearer token could carry an
      "allow_superuser_access" claim, which would authorize pseudonymous
      database access as any role. It's then up to the OAuth system
      administrators to ensure that allow_superuser_access is doled out
      only to the proper users.

   c. It's possible that the user can be successfully authenticated but
      isn't authorized to connect. In this case, the command may print
      the authenticated ID and then fail with a non-zero exit code.
      (This makes it easier to see what's going on in the Postgres
      logs.)

4. Token validators may optionally log to stderr. This will be printed
   verbatim into the Postgres server logs.

The oauth method supports the following HBA options (but note that two
of them are not optional, since we have no way of choosing sensible
defaults):

  issuer: Required. The URL of the OAuth issuing party, which the client
          must contact to receive a bearer token.

          Some real-world examples as of time of writing:
          - https://accounts.google.com
          - https://login.microsoft.com/[tenant-id]/v2.0

  scope:  Required. The OAuth scope(s) required for the server to
          authenticate and/or authorize the user. This is heavily
          deployment-specific, but a simple example is "openid email".

  map:    Optional. Specify a standard PostgreSQL user map; this works
          the same as with other auth methods such as peer. If a map is
          not specified, the user ID returned by the token validator
          must exactly match the role that's being requested (but see
          trust_validator_authz, below).

  trust_validator_authz:
          Optional. When set to 1, this allows the token validator to
          take full control of the authorization process. Standard user
          mapping is skipped: if the validator command succeeds, the
          client is allowed to connect under its desired role and no
          further checks are done.

Unlike the client, servers support OAuth without needing to be built
against libiddawc (since the responsibility for "speaking" OAuth/OIDC
correctly is delegated entirely to the oauth_validator_command).

Several TODOs:
- port to platforms other than "modern Linux"
- overhaul the communication with oauth_validator_command, which is
  currently a bad hack on OpenPipeStream()
- implement more sanity checks on the OAUTHBEARER message format and
  tokens sent by the client
- implement more helpful handling of HBA misconfigurations
- properly interpolate JSON when generating error responses
- use logdetail during auth failures
- deal with role names that can't be safely passed to system() without
  shell-escaping
- allow passing the configured issuer to the oauth_validator_command, to
  deal with multi-issuer setups
- ...and more.
---
 src/backend/libpq/Makefile     |   1 +
 src/backend/libpq/auth-oauth.c | 797 +++++++++++++++++++++++++++++++++
 src/backend/libpq/auth-sasl.c  |  10 +-
 src/backend/libpq/auth-scram.c |   4 +-
 src/backend/libpq/auth.c       |   7 +
 src/backend/libpq/hba.c        |  29 +-
 src/backend/utils/misc/guc.c   |  12 +
 src/include/libpq/hba.h        |   8 +-
 src/include/libpq/oauth.h      |  24 +
 src/include/libpq/sasl.h       |  11 +
 10 files changed, 889 insertions(+), 14 deletions(-)
 create mode 100644 src/backend/libpq/auth-oauth.c
 create mode 100644 src/include/libpq/oauth.h

diff --git a/src/backend/libpq/Makefile b/src/backend/libpq/Makefile
index 6d385fd6a4..98eb2a8242 100644
--- a/src/backend/libpq/Makefile
+++ b/src/backend/libpq/Makefile
@@ -15,6 +15,7 @@ include $(top_builddir)/src/Makefile.global
 # be-fsstubs is here for historical reasons, probably belongs elsewhere
 
 OBJS = \
+	auth-oauth.o \
 	auth-sasl.o \
 	auth-scram.o \
 	auth.o \
diff --git a/src/backend/libpq/auth-oauth.c b/src/backend/libpq/auth-oauth.c
new file mode 100644
index 0000000000..c1232a31a0
--- /dev/null
+++ b/src/backend/libpq/auth-oauth.c
@@ -0,0 +1,797 @@
+/*-------------------------------------------------------------------------
+ *
+ * auth-oauth.c
+ *	  Server-side implementation of the SASL OAUTHBEARER mechanism.
+ *
+ * See the following RFC for more details:
+ * - RFC 7628: https://tools.ietf.org/html/rfc7628
+ *
+ * Portions Copyright (c) 1996-2021, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ * src/backend/libpq/auth-oauth.c
+ *
+ *-------------------------------------------------------------------------
+ */
+#include "postgres.h"
+
+#include <unistd.h>
+#include <fcntl.h>
+
+#include "common/oauth-common.h"
+#include "lib/stringinfo.h"
+#include "libpq/auth.h"
+#include "libpq/hba.h"
+#include "libpq/oauth.h"
+#include "libpq/sasl.h"
+#include "storage/fd.h"
+
+/* GUC */
+char *oauth_validator_command;
+
+static void  oauth_get_mechanisms(Port *port, StringInfo buf);
+static void *oauth_init(Port *port, const char *selected_mech, const char *shadow_pass);
+static int   oauth_exchange(void *opaq, const char *input, int inputlen,
+							char **output, int *outputlen, const char **logdetail);
+
+/* Mechanism declaration */
+const pg_be_sasl_mech pg_be_oauth_mech = {
+	oauth_get_mechanisms,
+	oauth_init,
+	oauth_exchange,
+
+	PG_MAX_AUTH_TOKEN_LENGTH,
+};
+
+
+typedef enum
+{
+	OAUTH_STATE_INIT = 0,
+	OAUTH_STATE_ERROR,
+	OAUTH_STATE_FINISHED,
+} oauth_state;
+
+struct oauth_ctx
+{
+	oauth_state	state;
+	Port	   *port;
+	const char *issuer;
+	const char *scope;
+};
+
+static char *sanitize_char(char c);
+static char *parse_kvpairs_for_auth(char **input);
+static void generate_error_response(struct oauth_ctx *ctx, char **output, int *outputlen);
+static bool validate(Port *port, const char *auth, const char **logdetail);
+static bool run_validator_command(Port *port, const char *token);
+static bool check_exit(FILE **fh, const char *command);
+static bool unset_cloexec(int fd);
+static bool username_ok_for_shell(const char *username);
+
+#define KVSEP 0x01
+#define AUTH_KEY "auth"
+#define BEARER_SCHEME "Bearer "
+
+static void
+oauth_get_mechanisms(Port *port, StringInfo buf)
+{
+	/* Only OAUTHBEARER is supported. */
+	appendStringInfoString(buf, OAUTHBEARER_NAME);
+	appendStringInfoChar(buf, '\0');
+}
+
+static void *
+oauth_init(Port *port, const char *selected_mech, const char *shadow_pass)
+{
+	struct oauth_ctx *ctx;
+
+	if (strcmp(selected_mech, OAUTHBEARER_NAME))
+		ereport(ERROR,
+				(errcode(ERRCODE_PROTOCOL_VIOLATION),
+				 errmsg("client selected an invalid SASL authentication mechanism")));
+
+	ctx = palloc0(sizeof(*ctx));
+
+	ctx->state = OAUTH_STATE_INIT;
+	ctx->port = port;
+
+	Assert(port->hba);
+	ctx->issuer = port->hba->oauth_issuer;
+	ctx->scope = port->hba->oauth_scope;
+
+	return ctx;
+}
+
+static int
+oauth_exchange(void *opaq, const char *input, int inputlen,
+			   char **output, int *outputlen, const char **logdetail)
+{
+	char   *p;
+	char	cbind_flag;
+	char   *auth;
+
+	struct oauth_ctx *ctx = opaq;
+
+	*output = NULL;
+	*outputlen = -1;
+
+	/*
+	 * If the client didn't include an "Initial Client Response" in the
+	 * SASLInitialResponse message, send an empty challenge, to which the
+	 * client will respond with the same data that usually comes in the
+	 * Initial Client Response.
+	 */
+	if (input == NULL)
+	{
+		Assert(ctx->state == OAUTH_STATE_INIT);
+
+		*output = pstrdup("");
+		*outputlen = 0;
+		return PG_SASL_EXCHANGE_CONTINUE;
+	}
+
+	/*
+	 * Check that the input length agrees with the string length of the input.
+	 */
+	if (inputlen == 0)
+		ereport(ERROR,
+				(errcode(ERRCODE_PROTOCOL_VIOLATION),
+				 errmsg("malformed OAUTHBEARER message"),
+				 errdetail("The message is empty.")));
+	if (inputlen != strlen(input))
+		ereport(ERROR,
+				(errcode(ERRCODE_PROTOCOL_VIOLATION),
+				 errmsg("malformed OAUTHBEARER message"),
+				 errdetail("Message length does not match input length.")));
+
+	switch (ctx->state)
+	{
+		case OAUTH_STATE_INIT:
+			/* Handle this case below. */
+			break;
+
+		case OAUTH_STATE_ERROR:
+			/*
+			 * Only one response is valid for the client during authentication
+			 * failure: a single kvsep.
+			 */
+			if (inputlen != 1 || *input != KVSEP)
+				ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 errmsg("malformed OAUTHBEARER message"),
+						 errdetail("Client did not send a kvsep response.")));
+
+			/* The (failed) handshake is now complete. */
+			ctx->state = OAUTH_STATE_FINISHED;
+			return PG_SASL_EXCHANGE_FAILURE;
+
+		default:
+			elog(ERROR, "invalid OAUTHBEARER exchange state");
+			return PG_SASL_EXCHANGE_FAILURE;
+	}
+
+	/* Handle the client's initial message. */
+	p = pstrdup(input);
+
+	/*
+	 * OAUTHBEARER does not currently define a channel binding (so there is no
+	 * OAUTHBEARER-PLUS, and we do not accept a 'p' specifier). We accept a 'y'
+	 * specifier purely for the remote chance that a future specification could
+	 * define one; then future clients can still interoperate with this server
+	 * implementation. 'n' is the expected case.
+	 */
+	cbind_flag = *p;
+	switch (cbind_flag)
+	{
+		case 'p':
+			ereport(ERROR,
+					(errcode(ERRCODE_PROTOCOL_VIOLATION),
+					 errmsg("malformed OAUTHBEARER message"),
+					 errdetail("The server does not support channel binding for OAuth, but the client message includes channel binding data.")));
+			break;
+
+		case 'y': /* fall through */
+		case 'n':
+			p++;
+			if (*p != ',')
+				ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 errmsg("malformed OAUTHBEARER message"),
+						 errdetail("Comma expected, but found character %s.",
+								   sanitize_char(*p))));
+			p++;
+			break;
+
+		default:
+			ereport(ERROR,
+					(errcode(ERRCODE_PROTOCOL_VIOLATION),
+					 errmsg("malformed OAUTHBEARER message"),
+					 errdetail("Unexpected channel-binding flag %s.",
+							   sanitize_char(cbind_flag))));
+	}
+
+	/*
+	 * Forbid optional authzid (authorization identity).  We don't support it.
+	 */
+	if (*p == 'a')
+		ereport(ERROR,
+				(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
+				 errmsg("client uses authorization identity, but it is not supported")));
+	if (*p != ',')
+		ereport(ERROR,
+				(errcode(ERRCODE_PROTOCOL_VIOLATION),
+				 errmsg("malformed OAUTHBEARER message"),
+				 errdetail("Unexpected attribute %s in client-first-message.",
+						   sanitize_char(*p))));
+	p++;
+
+	/* All remaining fields are separated by the RFC's kvsep (\x01). */
+	if (*p != KVSEP)
+		ereport(ERROR,
+				(errcode(ERRCODE_PROTOCOL_VIOLATION),
+				 errmsg("malformed OAUTHBEARER message"),
+				 errdetail("Key-value separator expected, but found character %s.",
+						   sanitize_char(*p))));
+	p++;
+
+	auth = parse_kvpairs_for_auth(&p);
+	if (!auth)
+		ereport(ERROR,
+				(errcode(ERRCODE_PROTOCOL_VIOLATION),
+				 errmsg("malformed OAUTHBEARER message"),
+				 errdetail("Message does not contain an auth value.")));
+
+	/* We should be at the end of our message. */
+	if (*p)
+		ereport(ERROR,
+				(errcode(ERRCODE_PROTOCOL_VIOLATION),
+				 errmsg("malformed OAUTHBEARER message"),
+				 errdetail("Message contains additional data after the final terminator.")));
+
+	if (!validate(ctx->port, auth, logdetail))
+	{
+		generate_error_response(ctx, output, outputlen);
+
+		ctx->state = OAUTH_STATE_ERROR;
+		return PG_SASL_EXCHANGE_CONTINUE;
+	}
+
+	ctx->state = OAUTH_STATE_FINISHED;
+	return PG_SASL_EXCHANGE_SUCCESS;
+}
+
+/*
+ * Convert an arbitrary byte to printable form.  For error messages.
+ *
+ * If it's a printable ASCII character, print it as a single character.
+ * otherwise, print it in hex.
+ *
+ * The returned pointer points to a static buffer.
+ */
+static char *
+sanitize_char(char c)
+{
+	static char buf[5];
+
+	if (c >= 0x21 && c <= 0x7E)
+		snprintf(buf, sizeof(buf), "'%c'", c);
+	else
+		snprintf(buf, sizeof(buf), "0x%02x", (unsigned char) c);
+	return buf;
+}
+
+/*
+ * Consumes all kvpairs in an OAUTHBEARER exchange message. If the "auth" key is
+ * found, its value is returned.
+ */
+static char *
+parse_kvpairs_for_auth(char **input)
+{
+	char   *pos = *input;
+	char   *auth = NULL;
+
+	/*
+	 * The relevant ABNF, from Sec. 3.1:
+	 *
+	 *     kvsep          = %x01
+	 *     key            = 1*(ALPHA)
+	 *     value          = *(VCHAR / SP / HTAB / CR / LF )
+	 *     kvpair         = key "=" value kvsep
+	 *   ;;gs2-header     = See RFC 5801
+	 *     client-resp    = (gs2-header kvsep *kvpair kvsep) / kvsep
+	 *
+	 * By the time we reach this code, the gs2-header and initial kvsep have
+	 * already been validated. We start at the beginning of the first kvpair.
+	 */
+
+	while (*pos)
+	{
+		char   *end;
+		char   *sep;
+		char   *key;
+		char   *value;
+
+		/*
+		 * Find the end of this kvpair. Note that input is null-terminated by
+		 * the SASL code, so the strchr() is bounded.
+		 */
+		end = strchr(pos, KVSEP);
+		if (!end)
+			ereport(ERROR,
+					(errcode(ERRCODE_PROTOCOL_VIOLATION),
+					 errmsg("malformed OAUTHBEARER message"),
+					 errdetail("Message contains an unterminated key/value pair.")));
+		*end = '\0';
+
+		if (pos == end)
+		{
+			/* Empty kvpair, signifying the end of the list. */
+			*input = pos + 1;
+			return auth;
+		}
+
+		/*
+		 * Find the end of the key name.
+		 *
+		 * TODO further validate the key/value grammar? empty keys, bad chars...
+		 */
+		sep = strchr(pos, '=');
+		if (!sep)
+			ereport(ERROR,
+					(errcode(ERRCODE_PROTOCOL_VIOLATION),
+					 errmsg("malformed OAUTHBEARER message"),
+					 errdetail("Message contains a key without a value.")));
+		*sep = '\0';
+
+		/* Both key and value are now safely terminated. */
+		key = pos;
+		value = sep + 1;
+
+		if (!strcmp(key, AUTH_KEY))
+		{
+			if (auth)
+				ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 errmsg("malformed OAUTHBEARER message"),
+						 errdetail("Message contains multiple auth values.")));
+
+			auth = value;
+		}
+		else
+		{
+			/*
+			 * The RFC also defines the host and port keys, but they are not
+			 * required for OAUTHBEARER and we do not use them. Also, per
+			 * Sec. 3.1, any key/value pairs we don't recognize must be ignored.
+			 */
+		}
+
+		/* Move to the next pair. */
+		pos = end + 1;
+	}
+
+	ereport(ERROR,
+			(errcode(ERRCODE_PROTOCOL_VIOLATION),
+			 errmsg("malformed OAUTHBEARER message"),
+			 errdetail("Message did not contain a final terminator.")));
+
+	return NULL; /* unreachable */
+}
+
+static void
+generate_error_response(struct oauth_ctx *ctx, char **output, int *outputlen)
+{
+	StringInfoData	buf;
+
+	/*
+	 * The admin needs to set an issuer and scope for OAuth to work. There's not
+	 * really a way to hide this from the user, either, because we can't choose
+	 * a "default" issuer, so be honest in the failure message.
+	 *
+	 * TODO: see if there's a better place to fail, earlier than this.
+	 */
+	if (!ctx->issuer || !ctx->scope)
+		ereport(FATAL,
+				(errcode(ERRCODE_INTERNAL_ERROR),
+				 errmsg("OAuth is not properly configured for this user"),
+				 errdetail_log("The issuer and scope parameters must be set in pg_hba.conf.")));
+
+
+	initStringInfo(&buf);
+
+	/*
+	 * TODO: JSON escaping
+	 */
+	appendStringInfo(&buf,
+		"{ "
+			"\"status\": \"invalid_token\", "
+			"\"openid-configuration\": \"%s/.well-known/openid-configuration\","
+			"\"scope\": \"%s\" "
+		"}",
+		ctx->issuer, ctx->scope);
+
+	*output = buf.data;
+	*outputlen = buf.len;
+}
+
+static bool
+validate(Port *port, const char *auth, const char **logdetail)
+{
+	static const char * const b64_set = "abcdefghijklmnopqrstuvwxyz"
+										"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+										"0123456789-._~+/";
+
+	const char *token;
+	size_t		span;
+	int			ret;
+
+	/* TODO: handle logdetail when the test framework can check it */
+
+	/*
+	 * Only Bearer tokens are accepted. The ABNF is defined in RFC 6750, Sec.
+	 * 2.1:
+	 *
+	 *      b64token    = 1*( ALPHA / DIGIT /
+	 *                        "-" / "." / "_" / "~" / "+" / "/" ) *"="
+	 *      credentials = "Bearer" 1*SP b64token
+	 *
+	 * The "credentials" construction is what we receive in our auth value.
+	 *
+	 * Since that spec is subordinate to HTTP (i.e. the HTTP Authorization
+	 * header format; RFC 7235 Sec. 2), the "Bearer" scheme string must be
+	 * compared case-insensitively. (This is not mentioned in RFC 6750, but it's
+	 * pointed out in RFC 7628 Sec. 4.)
+	 *
+	 * TODO: handle the Authorization spec, RFC 7235 Sec. 2.1.
+	 */
+	if (strncasecmp(auth, BEARER_SCHEME, strlen(BEARER_SCHEME)))
+		return false;
+
+	/* Pull the bearer token out of the auth value. */
+	token = auth + strlen(BEARER_SCHEME);
+
+	/* Swallow any additional spaces. */
+	while (*token == ' ')
+		token++;
+
+	/*
+	 * Before invoking the validator command, sanity-check the token format to
+	 * avoid any injection attacks later in the chain. Invalid formats are
+	 * technically a protocol violation, but don't reflect any information about
+	 * the sensitive Bearer token back to the client; log at COMMERROR instead.
+	 */
+
+	/* Tokens must not be empty. */
+	if (!*token)
+	{
+		ereport(COMMERROR,
+				(errcode(ERRCODE_PROTOCOL_VIOLATION),
+				 errmsg("malformed OAUTHBEARER message"),
+				 errdetail("Bearer token is empty.")));
+		return false;
+	}
+
+	/*
+	 * Make sure the token contains only allowed characters. Tokens may end with
+	 * any number of '=' characters.
+	 */
+	span = strspn(token, b64_set);
+	while (token[span] == '=')
+		span++;
+
+	if (token[span] != '\0')
+	{
+		/*
+		 * This error message could be more helpful by printing the problematic
+		 * character(s), but that'd be a bit like printing a piece of someone's
+		 * password into the logs.
+		 */
+		ereport(COMMERROR,
+				(errcode(ERRCODE_PROTOCOL_VIOLATION),
+				 errmsg("malformed OAUTHBEARER message"),
+				 errdetail("Bearer token is not in the correct format.")));
+		return false;
+	}
+
+	/* Have the validator check the token. */
+	if (!run_validator_command(port, token))
+		return false;
+
+	if (port->hba->oauth_skip_usermap)
+	{
+		/*
+		 * If the validator is our authorization authority, we're done.
+		 * Authentication may or may not have been performed depending on the
+		 * validator implementation; all that matters is that the validator says
+		 * the user can log in with the target role.
+		 */
+		return true;
+	}
+
+	/* Make sure the validator authenticated the user. */
+	if (!port->authn_id)
+	{
+		/* TODO: use logdetail; reduce message duplication */
+		ereport(LOG,
+				(errmsg("OAuth bearer authentication failed for user \"%s\": validator provided no identity",
+						port->user_name)));
+		return false;
+	}
+
+	/* Finally, check the user map. */
+	ret = check_usermap(port->hba->usermap, port->user_name, port->authn_id,
+						false);
+	return (ret == STATUS_OK);
+}
+
+static bool
+run_validator_command(Port *port, const char *token)
+{
+	bool		success = false;
+	int			rc;
+	int			pipefd[2];
+	int			rfd = -1;
+	int			wfd = -1;
+
+	StringInfoData command = { 0 };
+	char	   *p;
+	FILE	   *fh = NULL;
+
+	ssize_t		written;
+	char	   *line = NULL;
+	size_t		size = 0;
+	ssize_t		len;
+
+	Assert(oauth_validator_command);
+
+	if (!oauth_validator_command[0])
+	{
+		ereport(COMMERROR,
+				(errmsg("oauth_validator_command is not set"),
+				 errhint("To allow OAuth authenticated connections, set "
+						 "oauth_validator_command in postgresql.conf.")));
+		return false;
+	}
+
+	/*
+	 * Since popen() is unidirectional, open up a pipe for the other direction.
+	 * Use CLOEXEC to ensure that our write end doesn't accidentally get copied
+	 * into child processes, which would prevent us from closing it cleanly.
+	 *
+	 * XXX this is ugly. We should just read from the child process's stdout,
+	 * but that's a lot more code.
+	 * XXX by bypassing the popen API, we open the potential of process
+	 * deadlock. Clearly document child process requirements (i.e. the child
+	 * MUST read all data off of the pipe before writing anything).
+	 * TODO: port to Windows using _pipe().
+	 */
+	rc = pipe2(pipefd, O_CLOEXEC);
+	if (rc < 0)
+	{
+		ereport(COMMERROR,
+				(errcode_for_file_access(),
+				 errmsg("could not create child pipe: %m")));
+		return false;
+	}
+
+	rfd = pipefd[0];
+	wfd = pipefd[1];
+
+	/* Allow the read pipe be passed to the child. */
+	if (!unset_cloexec(rfd))
+	{
+		/* error message was already logged */
+		goto cleanup;
+	}
+
+	/*
+	 * Construct the command, substituting any recognized %-specifiers:
+	 *
+	 *   %f: the file descriptor of the input pipe
+	 *   %r: the role that the client wants to assume (port->user_name)
+	 *   %%: a literal '%'
+	 */
+	initStringInfo(&command);
+
+	for (p = oauth_validator_command; *p; p++)
+	{
+		if (p[0] == '%')
+		{
+			switch (p[1])
+			{
+				case 'f':
+					appendStringInfo(&command, "%d", rfd);
+					p++;
+					break;
+				case 'r':
+					/*
+					 * TODO: decide how this string should be escaped. The role
+					 * is controlled by the client, so if we don't escape it,
+					 * command injections are inevitable.
+					 *
+					 * This is probably an indication that the role name needs
+					 * to be communicated to the validator process in some other
+					 * way. For this proof of concept, just be incredibly strict
+					 * about the characters that are allowed in user names.
+					 */
+					if (!username_ok_for_shell(port->user_name))
+						goto cleanup;
+
+					appendStringInfoString(&command, port->user_name);
+					p++;
+					break;
+				case '%':
+					appendStringInfoChar(&command, '%');
+					p++;
+					break;
+				default:
+					appendStringInfoChar(&command, p[0]);
+			}
+		}
+		else
+			appendStringInfoChar(&command, p[0]);
+	}
+
+	/* Execute the command. */
+	fh = OpenPipeStream(command.data, "re");
+	/* TODO: handle failures */
+
+	/* We don't need the read end of the pipe anymore. */
+	close(rfd);
+	rfd = -1;
+
+	/* Give the command the token to validate. */
+	written = write(wfd, token, strlen(token));
+	if (written != strlen(token))
+	{
+		/* TODO must loop for short writes, EINTR et al */
+		ereport(COMMERROR,
+				(errcode_for_file_access(),
+				 errmsg("could not write token to child pipe: %m")));
+		goto cleanup;
+	}
+
+	close(wfd);
+	wfd = -1;
+
+	/*
+	 * Read the command's response.
+	 *
+	 * TODO: getline() is probably too new to use, unfortunately.
+	 * TODO: loop over all lines
+	 */
+	if ((len = getline(&line, &size, fh)) >= 0)
+	{
+		/* TODO: fail if the authn_id doesn't end with a newline */
+		if (len > 0)
+			line[len - 1] = '\0';
+
+		set_authn_id(port, line);
+	}
+	else if (ferror(fh))
+	{
+		ereport(COMMERROR,
+				(errcode_for_file_access(),
+				 errmsg("could not read from command \"%s\": %m",
+						command.data)));
+		goto cleanup;
+	}
+
+	/* Make sure the command exits cleanly. */
+	if (!check_exit(&fh, command.data))
+	{
+		/* error message already logged */
+		goto cleanup;
+	}
+
+	/* Done. */
+	success = true;
+
+cleanup:
+	if (line)
+		free(line);
+
+	/*
+	 * In the successful case, the pipe fds are already closed. For the error
+	 * case, always close out the pipe before waiting for the command, to
+	 * prevent deadlock.
+	 */
+	if (rfd >= 0)
+		close(rfd);
+	if (wfd >= 0)
+		close(wfd);
+
+	if (fh)
+	{
+		Assert(!success);
+		check_exit(&fh, command.data);
+	}
+
+	if (command.data)
+		pfree(command.data);
+
+	return success;
+}
+
+static bool
+check_exit(FILE **fh, const char *command)
+{
+	int rc;
+
+	rc = ClosePipeStream(*fh);
+	*fh = NULL;
+
+	if (rc == -1)
+	{
+		/* pclose() itself failed. */
+		ereport(COMMERROR,
+				(errcode_for_file_access(),
+				 errmsg("could not close pipe to command \"%s\": %m",
+						command)));
+	}
+	else if (rc != 0)
+	{
+		char *reason = wait_result_to_str(rc);
+
+		ereport(COMMERROR,
+				(errmsg("failed to execute command \"%s\": %s",
+						command, reason)));
+
+		pfree(reason);
+	}
+
+	return (rc == 0);
+}
+
+static bool
+unset_cloexec(int fd)
+{
+	int			flags;
+	int			rc;
+
+	flags = fcntl(fd, F_GETFD);
+	if (flags == -1)
+	{
+		ereport(COMMERROR,
+				(errcode_for_file_access(),
+				 errmsg("could not get fd flags for child pipe: %m")));
+		return false;
+	}
+
+	rc = fcntl(fd, F_SETFD, flags & ~FD_CLOEXEC);
+	if (rc < 0)
+	{
+		ereport(COMMERROR,
+				(errcode_for_file_access(),
+				 errmsg("could not unset FD_CLOEXEC for child pipe: %m")));
+		return false;
+	}
+
+	return true;
+}
+
+/*
+ * XXX This should go away eventually and be replaced with either a proper
+ * escape or a different strategy for communication with the validator command.
+ */
+static bool
+username_ok_for_shell(const char *username)
+{
+	/* This set is borrowed from fe_utils' appendShellStringNoError(). */
+	static const char * const allowed = "abcdefghijklmnopqrstuvwxyz"
+										"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+										"0123456789-_./:";
+	size_t	span;
+
+	Assert(username && username[0]); /* should have already been checked */
+
+	span = strspn(username, allowed);
+	if (username[span] != '\0')
+	{
+		ereport(COMMERROR,
+				(errmsg("PostgreSQL user name contains unsafe characters and cannot be passed to the OAuth validator")));
+		return false;
+	}
+
+	return true;
+}
diff --git a/src/backend/libpq/auth-sasl.c b/src/backend/libpq/auth-sasl.c
index a1d7dbb6d5..0f461a6696 100644
--- a/src/backend/libpq/auth-sasl.c
+++ b/src/backend/libpq/auth-sasl.c
@@ -20,14 +20,6 @@
 #include "libpq/pqformat.h"
 #include "libpq/sasl.h"
 
-/*
- * Maximum accepted size of SASL messages.
- *
- * The messages that the server or libpq generate are much smaller than this,
- * but have some headroom.
- */
-#define PG_MAX_SASL_MESSAGE_LENGTH	1024
-
 /*
  * Perform a SASL exchange with a libpq client, using a specific mechanism
  * implementation.
@@ -103,7 +95,7 @@ CheckSASLAuth(const pg_be_sasl_mech *mech, Port *port, char *shadow_pass,
 
 		/* Get the actual SASL message */
 		initStringInfo(&buf);
-		if (pq_getmessage(&buf, PG_MAX_SASL_MESSAGE_LENGTH))
+		if (pq_getmessage(&buf, mech->max_message_length))
 		{
 			/* EOF - pq_getmessage already logged error */
 			pfree(buf.data);
diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index ee7f52218a..4049ace470 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -118,7 +118,9 @@ static int	scram_exchange(void *opaq, const char *input, int inputlen,
 const pg_be_sasl_mech pg_be_scram_mech = {
 	scram_get_mechanisms,
 	scram_init,
-	scram_exchange
+	scram_exchange,
+
+	PG_MAX_SASL_MESSAGE_LENGTH
 };
 
 /*
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 3533b0bc50..5c30904e2b 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -30,6 +30,7 @@
 #include "libpq/auth.h"
 #include "libpq/crypt.h"
 #include "libpq/libpq.h"
+#include "libpq/oauth.h"
 #include "libpq/pqformat.h"
 #include "libpq/sasl.h"
 #include "libpq/scram.h"
@@ -302,6 +303,9 @@ auth_failed(Port *port, int status, const char *logdetail)
 		case uaRADIUS:
 			errstr = gettext_noop("RADIUS authentication failed for user \"%s\"");
 			break;
+		case uaOAuth:
+			errstr = gettext_noop("OAuth bearer authentication failed for user \"%s\"");
+			break;
 		case uaCustom:
 			if (CustomAuthenticationError_hook)
 				errstr = CustomAuthenticationError_hook(port);
@@ -627,6 +631,9 @@ ClientAuthentication(Port *port)
 		case uaTrust:
 			status = STATUS_OK;
 			break;
+		case uaOAuth:
+			status = CheckSASLAuth(&pg_be_oauth_mech, port, NULL, NULL);
+			break;
 		case uaCustom:
 			if (CustomAuthenticationCheck_hook)
 				status = CustomAuthenticationCheck_hook(port);
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index ebae992964..f7f3059927 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -135,7 +135,8 @@ static const char *const UserAuthName[] =
 	"cert",
 	"radius",
 	"custom",
-	"peer"
+	"peer",
+	"oauth",
 };
 
 
@@ -1400,6 +1401,8 @@ parse_hba_line(TokenizedLine *tok_line, int elevel)
 #endif
 	else if (strcmp(token->string, "radius") == 0)
 		parsedline->auth_method = uaRADIUS;
+	else if (strcmp(token->string, "oauth") == 0)
+		parsedline->auth_method = uaOAuth;
 	else if (strcmp(token->string, "custom") == 0)
 		parsedline->auth_method = uaCustom;
 	else
@@ -1728,8 +1731,9 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
 			hbaline->auth_method != uaPeer &&
 			hbaline->auth_method != uaGSS &&
 			hbaline->auth_method != uaSSPI &&
+			hbaline->auth_method != uaOAuth &&
 			hbaline->auth_method != uaCert)
-			INVALID_AUTH_OPTION("map", gettext_noop("ident, peer, gssapi, sspi, and cert"));
+			INVALID_AUTH_OPTION("map", gettext_noop("ident, peer, gssapi, sspi, oauth, and cert"));
 		hbaline->usermap = pstrdup(val);
 	}
 	else if (strcmp(name, "clientcert") == 0)
@@ -2113,6 +2117,27 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
 		hbaline->radiusidentifiers = parsed_identifiers;
 		hbaline->radiusidentifiers_s = pstrdup(val);
 	}
+	else if (strcmp(name, "issuer") == 0)
+	{
+		if (hbaline->auth_method != uaOAuth)
+			INVALID_AUTH_OPTION("issuer", gettext_noop("oauth"));
+		hbaline->oauth_issuer = pstrdup(val);
+	}
+	else if (strcmp(name, "scope") == 0)
+	{
+		if (hbaline->auth_method != uaOAuth)
+			INVALID_AUTH_OPTION("scope", gettext_noop("oauth"));
+		hbaline->oauth_scope = pstrdup(val);
+	}
+	else if (strcmp(name, "trust_validator_authz") == 0)
+	{
+		if (hbaline->auth_method != uaOAuth)
+			INVALID_AUTH_OPTION("trust_validator_authz", gettext_noop("oauth"));
+		if (strcmp(val, "1") == 0)
+			hbaline->oauth_skip_usermap = true;
+		else
+			hbaline->oauth_skip_usermap = false;
+	}
 	else if (strcmp(name, "provider") == 0)
 	{
 		REQUIRE_AUTH_OPTION(uaCustom, "provider", "custom");
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index 1e3650184b..791c7c83df 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -58,6 +58,7 @@
 #include "libpq/auth.h"
 #include "libpq/libpq.h"
 #include "libpq/pqformat.h"
+#include "libpq/oauth.h"
 #include "miscadmin.h"
 #include "optimizer/cost.h"
 #include "optimizer/geqo.h"
@@ -4662,6 +4663,17 @@ static struct config_string ConfigureNamesString[] =
 		check_backtrace_functions, assign_backtrace_functions, NULL
 	},
 
+	{
+		{"oauth_validator_command", PGC_SIGHUP, CONN_AUTH_AUTH,
+			gettext_noop("Command to validate OAuth v2 bearer tokens."),
+			NULL,
+			GUC_SUPERUSER_ONLY
+		},
+		&oauth_validator_command,
+		"",
+		NULL, NULL, NULL
+	},
+
 	/* End-of-list marker */
 	{
 		{NULL, 0, 0, NULL, NULL}, NULL, NULL, NULL, NULL, NULL
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index c5aef6994c..d46c2108eb 100644
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -39,8 +39,9 @@ typedef enum UserAuth
 	uaCert,
 	uaRADIUS,
 	uaCustom,
-	uaPeer
-#define USER_AUTH_LAST uaPeer	/* Must be last value of this enum */
+	uaPeer,
+	uaOAuth
+#define USER_AUTH_LAST uaOAuth	/* Must be last value of this enum */
 } UserAuth;
 
 /*
@@ -121,6 +122,9 @@ typedef struct HbaLine
 	char	   *radiusidentifiers_s;
 	List	   *radiusports;
 	char	   *radiusports_s;
+	char	   *oauth_issuer;
+	char	   *oauth_scope;
+	bool		oauth_skip_usermap;
 	char	   *custom_provider;
 } HbaLine;
 
diff --git a/src/include/libpq/oauth.h b/src/include/libpq/oauth.h
new file mode 100644
index 0000000000..870e426af1
--- /dev/null
+++ b/src/include/libpq/oauth.h
@@ -0,0 +1,24 @@
+/*-------------------------------------------------------------------------
+ *
+ * oauth.h
+ *	  Interface to libpq/auth-oauth.c
+ *
+ * Portions Copyright (c) 1996-2021, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ * src/include/libpq/oauth.h
+ *
+ *-------------------------------------------------------------------------
+ */
+#ifndef PG_OAUTH_H
+#define PG_OAUTH_H
+
+#include "libpq/libpq-be.h"
+#include "libpq/sasl.h"
+
+extern char *oauth_validator_command;
+
+/* Implementation */
+extern const pg_be_sasl_mech pg_be_oauth_mech;
+
+#endif /* PG_OAUTH_H */
diff --git a/src/include/libpq/sasl.h b/src/include/libpq/sasl.h
index 71cc0dc251..3d481cc807 100644
--- a/src/include/libpq/sasl.h
+++ b/src/include/libpq/sasl.h
@@ -26,6 +26,14 @@
 #define PG_SASL_EXCHANGE_SUCCESS		1
 #define PG_SASL_EXCHANGE_FAILURE		2
 
+/*
+ * Maximum accepted size of SASL messages.
+ *
+ * The messages that the server or libpq generate are much smaller than this,
+ * but have some headroom.
+ */
+#define PG_MAX_SASL_MESSAGE_LENGTH	1024
+
 /*
  * Backend SASL mechanism callbacks.
  *
@@ -127,6 +135,9 @@ typedef struct pg_be_sasl_mech
 							 const char *input, int inputlen,
 							 char **output, int *outputlen,
 							 const char **logdetail);
+
+	/* The maximum size allowed for client SASLResponses. */
+	int			max_message_length;
 } pg_be_sasl_mech;
 
 /* Common implementation for auth.c */
-- 
2.25.1

From 667fbd709f67232155cbaa3e09d1a4b4c02eeb22 Mon Sep 17 00:00:00 2001
From: Jacob Champion <pchampion@vmware.com>
Date: Tue, 18 May 2021 15:01:29 -0700
Subject: [PATCH v3 7/9] Add a very simple authn_id extension

...for retrieving the authn_id from the server in tests.
---
 contrib/authn_id/Makefile          | 19 +++++++++++++++++++
 contrib/authn_id/authn_id--1.0.sql |  8 ++++++++
 contrib/authn_id/authn_id.c        | 28 ++++++++++++++++++++++++++++
 contrib/authn_id/authn_id.control  |  5 +++++
 4 files changed, 60 insertions(+)
 create mode 100644 contrib/authn_id/Makefile
 create mode 100644 contrib/authn_id/authn_id--1.0.sql
 create mode 100644 contrib/authn_id/authn_id.c
 create mode 100644 contrib/authn_id/authn_id.control

diff --git a/contrib/authn_id/Makefile b/contrib/authn_id/Makefile
new file mode 100644
index 0000000000..46026358e0
--- /dev/null
+++ b/contrib/authn_id/Makefile
@@ -0,0 +1,19 @@
+# contrib/authn_id/Makefile
+
+MODULE_big = authn_id
+OBJS = authn_id.o
+
+EXTENSION = authn_id
+DATA = authn_id--1.0.sql
+PGFILEDESC = "authn_id - information about the authenticated user"
+
+ifdef USE_PGXS
+PG_CONFIG = pg_config
+PGXS := $(shell $(PG_CONFIG) --pgxs)
+include $(PGXS)
+else
+subdir = contrib/authn_id
+top_builddir = ../..
+include $(top_builddir)/src/Makefile.global
+include $(top_srcdir)/contrib/contrib-global.mk
+endif
diff --git a/contrib/authn_id/authn_id--1.0.sql b/contrib/authn_id/authn_id--1.0.sql
new file mode 100644
index 0000000000..af2a4d3991
--- /dev/null
+++ b/contrib/authn_id/authn_id--1.0.sql
@@ -0,0 +1,8 @@
+/* contrib/authn_id/authn_id--1.0.sql */
+
+-- complain if script is sourced in psql, rather than via CREATE EXTENSION
+\echo Use "CREATE EXTENSION authn_id" to load this file. \quit
+
+CREATE FUNCTION authn_id() RETURNS text
+AS 'MODULE_PATHNAME', 'authn_id'
+LANGUAGE C IMMUTABLE;
diff --git a/contrib/authn_id/authn_id.c b/contrib/authn_id/authn_id.c
new file mode 100644
index 0000000000..0fecac36a8
--- /dev/null
+++ b/contrib/authn_id/authn_id.c
@@ -0,0 +1,28 @@
+/*
+ * Extension to expose the current user's authn_id.
+ *
+ * contrib/authn_id/authn_id.c
+ */
+
+#include "postgres.h"
+
+#include "fmgr.h"
+#include "libpq/libpq-be.h"
+#include "miscadmin.h"
+#include "utils/builtins.h"
+
+PG_MODULE_MAGIC;
+
+PG_FUNCTION_INFO_V1(authn_id);
+
+/*
+ * Returns the current user's authenticated identity.
+ */
+Datum
+authn_id(PG_FUNCTION_ARGS)
+{
+	if (!MyProcPort->authn_id)
+		PG_RETURN_NULL();
+
+	PG_RETURN_TEXT_P(cstring_to_text(MyProcPort->authn_id));
+}
diff --git a/contrib/authn_id/authn_id.control b/contrib/authn_id/authn_id.control
new file mode 100644
index 0000000000..e0f9e06bed
--- /dev/null
+++ b/contrib/authn_id/authn_id.control
@@ -0,0 +1,5 @@
+# authn_id extension
+comment = 'current user identity'
+default_version = '1.0'
+module_pathname = '$libdir/authn_id'
+relocatable = true
-- 
2.25.1

From 1c24881d4b1e8777ce176d2c276fe8120bd6e648 Mon Sep 17 00:00:00 2001
From: Jacob Champion <pchampion@vmware.com>
Date: Fri, 4 Jun 2021 09:06:38 -0700
Subject: [PATCH v3 8/9] Add pytest suite for OAuth

Requires Python 3; on the first run of `make installcheck` the
dependencies will be installed into ./venv for you. See the README for
more details.
---
 src/test/python/.gitignore                 |    2 +
 src/test/python/Makefile                   |   38 +
 src/test/python/README                     |   54 ++
 src/test/python/client/__init__.py         |    0
 src/test/python/client/conftest.py         |  126 +++
 src/test/python/client/test_client.py      |  180 ++++
 src/test/python/client/test_oauth.py       |  936 ++++++++++++++++++
 src/test/python/pq3.py                     |  727 ++++++++++++++
 src/test/python/pytest.ini                 |    4 +
 src/test/python/requirements.txt           |    7 +
 src/test/python/server/__init__.py         |    0
 src/test/python/server/conftest.py         |   45 +
 src/test/python/server/test_oauth.py       | 1012 ++++++++++++++++++++
 src/test/python/server/test_server.py      |   21 +
 src/test/python/server/validate_bearer.py  |  101 ++
 src/test/python/server/validate_reflect.py |   34 +
 src/test/python/test_internals.py          |  138 +++
 src/test/python/test_pq3.py                |  558 +++++++++++
 src/test/python/tls.py                     |  195 ++++
 19 files changed, 4178 insertions(+)
 create mode 100644 src/test/python/.gitignore
 create mode 100644 src/test/python/Makefile
 create mode 100644 src/test/python/README
 create mode 100644 src/test/python/client/__init__.py
 create mode 100644 src/test/python/client/conftest.py
 create mode 100644 src/test/python/client/test_client.py
 create mode 100644 src/test/python/client/test_oauth.py
 create mode 100644 src/test/python/pq3.py
 create mode 100644 src/test/python/pytest.ini
 create mode 100644 src/test/python/requirements.txt
 create mode 100644 src/test/python/server/__init__.py
 create mode 100644 src/test/python/server/conftest.py
 create mode 100644 src/test/python/server/test_oauth.py
 create mode 100644 src/test/python/server/test_server.py
 create mode 100755 src/test/python/server/validate_bearer.py
 create mode 100755 src/test/python/server/validate_reflect.py
 create mode 100644 src/test/python/test_internals.py
 create mode 100644 src/test/python/test_pq3.py
 create mode 100644 src/test/python/tls.py

diff --git a/src/test/python/.gitignore b/src/test/python/.gitignore
new file mode 100644
index 0000000000..0e8f027b2e
--- /dev/null
+++ b/src/test/python/.gitignore
@@ -0,0 +1,2 @@
+__pycache__/
+/venv/
diff --git a/src/test/python/Makefile b/src/test/python/Makefile
new file mode 100644
index 0000000000..b0695b6287
--- /dev/null
+++ b/src/test/python/Makefile
@@ -0,0 +1,38 @@
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+
+# Only Python 3 is supported, but if it's named something different on your
+# system you can override it with the PYTHON3 variable.
+PYTHON3 := python3
+
+# All dependencies are placed into this directory. The default is .gitignored
+# for you, but you can override it if you'd like.
+VENV := ./venv
+
+override VBIN   := $(VENV)/bin
+override PIP    := $(VBIN)/pip
+override PYTEST := $(VBIN)/py.test
+override ISORT  := $(VBIN)/isort
+override BLACK  := $(VBIN)/black
+
+.PHONY: installcheck indent
+
+installcheck: $(PYTEST)
+	$(PYTEST) -v -rs
+
+indent: $(ISORT) $(BLACK)
+	$(ISORT) --profile black *.py client/*.py server/*.py
+	$(BLACK) *.py client/*.py server/*.py
+
+$(PYTEST) $(ISORT) $(BLACK) &: requirements.txt | $(PIP)
+	$(PIP) install --force-reinstall -r $<
+
+$(PIP):
+	$(PYTHON3) -m venv $(VENV)
+
+# A convenience recipe to rebuild psycopg2 against the local libpq.
+.PHONY: rebuild-psycopg2
+rebuild-psycopg2: | $(PIP)
+	$(PIP) install --force-reinstall --no-binary :all: $(shell grep psycopg2 requirements.txt)
diff --git a/src/test/python/README b/src/test/python/README
new file mode 100644
index 0000000000..0bda582c4b
--- /dev/null
+++ b/src/test/python/README
@@ -0,0 +1,54 @@
+A test suite for exercising both the libpq client and the server backend at the
+protocol level, based on pytest and Construct.
+
+The test suite currently assumes that the standard PG* environment variables
+point to the database under test and are sufficient to log in a superuser on
+that system. In other words, a bare `psql` needs to Just Work before the test
+suite can do its thing. For a newly built dev cluster, typically all that I need
+to do is a
+
+    export PGDATABASE=postgres
+
+but you can adjust as needed for your setup.
+
+## Requirements
+
+A supported version (3.6+) of Python.
+
+The first run of
+
+    make installcheck
+
+will install a local virtual environment and all needed dependencies. During
+development, if libpq changes incompatibly, you can issue
+
+    $ make rebuild-psycopg2
+
+to force a rebuild of the client library.
+
+## Hacking
+
+The code style is enforced by a _very_ opinionated autoformatter. Running the
+
+    make indent
+
+recipe will invoke it for you automatically. Don't fight the tool; part of the
+zen is in knowing that if the formatter makes your code ugly, there's probably a
+cleaner way to write your code.
+
+## Advanced Usage
+
+The Makefile is there for convenience, but you don't have to use it. Activate
+the virtualenv to be able to use pytest directly:
+
+    $ source venv/bin/activate
+    $ py.test -k oauth
+    ...
+    $ py.test ./server/test_server.py
+    ...
+    $ deactivate  # puts the PATH et al back the way it was before
+
+To make quick smoke tests possible, slow tests have been marked explicitly. You
+can skip them by saying e.g.
+
+    $ py.test -m 'not slow'
diff --git a/src/test/python/client/__init__.py b/src/test/python/client/__init__.py
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/test/python/client/conftest.py b/src/test/python/client/conftest.py
new file mode 100644
index 0000000000..f38da7a138
--- /dev/null
+++ b/src/test/python/client/conftest.py
@@ -0,0 +1,126 @@
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+
+import socket
+import sys
+import threading
+
+import psycopg2
+import pytest
+
+import pq3
+
+BLOCKING_TIMEOUT = 2  # the number of seconds to wait for blocking calls
+
+
+@pytest.fixture
+def server_socket(unused_tcp_port_factory):
+    """
+    Returns a listening socket bound to an ephemeral port.
+    """
+    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
+        s.bind(("127.0.0.1", unused_tcp_port_factory()))
+        s.listen(1)
+        s.settimeout(BLOCKING_TIMEOUT)
+        yield s
+
+
+class ClientHandshake(threading.Thread):
+    """
+    A thread that connects to a local Postgres server using psycopg2. Once the
+    opening handshake completes, the connection will be immediately closed.
+    """
+
+    def __init__(self, *, port, **kwargs):
+        super().__init__()
+
+        kwargs["port"] = port
+        self._kwargs = kwargs
+
+        self.exception = None
+
+    def run(self):
+        try:
+            conn = psycopg2.connect(host="127.0.0.1", **self._kwargs)
+            conn.close()
+        except Exception as e:
+            self.exception = e
+
+    def check_completed(self, timeout=BLOCKING_TIMEOUT):
+        """
+        Joins the client thread. Raises an exception if the thread could not be
+        joined, or if it threw an exception itself. (The exception will be
+        cleared, so future calls to check_completed will succeed.)
+        """
+        self.join(timeout)
+
+        if self.is_alive():
+            raise TimeoutError("client thread did not handshake within the timeout")
+        elif self.exception:
+            e = self.exception
+            self.exception = None
+            raise e
+
+
+@pytest.fixture
+def accept(server_socket):
+    """
+    Returns a factory function that, when called, returns a pair (sock, client)
+    where sock is a server socket that has accepted a connection from client,
+    and client is an instance of ClientHandshake. Clients will complete their
+    handshakes and cleanly disconnect.
+
+    The default connstring options may be extended or overridden by passing
+    arbitrary keyword arguments. Keep in mind that you generally should not
+    override the host or port, since they point to the local test server.
+
+    For situations where a client needs to connect more than once to complete a
+    handshake, the accept function may be called more than once. (The client
+    returned for subsequent calls will always be the same client that was
+    returned for the first call.)
+
+    Tests must either complete the handshake so that the client thread can be
+    automatically joined during teardown, or else call client.check_completed()
+    and manually handle any expected errors.
+    """
+    _, port = server_socket.getsockname()
+
+    client = None
+    default_opts = dict(
+        port=port,
+        user=pq3.pguser(),
+        sslmode="disable",
+    )
+
+    def factory(**kwargs):
+        nonlocal client
+
+        if client is None:
+            opts = dict(default_opts)
+            opts.update(kwargs)
+
+            # The server_socket is already listening, so the client thread can
+            # be safely started; it'll block on the connection until we accept.
+            client = ClientHandshake(**opts)
+            client.start()
+
+        sock, _ = server_socket.accept()
+        return sock, client
+
+    yield factory
+    client.check_completed()
+
+
+@pytest.fixture
+def conn(accept):
+    """
+    Returns an accepted, wrapped pq3 connection to a psycopg2 client. The socket
+    will be closed when the test finishes, and the client will be checked for a
+    cleanly completed handshake.
+    """
+    sock, client = accept()
+    with sock:
+        with pq3.wrap(sock, debug_stream=sys.stdout) as conn:
+            yield conn
diff --git a/src/test/python/client/test_client.py b/src/test/python/client/test_client.py
new file mode 100644
index 0000000000..c4c946fda4
--- /dev/null
+++ b/src/test/python/client/test_client.py
@@ -0,0 +1,180 @@
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+
+import base64
+import sys
+
+import psycopg2
+import pytest
+from cryptography.hazmat.primitives import hashes, hmac
+
+import pq3
+
+
+def finish_handshake(conn):
+    """
+    Sends the AuthenticationOK message and the standard opening salvo of server
+    messages, then asserts that the client immediately sends a Terminate message
+    to close the connection cleanly.
+    """
+    pq3.send(conn, pq3.types.AuthnRequest, type=pq3.authn.OK)
+    pq3.send(conn, pq3.types.ParameterStatus, name=b"client_encoding", value=b"UTF-8")
+    pq3.send(conn, pq3.types.ParameterStatus, name=b"DateStyle", value=b"ISO, MDY")
+    pq3.send(conn, pq3.types.ReadyForQuery, status=b"I")
+
+    pkt = pq3.recv1(conn)
+    assert pkt.type == pq3.types.Terminate
+
+
+def test_handshake(conn):
+    startup = pq3.recv1(conn, cls=pq3.Startup)
+    assert startup.proto == pq3.protocol(3, 0)
+
+    finish_handshake(conn)
+
+
+def test_aborted_connection(accept):
+    """
+    Make sure the client correctly reports an early close during handshakes.
+    """
+    sock, client = accept()
+    sock.close()
+
+    expected = "server closed the connection unexpectedly"
+    with pytest.raises(psycopg2.OperationalError, match=expected):
+        client.check_completed()
+
+
+#
+# SCRAM-SHA-256 (see RFC 5802: https://tools.ietf.org/html/rfc5802)
+#
+
+
+@pytest.fixture
+def password():
+    """
+    Returns a password for use by both client and server.
+    """
+    # TODO: parameterize this with passwords that require SASLprep.
+    return "secret"
+
+
+@pytest.fixture
+def pwconn(accept, password):
+    """
+    Like the conn fixture, but uses a password in the connection.
+    """
+    sock, client = accept(password=password)
+    with sock:
+        with pq3.wrap(sock, debug_stream=sys.stdout) as conn:
+            yield conn
+
+
+def sha256(data):
+    """The H(str) function from Section 2.2."""
+    digest = hashes.Hash(hashes.SHA256())
+    digest.update(data)
+    return digest.finalize()
+
+
+def hmac_256(key, data):
+    """The HMAC(key, str) function from Section 2.2."""
+    h = hmac.HMAC(key, hashes.SHA256())
+    h.update(data)
+    return h.finalize()
+
+
+def xor(a, b):
+    """The XOR operation from Section 2.2."""
+    res = bytearray(a)
+    for i, byte in enumerate(b):
+        res[i] ^= byte
+    return bytes(res)
+
+
+def h_i(data, salt, i):
+    """The Hi(str, salt, i) function from Section 2.2."""
+    assert i > 0
+
+    acc = hmac_256(data, salt + b"\x00\x00\x00\x01")
+    last = acc
+    i -= 1
+
+    while i:
+        u = hmac_256(data, last)
+        acc = xor(acc, u)
+
+        last = u
+        i -= 1
+
+    return acc
+
+
+def test_scram(pwconn, password):
+    startup = pq3.recv1(pwconn, cls=pq3.Startup)
+    assert startup.proto == pq3.protocol(3, 0)
+
+    pq3.send(
+        pwconn,
+        pq3.types.AuthnRequest,
+        type=pq3.authn.SASL,
+        body=[b"SCRAM-SHA-256", b""],
+    )
+
+    # Get the client-first-message.
+    pkt = pq3.recv1(pwconn)
+    assert pkt.type == pq3.types.PasswordMessage
+
+    initial = pq3.SASLInitialResponse.parse(pkt.payload)
+    assert initial.name == b"SCRAM-SHA-256"
+
+    c_bind, authzid, c_name, c_nonce = initial.data.split(b",")
+    assert c_bind == b"n"  # no channel bindings on a plaintext connection
+    assert authzid == b""  # we don't support authzid currently
+    assert c_name == b"n="  # libpq doesn't honor the GS2 username
+    assert c_nonce.startswith(b"r=")
+
+    # Send the server-first-message.
+    salt = b"12345"
+    iterations = 2
+
+    s_nonce = c_nonce + b"somenonce"
+    s_salt = b"s=" + base64.b64encode(salt)
+    s_iterations = b"i=%d" % iterations
+
+    msg = b",".join([s_nonce, s_salt, s_iterations])
+    pq3.send(pwconn, pq3.types.AuthnRequest, type=pq3.authn.SASLContinue, body=msg)
+
+    # Get the client-final-message.
+    pkt = pq3.recv1(pwconn)
+    assert pkt.type == pq3.types.PasswordMessage
+
+    c_bind_final, c_nonce_final, c_proof = pkt.payload.split(b",")
+    assert c_bind_final == b"c=" + base64.b64encode(c_bind + b"," + authzid + b",")
+    assert c_nonce_final == s_nonce
+
+    # Calculate what the client proof should be.
+    salted_password = h_i(password.encode("ascii"), salt, iterations)
+    client_key = hmac_256(salted_password, b"Client Key")
+    stored_key = sha256(client_key)
+
+    auth_message = b",".join(
+        [c_name, c_nonce, s_nonce, s_salt, s_iterations, c_bind_final, c_nonce_final]
+    )
+    client_signature = hmac_256(stored_key, auth_message)
+    client_proof = xor(client_key, client_signature)
+
+    expected = b"p=" + base64.b64encode(client_proof)
+    assert c_proof == expected
+
+    # Send the correct server signature.
+    server_key = hmac_256(salted_password, b"Server Key")
+    server_signature = hmac_256(server_key, auth_message)
+
+    s_verify = b"v=" + base64.b64encode(server_signature)
+    pq3.send(pwconn, pq3.types.AuthnRequest, type=pq3.authn.SASLFinal, body=s_verify)
+
+    # Done!
+    finish_handshake(pwconn)
diff --git a/src/test/python/client/test_oauth.py b/src/test/python/client/test_oauth.py
new file mode 100644
index 0000000000..a754a9c0b6
--- /dev/null
+++ b/src/test/python/client/test_oauth.py
@@ -0,0 +1,936 @@
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+
+import base64
+import http.server
+import json
+import secrets
+import sys
+import threading
+import time
+import urllib.parse
+
+import psycopg2
+import pytest
+
+import pq3
+
+from .conftest import BLOCKING_TIMEOUT
+
+
+def finish_handshake(conn):
+    """
+    Sends the AuthenticationOK message and the standard opening salvo of server
+    messages, then asserts that the client immediately sends a Terminate message
+    to close the connection cleanly.
+    """
+    pq3.send(conn, pq3.types.AuthnRequest, type=pq3.authn.OK)
+    pq3.send(conn, pq3.types.ParameterStatus, name=b"client_encoding", value=b"UTF-8")
+    pq3.send(conn, pq3.types.ParameterStatus, name=b"DateStyle", value=b"ISO, MDY")
+    pq3.send(conn, pq3.types.ReadyForQuery, status=b"I")
+
+    pkt = pq3.recv1(conn)
+    assert pkt.type == pq3.types.Terminate
+
+
+#
+# OAUTHBEARER (see RFC 7628: https://tools.ietf.org/html/rfc7628)
+#
+
+
+def start_oauth_handshake(conn):
+    """
+    Negotiates an OAUTHBEARER SASL challenge. Returns the client's initial
+    response data.
+    """
+    startup = pq3.recv1(conn, cls=pq3.Startup)
+    assert startup.proto == pq3.protocol(3, 0)
+
+    pq3.send(
+        conn, pq3.types.AuthnRequest, type=pq3.authn.SASL, body=[b"OAUTHBEARER", b""]
+    )
+
+    pkt = pq3.recv1(conn)
+    assert pkt.type == pq3.types.PasswordMessage
+
+    initial = pq3.SASLInitialResponse.parse(pkt.payload)
+    assert initial.name == b"OAUTHBEARER"
+
+    return initial.data
+
+
+def get_auth_value(initial):
+    """
+    Finds the auth value (e.g. "Bearer somedata..." in the client's initial SASL
+    response.
+    """
+    kvpairs = initial.split(b"\x01")
+    assert kvpairs[0] == b"n,,"  # no channel binding or authzid
+    assert kvpairs[2] == b""  # ends with an empty kvpair
+    assert kvpairs[3] == b""  # ...and there's nothing after it
+    assert len(kvpairs) == 4
+
+    key, value = kvpairs[1].split(b"=", 2)
+    assert key == b"auth"
+
+    return value
+
+
+def xtest_oauth_success(conn):  # TODO
+    initial = start_oauth_handshake(conn)
+
+    auth = get_auth_value(initial)
+    assert auth.startswith(b"Bearer ")
+
+    # Accept the token. TODO actually validate
+    pq3.send(conn, pq3.types.AuthnRequest, type=pq3.authn.SASLFinal)
+    finish_handshake(conn)
+
+
+class OpenIDProvider(threading.Thread):
+    """
+    A thread that runs a mock OpenID provider server.
+    """
+
+    def __init__(self, *, port):
+        super().__init__()
+
+        self.exception = None
+
+        addr = ("", port)
+        self.server = self._Server(addr, self._Handler)
+
+        # TODO: allow HTTPS only, somehow
+        oauth = self._OAuthState()
+        oauth.host = f"localhost:{port}"
+        oauth.issuer = f"http://localhost:{port}"
+
+        # The following endpoints are required to be advertised by providers,
+        # even though our chosen client implementation does not actually make
+        # use of them.
+        oauth.register_endpoint(
+            "authorization_endpoint", "POST", "/authorize", self._authorization_handler
+        )
+        oauth.register_endpoint("jwks_uri", "GET", "/keys", self._jwks_handler)
+
+        self.server.oauth = oauth
+
+    def run(self):
+        try:
+            self.server.serve_forever()
+        except Exception as e:
+            self.exception = e
+
+    def stop(self, timeout=BLOCKING_TIMEOUT):
+        """
+        Shuts down the server and joins its thread. Raises an exception if the
+        thread could not be joined, or if it threw an exception itself. Must
+        only be called once, after start().
+        """
+        self.server.shutdown()
+        self.join(timeout)
+
+        if self.is_alive():
+            raise TimeoutError("client thread did not handshake within the timeout")
+        elif self.exception:
+            e = self.exception
+            raise e
+
+    class _OAuthState(object):
+        def __init__(self):
+            self.endpoint_paths = {}
+            self._endpoints = {}
+
+        def register_endpoint(self, name, method, path, func):
+            if method not in self._endpoints:
+                self._endpoints[method] = {}
+
+            self._endpoints[method][path] = func
+            self.endpoint_paths[name] = path
+
+        def endpoint(self, method, path):
+            if method not in self._endpoints:
+                return None
+
+            return self._endpoints[method].get(path)
+
+    class _Server(http.server.HTTPServer):
+        def handle_error(self, request, addr):
+            self.shutdown_request(request)
+            raise
+
+    @staticmethod
+    def _jwks_handler(headers, params):
+        return 200, {"keys": []}
+
+    @staticmethod
+    def _authorization_handler(headers, params):
+        # We don't actually want this to be called during these tests -- we
+        # should be using the device authorization endpoint instead.
+        assert (
+            False
+        ), "authorization handler called instead of device authorization handler"
+
+    class _Handler(http.server.BaseHTTPRequestHandler):
+        timeout = BLOCKING_TIMEOUT
+
+        def _discovery_handler(self, headers, params):
+            oauth = self.server.oauth
+
+            doc = {
+                "issuer": oauth.issuer,
+                "response_types_supported": ["token"],
+                "subject_types_supported": ["public"],
+                "id_token_signing_alg_values_supported": ["RS256"],
+            }
+
+            for name, path in oauth.endpoint_paths.items():
+                doc[name] = oauth.issuer + path
+
+            return 200, doc
+
+        def _handle(self, *, params=None, handler=None):
+            oauth = self.server.oauth
+            assert self.headers["Host"] == oauth.host
+
+            if handler is None:
+                handler = oauth.endpoint(self.command, self.path)
+                assert (
+                    handler is not None
+                ), f"no registered endpoint for {self.command} {self.path}"
+
+            code, resp = handler(self.headers, params)
+
+            self.send_response(code)
+            self.send_header("Content-Type", "application/json")
+            self.end_headers()
+
+            resp = json.dumps(resp)
+            resp = resp.encode("utf-8")
+            self.wfile.write(resp)
+
+            self.close_connection = True
+
+        def do_GET(self):
+            if self.path == "/.well-known/openid-configuration":
+                self._handle(handler=self._discovery_handler)
+                return
+
+            self._handle()
+
+        def _request_body(self):
+            length = self.headers["Content-Length"]
+
+            # Handle only an explicit content-length.
+            assert length is not None
+            length = int(length)
+
+            return self.rfile.read(length).decode("utf-8")
+
+        def do_POST(self):
+            assert self.headers["Content-Type"] == "application/x-www-form-urlencoded"
+
+            body = self._request_body()
+            params = urllib.parse.parse_qs(body)
+
+            self._handle(params=params)
+
+
+@pytest.fixture
+def openid_provider(unused_tcp_port_factory):
+    """
+    A fixture that returns the OAuth state of a running OpenID provider server. The
+    server will be stopped when the fixture is torn down.
+    """
+    thread = OpenIDProvider(port=unused_tcp_port_factory())
+    thread.start()
+
+    try:
+        yield thread.server.oauth
+    finally:
+        thread.stop()
+
+
+@pytest.mark.parametrize("secret", [None, "", "hunter2"])
+@pytest.mark.parametrize("scope", [None, "", "openid email"])
+@pytest.mark.parametrize("retries", [0, 1])
+def test_oauth_with_explicit_issuer(
+    capfd, accept, openid_provider, retries, scope, secret
+):
+    client_id = secrets.token_hex()
+
+    sock, client = accept(
+        oauth_issuer=openid_provider.issuer,
+        oauth_client_id=client_id,
+        oauth_client_secret=secret,
+        oauth_scope=scope,
+    )
+
+    device_code = secrets.token_hex()
+    user_code = f"{secrets.token_hex(2)}-{secrets.token_hex(2)}"
+    verification_url = "https://example.com/device"
+
+    access_token = secrets.token_urlsafe()
+
+    def check_client_authn(headers, params):
+        if not secret:
+            assert params["client_id"] == [client_id]
+            return
+
+        # Require the client to use Basic authn; request-body credentials are
+        # NOT RECOMMENDED (RFC 6749, Sec. 2.3.1).
+        assert "Authorization" in headers
+
+        method, creds = headers["Authorization"].split()
+        assert method == "Basic"
+
+        expected = f"{client_id}:{secret}"
+        assert base64.b64decode(creds) == expected.encode("ascii")
+
+    # Set up our provider callbacks.
+    # NOTE that these callbacks will be called on a background thread. Don't do
+    # any unprotected state mutation here.
+
+    def authorization_endpoint(headers, params):
+        check_client_authn(headers, params)
+
+        if scope:
+            assert params["scope"] == [scope]
+        else:
+            assert "scope" not in params
+
+        resp = {
+            "device_code": device_code,
+            "user_code": user_code,
+            "interval": 0,
+            "verification_uri": verification_url,
+            "expires_in": 5,
+        }
+
+        return 200, resp
+
+    openid_provider.register_endpoint(
+        "device_authorization_endpoint", "POST", "/device", authorization_endpoint
+    )
+
+    attempts = 0
+    retry_lock = threading.Lock()
+
+    def token_endpoint(headers, params):
+        check_client_authn(headers, params)
+
+        assert params["grant_type"] == ["urn:ietf:params:oauth:grant-type:device_code"]
+        assert params["device_code"] == [device_code]
+
+        now = time.monotonic()
+
+        with retry_lock:
+            nonlocal attempts
+
+            # If the test wants to force the client to retry, return an
+            # authorization_pending response and decrement the retry count.
+            if attempts < retries:
+                attempts += 1
+                return 400, {"error": "authorization_pending"}
+
+        # Successfully finish the request by sending the access bearer token.
+        resp = {
+            "access_token": access_token,
+            "token_type": "bearer",
+        }
+
+        return 200, resp
+
+    openid_provider.register_endpoint(
+        "token_endpoint", "POST", "/token", token_endpoint
+    )
+
+    with sock:
+        with pq3.wrap(sock, debug_stream=sys.stdout) as conn:
+            # Initiate a handshake, which should result in the above endpoints
+            # being called.
+            initial = start_oauth_handshake(conn)
+
+            # Validate and accept the token.
+            auth = get_auth_value(initial)
+            assert auth == f"Bearer {access_token}".encode("ascii")
+
+            pq3.send(conn, pq3.types.AuthnRequest, type=pq3.authn.SASLFinal)
+            finish_handshake(conn)
+
+    if retries:
+        # Finally, make sure that the client prompted the user with the expected
+        # authorization URL and user code.
+        expected = f"Visit {verification_url} and enter the code: {user_code}"
+        _, stderr = capfd.readouterr()
+        assert expected in stderr
+
+
+def test_oauth_requires_client_id(accept, openid_provider):
+    sock, client = accept(
+        oauth_issuer=openid_provider.issuer,
+        # Do not set a client ID; this should cause a client error after the
+        # server asks for OAUTHBEARER and the client tries to contact the
+        # issuer.
+    )
+
+    with sock:
+        with pq3.wrap(sock, debug_stream=sys.stdout) as conn:
+            # Initiate a handshake.
+            startup = pq3.recv1(conn, cls=pq3.Startup)
+            assert startup.proto == pq3.protocol(3, 0)
+
+            pq3.send(
+                conn,
+                pq3.types.AuthnRequest,
+                type=pq3.authn.SASL,
+                body=[b"OAUTHBEARER", b""],
+            )
+
+            # The client should disconnect at this point.
+            assert not conn.read()
+
+    expected_error = "no oauth_client_id is set"
+    with pytest.raises(psycopg2.OperationalError, match=expected_error):
+        client.check_completed()
+
+
+@pytest.mark.slow
+@pytest.mark.parametrize("error_code", ["authorization_pending", "slow_down"])
+@pytest.mark.parametrize("retries", [1, 2])
+def test_oauth_retry_interval(accept, openid_provider, retries, error_code):
+    sock, client = accept(
+        oauth_issuer=openid_provider.issuer,
+        oauth_client_id="some-id",
+    )
+
+    expected_retry_interval = 1
+    access_token = secrets.token_urlsafe()
+
+    # Set up our provider callbacks.
+    # NOTE that these callbacks will be called on a background thread. Don't do
+    # any unprotected state mutation here.
+
+    def authorization_endpoint(headers, params):
+        resp = {
+            "device_code": "my-device-code",
+            "user_code": "my-user-code",
+            "interval": expected_retry_interval,
+            "verification_uri": "https://example.com",
+            "expires_in": 5,
+        }
+
+        return 200, resp
+
+    openid_provider.register_endpoint(
+        "device_authorization_endpoint", "POST", "/device", authorization_endpoint
+    )
+
+    attempts = 0
+    last_retry = None
+    retry_lock = threading.Lock()
+
+    def token_endpoint(headers, params):
+        now = time.monotonic()
+
+        with retry_lock:
+            nonlocal attempts, last_retry, expected_retry_interval
+
+            # Make sure the retry interval is being respected by the client.
+            if last_retry is not None:
+                interval = now - last_retry
+                assert interval >= expected_retry_interval
+
+            last_retry = now
+
+            # If the test wants to force the client to retry, return the desired
+            # error response and decrement the retry count.
+            if attempts < retries:
+                attempts += 1
+
+                # A slow_down code requires the client to additionally increase
+                # its interval by five seconds.
+                if error_code == "slow_down":
+                    expected_retry_interval += 5
+
+                return 400, {"error": error_code}
+
+        # Successfully finish the request by sending the access bearer token.
+        resp = {
+            "access_token": access_token,
+            "token_type": "bearer",
+        }
+
+        return 200, resp
+
+    openid_provider.register_endpoint(
+        "token_endpoint", "POST", "/token", token_endpoint
+    )
+
+    with sock:
+        with pq3.wrap(sock, debug_stream=sys.stdout) as conn:
+            # Initiate a handshake, which should result in the above endpoints
+            # being called.
+            initial = start_oauth_handshake(conn)
+
+            # Validate and accept the token.
+            auth = get_auth_value(initial)
+            assert auth == f"Bearer {access_token}".encode("ascii")
+
+            pq3.send(conn, pq3.types.AuthnRequest, type=pq3.authn.SASLFinal)
+            finish_handshake(conn)
+
+
+@pytest.mark.parametrize(
+    "failure_mode, error_pattern",
+    [
+        pytest.param(
+            {
+                "error": "invalid_client",
+                "error_description": "client authentication failed",
+            },
+            r"client authentication failed \(invalid_client\)",
+            id="authentication failure with description",
+        ),
+        pytest.param(
+            {"error": "invalid_request"},
+            r"\(invalid_request\)",
+            id="invalid request without description",
+        ),
+        pytest.param(
+            {},
+            r"failed to obtain device authorization",
+            id="broken error response",
+        ),
+    ],
+)
+def test_oauth_device_authorization_failures(
+    accept, openid_provider, failure_mode, error_pattern
+):
+    client_id = secrets.token_hex()
+
+    sock, client = accept(
+        oauth_issuer=openid_provider.issuer,
+        oauth_client_id=client_id,
+    )
+
+    # Set up our provider callbacks.
+    # NOTE that these callbacks will be called on a background thread. Don't do
+    # any unprotected state mutation here.
+
+    def authorization_endpoint(headers, params):
+        return 400, failure_mode
+
+    openid_provider.register_endpoint(
+        "device_authorization_endpoint", "POST", "/device", authorization_endpoint
+    )
+
+    def token_endpoint(headers, params):
+        assert False, "token endpoint was invoked unexpectedly"
+
+    openid_provider.register_endpoint(
+        "token_endpoint", "POST", "/token", token_endpoint
+    )
+
+    with sock:
+        with pq3.wrap(sock, debug_stream=sys.stdout) as conn:
+            # Initiate a handshake, which should result in the above endpoints
+            # being called.
+            startup = pq3.recv1(conn, cls=pq3.Startup)
+            assert startup.proto == pq3.protocol(3, 0)
+
+            pq3.send(
+                conn,
+                pq3.types.AuthnRequest,
+                type=pq3.authn.SASL,
+                body=[b"OAUTHBEARER", b""],
+            )
+
+            # The client should not continue the connection due to the hardcoded
+            # provider failure; we disconnect here.
+
+    # Now make sure the client correctly failed.
+    with pytest.raises(psycopg2.OperationalError, match=error_pattern):
+        client.check_completed()
+
+
+@pytest.mark.parametrize(
+    "failure_mode, error_pattern",
+    [
+        pytest.param(
+            {
+                "error": "expired_token",
+                "error_description": "the device code has expired",
+            },
+            r"the device code has expired \(expired_token\)",
+            id="expired token with description",
+        ),
+        pytest.param(
+            {"error": "access_denied"},
+            r"\(access_denied\)",
+            id="access denied without description",
+        ),
+        pytest.param(
+            {},
+            r"OAuth token retrieval failed",
+            id="broken error response",
+        ),
+    ],
+)
+@pytest.mark.parametrize("retries", [0, 1])
+def test_oauth_token_failures(
+    accept, openid_provider, retries, failure_mode, error_pattern
+):
+    client_id = secrets.token_hex()
+
+    sock, client = accept(
+        oauth_issuer=openid_provider.issuer,
+        oauth_client_id=client_id,
+    )
+
+    device_code = secrets.token_hex()
+    user_code = f"{secrets.token_hex(2)}-{secrets.token_hex(2)}"
+
+    # Set up our provider callbacks.
+    # NOTE that these callbacks will be called on a background thread. Don't do
+    # any unprotected state mutation here.
+
+    def authorization_endpoint(headers, params):
+        assert params["client_id"] == [client_id]
+
+        resp = {
+            "device_code": device_code,
+            "user_code": user_code,
+            "interval": 0,
+            "verification_uri": "https://example.com/device",
+            "expires_in": 5,
+        }
+
+        return 200, resp
+
+    openid_provider.register_endpoint(
+        "device_authorization_endpoint", "POST", "/device", authorization_endpoint
+    )
+
+    retry_lock = threading.Lock()
+
+    def token_endpoint(headers, params):
+        with retry_lock:
+            nonlocal retries
+
+            # If the test wants to force the client to retry, return an
+            # authorization_pending response and decrement the retry count.
+            if retries > 0:
+                retries -= 1
+                return 400, {"error": "authorization_pending"}
+
+        return 400, failure_mode
+
+    openid_provider.register_endpoint(
+        "token_endpoint", "POST", "/token", token_endpoint
+    )
+
+    with sock:
+        with pq3.wrap(sock, debug_stream=sys.stdout) as conn:
+            # Initiate a handshake, which should result in the above endpoints
+            # being called.
+            startup = pq3.recv1(conn, cls=pq3.Startup)
+            assert startup.proto == pq3.protocol(3, 0)
+
+            pq3.send(
+                conn,
+                pq3.types.AuthnRequest,
+                type=pq3.authn.SASL,
+                body=[b"OAUTHBEARER", b""],
+            )
+
+            # The client should not continue the connection due to the hardcoded
+            # provider failure; we disconnect here.
+
+    # Now make sure the client correctly failed.
+    with pytest.raises(psycopg2.OperationalError, match=error_pattern):
+        client.check_completed()
+
+
+@pytest.mark.parametrize("scope", [None, "openid email"])
+@pytest.mark.parametrize(
+    "base_response",
+    [
+        {"status": "invalid_token"},
+        {"extra_object": {"key": "value"}, "status": "invalid_token"},
+        {"extra_object": {"status": 1}, "status": "invalid_token"},
+    ],
+)
+def test_oauth_discovery(accept, openid_provider, base_response, scope):
+    sock, client = accept(oauth_client_id=secrets.token_hex())
+
+    device_code = secrets.token_hex()
+    user_code = f"{secrets.token_hex(2)}-{secrets.token_hex(2)}"
+    verification_url = "https://example.com/device"
+
+    access_token = secrets.token_urlsafe()
+
+    # Set up our provider callbacks.
+    # NOTE that these callbacks will be called on a background thread. Don't do
+    # any unprotected state mutation here.
+
+    def authorization_endpoint(headers, params):
+        if scope:
+            assert params["scope"] == [scope]
+        else:
+            assert "scope" not in params
+
+        resp = {
+            "device_code": device_code,
+            "user_code": user_code,
+            "interval": 0,
+            "verification_uri": verification_url,
+            "expires_in": 5,
+        }
+
+        return 200, resp
+
+    openid_provider.register_endpoint(
+        "device_authorization_endpoint", "POST", "/device", authorization_endpoint
+    )
+
+    def token_endpoint(headers, params):
+        assert params["grant_type"] == ["urn:ietf:params:oauth:grant-type:device_code"]
+        assert params["device_code"] == [device_code]
+
+        # Successfully finish the request by sending the access bearer token.
+        resp = {
+            "access_token": access_token,
+            "token_type": "bearer",
+        }
+
+        return 200, resp
+
+    openid_provider.register_endpoint(
+        "token_endpoint", "POST", "/token", token_endpoint
+    )
+
+    with sock:
+        with pq3.wrap(sock, debug_stream=sys.stdout) as conn:
+            initial = start_oauth_handshake(conn)
+
+            # For discovery, the client should send an empty auth header. See
+            # RFC 7628, Sec. 4.3.
+            auth = get_auth_value(initial)
+            assert auth == b""
+
+            # We will fail the first SASL exchange. First return a link to the
+            # discovery document, pointing to the test provider server.
+            resp = dict(base_response)
+
+            discovery_uri = f"{openid_provider.issuer}/.well-known/openid-configuration"
+            resp["openid-configuration"] = discovery_uri
+
+            if scope:
+                resp["scope"] = scope
+
+            resp = json.dumps(resp)
+
+            pq3.send(
+                conn,
+                pq3.types.AuthnRequest,
+                type=pq3.authn.SASLContinue,
+                body=resp.encode("ascii"),
+            )
+
+            # Per RFC, the client is required to send a dummy ^A response.
+            pkt = pq3.recv1(conn)
+            assert pkt.type == pq3.types.PasswordMessage
+            assert pkt.payload == b"\x01"
+
+            # Now fail the SASL exchange.
+            pq3.send(
+                conn,
+                pq3.types.ErrorResponse,
+                fields=[
+                    b"SFATAL",
+                    b"C28000",
+                    b"Mdoesn't matter",
+                    b"",
+                ],
+            )
+
+    # The client will connect to us a second time, using the parameters we sent
+    # it.
+    sock, _ = accept()
+
+    with sock:
+        with pq3.wrap(sock, debug_stream=sys.stdout) as conn:
+            initial = start_oauth_handshake(conn)
+
+            # Validate and accept the token.
+            auth = get_auth_value(initial)
+            assert auth == f"Bearer {access_token}".encode("ascii")
+
+            pq3.send(conn, pq3.types.AuthnRequest, type=pq3.authn.SASLFinal)
+            finish_handshake(conn)
+
+
+@pytest.mark.parametrize(
+    "response,expected_error",
+    [
+        pytest.param(
+            "abcde",
+            'Token "abcde" is invalid',
+            id="bad JSON: invalid syntax",
+        ),
+        pytest.param(
+            '"abcde"',
+            "top-level element must be an object",
+            id="bad JSON: top-level element is a string",
+        ),
+        pytest.param(
+            "[]",
+            "top-level element must be an object",
+            id="bad JSON: top-level element is an array",
+        ),
+        pytest.param(
+            "{}",
+            "server sent error response without a status",
+            id="bad JSON: no status member",
+        ),
+        pytest.param(
+            '{ "status": null }',
+            'field "status" must be a string',
+            id="bad JSON: null status member",
+        ),
+        pytest.param(
+            '{ "status": 0 }',
+            'field "status" must be a string',
+            id="bad JSON: int status member",
+        ),
+        pytest.param(
+            '{ "status": [ "bad" ] }',
+            'field "status" must be a string',
+            id="bad JSON: array status member",
+        ),
+        pytest.param(
+            '{ "status": { "bad": "bad" } }',
+            'field "status" must be a string',
+            id="bad JSON: object status member",
+        ),
+        pytest.param(
+            '{ "nested": { "status": "bad" } }',
+            "server sent error response without a status",
+            id="bad JSON: nested status",
+        ),
+        pytest.param(
+            '{ "status": "invalid_token" ',
+            "The input string ended unexpectedly",
+            id="bad JSON: unterminated object",
+        ),
+        pytest.param(
+            '{ "status": "invalid_token" } { }',
+            'Expected end of input, but found "{"',
+            id="bad JSON: trailing data",
+        ),
+        pytest.param(
+            '{ "status": "invalid_token", "openid-configuration": 1 }',
+            'field "openid-configuration" must be a string',
+            id="bad JSON: int openid-configuration member",
+        ),
+        pytest.param(
+            '{ "status": "invalid_token", "openid-configuration": 1 }',
+            'field "openid-configuration" must be a string',
+            id="bad JSON: int openid-configuration member",
+        ),
+        pytest.param(
+            '{ "status": "invalid_token", "scope": 1 }',
+            'field "scope" must be a string',
+            id="bad JSON: int scope member",
+        ),
+    ],
+)
+def test_oauth_discovery_server_error(accept, response, expected_error):
+    sock, client = accept(oauth_client_id=secrets.token_hex())
+
+    with sock:
+        with pq3.wrap(sock, debug_stream=sys.stdout) as conn:
+            initial = start_oauth_handshake(conn)
+
+            # Fail the SASL exchange with an invalid JSON response.
+            pq3.send(
+                conn,
+                pq3.types.AuthnRequest,
+                type=pq3.authn.SASLContinue,
+                body=response.encode("utf-8"),
+            )
+
+            # The client should disconnect, so the socket is closed here. (If
+            # the client doesn't disconnect, it will report a different error
+            # below and the test will fail.)
+
+    with pytest.raises(psycopg2.OperationalError, match=expected_error):
+        client.check_completed()
+
+
+@pytest.mark.parametrize(
+    "sasl_err,resp_type,resp_payload,expected_error",
+    [
+        pytest.param(
+            {"status": "invalid_request"},
+            pq3.types.ErrorResponse,
+            dict(
+                fields=[b"SFATAL", b"C28000", b"Mexpected error message", b""],
+            ),
+            "expected error message",
+            id="standard server error: invalid_request",
+        ),
+        pytest.param(
+            {"status": "invalid_token"},
+            pq3.types.ErrorResponse,
+            dict(
+                fields=[b"SFATAL", b"C28000", b"Mexpected error message", b""],
+            ),
+            "expected error message",
+            id="standard server error: invalid_token without discovery URI",
+        ),
+        pytest.param(
+            {"status": "invalid_request"},
+            pq3.types.AuthnRequest,
+            dict(type=pq3.authn.SASLContinue, body=b""),
+            "server sent additional OAuth data",
+            id="broken server: additional challenge after error",
+        ),
+        pytest.param(
+            {"status": "invalid_request"},
+            pq3.types.AuthnRequest,
+            dict(type=pq3.authn.SASLFinal),
+            "server sent additional OAuth data",
+            id="broken server: SASL success after error",
+        ),
+    ],
+)
+def test_oauth_server_error(accept, sasl_err, resp_type, resp_payload, expected_error):
+    sock, client = accept()
+
+    with sock:
+        with pq3.wrap(sock, debug_stream=sys.stdout) as conn:
+            start_oauth_handshake(conn)
+
+            # Ignore the client data. Return an error "challenge".
+            resp = json.dumps(sasl_err)
+            resp = resp.encode("utf-8")
+
+            pq3.send(
+                conn, pq3.types.AuthnRequest, type=pq3.authn.SASLContinue, body=resp
+            )
+
+            # Per RFC, the client is required to send a dummy ^A response.
+            pkt = pq3.recv1(conn)
+            assert pkt.type == pq3.types.PasswordMessage
+            assert pkt.payload == b"\x01"
+
+            # Now fail the SASL exchange (in either a valid way, or an invalid
+            # one, depending on the test).
+            pq3.send(conn, resp_type, **resp_payload)
+
+    with pytest.raises(psycopg2.OperationalError, match=expected_error):
+        client.check_completed()
diff --git a/src/test/python/pq3.py b/src/test/python/pq3.py
new file mode 100644
index 0000000000..3a22dad0b6
--- /dev/null
+++ b/src/test/python/pq3.py
@@ -0,0 +1,727 @@
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+
+import contextlib
+import getpass
+import io
+import os
+import ssl
+import sys
+import textwrap
+
+from construct import *
+
+import tls
+
+
+def protocol(major, minor):
+    """
+    Returns the protocol version, in integer format, corresponding to the given
+    major and minor version numbers.
+    """
+    return (major << 16) | minor
+
+
+# Startup
+
+StringList = GreedyRange(NullTerminated(GreedyBytes))
+
+
+class KeyValueAdapter(Adapter):
+    """
+    Turns a key-value store into a null-terminated list of null-terminated
+    strings, as presented on the wire in the startup packet.
+    """
+
+    def _encode(self, obj, context, path):
+        if isinstance(obj, list):
+            return obj
+
+        l = []
+
+        for k, v in obj.items():
+            if isinstance(k, str):
+                k = k.encode("utf-8")
+            l.append(k)
+
+            if isinstance(v, str):
+                v = v.encode("utf-8")
+            l.append(v)
+
+        l.append(b"")
+        return l
+
+    def _decode(self, obj, context, path):
+        # TODO: turn a list back into a dict
+        return obj
+
+
+KeyValues = KeyValueAdapter(StringList)
+
+_startup_payload = Switch(
+    this.proto,
+    {
+        protocol(3, 0): KeyValues,
+    },
+    default=GreedyBytes,
+)
+
+
+def _default_protocol(this):
+    try:
+        if isinstance(this.payload, (list, dict)):
+            return protocol(3, 0)
+    except AttributeError:
+        pass  # no payload passed during build
+
+    return 0
+
+
+def _startup_payload_len(this):
+    """
+    The payload field has a fixed size based on the length of the packet. But
+    if the caller hasn't supplied an explicit length at build time, we have to
+    build the payload to figure out how long it is, which requires us to know
+    the length first... This function exists solely to break the cycle.
+    """
+    assert this._building, "_startup_payload_len() cannot be called during parsing"
+
+    try:
+        payload = this.payload
+    except AttributeError:
+        return 0  # no payload
+
+    if isinstance(payload, bytes):
+        # already serialized; just use the given length
+        return len(payload)
+
+    try:
+        proto = this.proto
+    except AttributeError:
+        proto = _default_protocol(this)
+
+    data = _startup_payload.build(payload, proto=proto)
+    return len(data)
+
+
+Startup = Struct(
+    "len" / Default(Int32sb, lambda this: _startup_payload_len(this) + 8),
+    "proto" / Default(Hex(Int32sb), _default_protocol),
+    "payload" / FixedSized(this.len - 8, Default(_startup_payload, b"")),
+)
+
+# Pq3
+
+# Adapted from construct.core.EnumIntegerString
+class EnumNamedByte:
+    def __init__(self, val, name):
+        self._val = val
+        self._name = name
+
+    def __int__(self):
+        return ord(self._val)
+
+    def __str__(self):
+        return "(enum) %s %r" % (self._name, self._val)
+
+    def __repr__(self):
+        return "EnumNamedByte(%r)" % self._val
+
+    def __eq__(self, other):
+        if isinstance(other, EnumNamedByte):
+            other = other._val
+        if not isinstance(other, bytes):
+            return NotImplemented
+
+        return self._val == other
+
+    def __hash__(self):
+        return hash(self._val)
+
+
+# Adapted from construct.core.Enum
+class ByteEnum(Adapter):
+    def __init__(self, **mapping):
+        super(ByteEnum, self).__init__(Byte)
+        self.namemapping = {k: EnumNamedByte(v, k) for k, v in mapping.items()}
+        self.decmapping = {v: EnumNamedByte(v, k) for k, v in mapping.items()}
+
+    def __getattr__(self, name):
+        if name in self.namemapping:
+            return self.decmapping[self.namemapping[name]]
+        raise AttributeError
+
+    def _decode(self, obj, context, path):
+        b = bytes([obj])
+        try:
+            return self.decmapping[b]
+        except KeyError:
+            return EnumNamedByte(b, "(unknown)")
+
+    def _encode(self, obj, context, path):
+        if isinstance(obj, int):
+            return obj
+        elif isinstance(obj, bytes):
+            return ord(obj)
+        return int(obj)
+
+
+types = ByteEnum(
+    ErrorResponse=b"E",
+    ReadyForQuery=b"Z",
+    Query=b"Q",
+    EmptyQueryResponse=b"I",
+    AuthnRequest=b"R",
+    PasswordMessage=b"p",
+    BackendKeyData=b"K",
+    CommandComplete=b"C",
+    ParameterStatus=b"S",
+    DataRow=b"D",
+    Terminate=b"X",
+)
+
+
+authn = Enum(
+    Int32ub,
+    OK=0,
+    SASL=10,
+    SASLContinue=11,
+    SASLFinal=12,
+)
+
+
+_authn_body = Switch(
+    this.type,
+    {
+        authn.OK: Terminated,
+        authn.SASL: StringList,
+    },
+    default=GreedyBytes,
+)
+
+
+def _data_len(this):
+    assert this._building, "_data_len() cannot be called during parsing"
+
+    if not hasattr(this, "data") or this.data is None:
+        return -1
+
+    return len(this.data)
+
+
+# The protocol reuses the PasswordMessage for several authentication response
+# types, and there's no good way to figure out which is which without keeping
+# state for the entire stream. So this is a separate Construct that can be
+# explicitly parsed/built by code that knows it's needed.
+SASLInitialResponse = Struct(
+    "name" / NullTerminated(GreedyBytes),
+    "len" / Default(Int32sb, lambda this: _data_len(this)),
+    "data"
+    / IfThenElse(
+        # Allow tests to explicitly pass an incorrect length during testing, by
+        # not enforcing a FixedSized during build. (The len calculation above
+        # defaults to the correct size.)
+        this._building,
+        Optional(GreedyBytes),
+        If(this.len != -1, Default(FixedSized(this.len, GreedyBytes), b"")),
+    ),
+    Terminated,  # make sure the entire response is consumed
+)
+
+
+_column = FocusedSeq(
+    "data",
+    "len" / Default(Int32sb, lambda this: _data_len(this)),
+    "data" / If(this.len != -1, FixedSized(this.len, GreedyBytes)),
+)
+
+
+_payload_map = {
+    types.ErrorResponse: Struct("fields" / StringList),
+    types.ReadyForQuery: Struct("status" / Bytes(1)),
+    types.Query: Struct("query" / NullTerminated(GreedyBytes)),
+    types.EmptyQueryResponse: Terminated,
+    types.AuthnRequest: Struct("type" / authn, "body" / Default(_authn_body, b"")),
+    types.BackendKeyData: Struct("pid" / Int32ub, "key" / Hex(Int32ub)),
+    types.CommandComplete: Struct("tag" / NullTerminated(GreedyBytes)),
+    types.ParameterStatus: Struct(
+        "name" / NullTerminated(GreedyBytes), "value" / NullTerminated(GreedyBytes)
+    ),
+    types.DataRow: Struct("columns" / Default(PrefixedArray(Int16sb, _column), b"")),
+    types.Terminate: Terminated,
+}
+
+
+_payload = FocusedSeq(
+    "_payload",
+    "_payload"
+    / Switch(
+        this._.type,
+        _payload_map,
+        default=GreedyBytes,
+    ),
+    Terminated,  # make sure every payload consumes the entire packet
+)
+
+
+def _payload_len(this):
+    """
+    See _startup_payload_len() for an explanation.
+    """
+    assert this._building, "_payload_len() cannot be called during parsing"
+
+    try:
+        payload = this.payload
+    except AttributeError:
+        return 0  # no payload
+
+    if isinstance(payload, bytes):
+        # already serialized; just use the given length
+        return len(payload)
+
+    data = _payload.build(payload, type=this.type)
+    return len(data)
+
+
+Pq3 = Struct(
+    "type" / types,
+    "len" / Default(Int32ub, lambda this: _payload_len(this) + 4),
+    "payload" / FixedSized(this.len - 4, Default(_payload, b"")),
+)
+
+
+# Environment
+
+
+def pghost():
+    return os.environ.get("PGHOST", default="localhost")
+
+
+def pgport():
+    return int(os.environ.get("PGPORT", default=5432))
+
+
+def pguser():
+    try:
+        return os.environ["PGUSER"]
+    except KeyError:
+        return getpass.getuser()
+
+
+def pgdatabase():
+    return os.environ.get("PGDATABASE", default="postgres")
+
+
+# Connections
+
+
+def _hexdump_translation_map():
+    """
+    For hexdumps. Translates any unprintable or non-ASCII bytes into '.'.
+    """
+    input = bytearray()
+
+    for i in range(128):
+        c = chr(i)
+
+        if not c.isprintable():
+            input += bytes([i])
+
+    input += bytes(range(128, 256))
+
+    return bytes.maketrans(input, b"." * len(input))
+
+
+class _DebugStream(object):
+    """
+    Wraps a file-like object and adds hexdumps of the read and write data. Call
+    end_packet() on a _DebugStream to write the accumulated hexdumps to the
+    output stream, along with the packet that was sent.
+    """
+
+    _translation_map = _hexdump_translation_map()
+
+    def __init__(self, stream, out=sys.stdout):
+        """
+        Creates a new _DebugStream wrapping the given stream (which must have
+        been created by wrap()). All attributes not provided by the _DebugStream
+        are delegated to the wrapped stream. out is the text stream to which
+        hexdumps are written.
+        """
+        self.raw = stream
+        self._out = out
+        self._rbuf = io.BytesIO()
+        self._wbuf = io.BytesIO()
+
+    def __getattr__(self, name):
+        return getattr(self.raw, name)
+
+    def __setattr__(self, name, value):
+        if name in ("raw", "_out", "_rbuf", "_wbuf"):
+            return object.__setattr__(self, name, value)
+
+        setattr(self.raw, name, value)
+
+    def read(self, *args, **kwargs):
+        buf = self.raw.read(*args, **kwargs)
+
+        self._rbuf.write(buf)
+        return buf
+
+    def write(self, b):
+        self._wbuf.write(b)
+        return self.raw.write(b)
+
+    def recv(self, *args):
+        buf = self.raw.recv(*args)
+
+        self._rbuf.write(buf)
+        return buf
+
+    def _flush(self, buf, prefix):
+        width = 16
+        hexwidth = width * 3 - 1
+
+        count = 0
+        buf.seek(0)
+
+        while True:
+            line = buf.read(16)
+
+            if not line:
+                if count:
+                    self._out.write("\n")  # separate the output block with a newline
+                return
+
+            self._out.write("%s %04X:\t" % (prefix, count))
+            self._out.write("%*s\t" % (-hexwidth, line.hex(" ")))
+            self._out.write(line.translate(self._translation_map).decode("ascii"))
+            self._out.write("\n")
+
+            count += 16
+
+    def print_debug(self, obj, *, prefix=""):
+        contents = ""
+        if obj is not None:
+            contents = str(obj)
+
+        for line in contents.splitlines():
+            self._out.write("%s%s\n" % (prefix, line))
+
+        self._out.write("\n")
+
+    def flush_debug(self, *, prefix=""):
+        self._flush(self._rbuf, prefix + "<")
+        self._rbuf = io.BytesIO()
+
+        self._flush(self._wbuf, prefix + ">")
+        self._wbuf = io.BytesIO()
+
+    def end_packet(self, pkt, *, read=False, prefix="", indent="  "):
+        """
+        Marks the end of a logical "packet" of data. A string representation of
+        pkt will be printed, and the debug buffers will be flushed with an
+        indent. All lines can be optionally prefixed.
+
+        If read is True, the packet representation is written after the debug
+        buffers; otherwise the default of False (meaning write) causes the
+        packet representation to be dumped first. This is meant to capture the
+        logical flow of layer translation.
+        """
+        write = not read
+
+        if write:
+            self.print_debug(pkt, prefix=prefix + "> ")
+
+        self.flush_debug(prefix=prefix + indent)
+
+        if read:
+            self.print_debug(pkt, prefix=prefix + "< ")
+
+
+@contextlib.contextmanager
+def wrap(socket, *, debug_stream=None):
+    """
+    Transforms a raw socket into a connection that can be used for Construct
+    building and parsing. The return value is a context manager and can be used
+    in a with statement.
+    """
+    # It is critical that buffering be disabled here, so that we can still
+    # manipulate the raw socket without desyncing the stream.
+    with socket.makefile("rwb", buffering=0) as sfile:
+        # Expose the original socket's recv() on the SocketIO object we return.
+        def recv(self, *args):
+            return socket.recv(*args)
+
+        sfile.recv = recv.__get__(sfile)
+
+        conn = sfile
+        if debug_stream:
+            conn = _DebugStream(conn, debug_stream)
+
+        try:
+            yield conn
+        finally:
+            if debug_stream:
+                conn.flush_debug(prefix="? ")
+
+
+def _send(stream, cls, obj):
+    debugging = hasattr(stream, "flush_debug")
+    out = io.BytesIO()
+
+    # Ideally we would build directly to the passed stream, but because we need
+    # to reparse the generated output for the debugging case, build to an
+    # intermediate BytesIO and send it instead.
+    cls.build_stream(obj, out)
+    buf = out.getvalue()
+
+    stream.write(buf)
+    if debugging:
+        pkt = cls.parse(buf)
+        stream.end_packet(pkt)
+
+    stream.flush()
+
+
+def send(stream, packet_type, payload_data=None, **payloadkw):
+    """
+    Sends a packet on the given pq3 connection. type is the pq3.types member
+    that should be assigned to the packet. If payload_data is given, it will be
+    used as the packet payload; otherwise the key/value pairs in payloadkw will
+    be the payload contents.
+    """
+    data = payloadkw
+
+    if payload_data is not None:
+        if payloadkw:
+            raise ValueError(
+                "payload_data and payload keywords may not be used simultaneously"
+            )
+
+        data = payload_data
+
+    _send(stream, Pq3, dict(type=packet_type, payload=data))
+
+
+def send_startup(stream, proto=None, **kwargs):
+    """
+    Sends a startup packet on the given pq3 connection. In most cases you should
+    use the handshake functions instead, which will do this for you.
+
+    By default, a protocol version 3 packet will be sent. This can be overridden
+    with the proto parameter.
+    """
+    pkt = {}
+
+    if proto is not None:
+        pkt["proto"] = proto
+    if kwargs:
+        pkt["payload"] = kwargs
+
+    _send(stream, Startup, pkt)
+
+
+def recv1(stream, *, cls=Pq3):
+    """
+    Receives a single pq3 packet from the given stream and returns it.
+    """
+    resp = cls.parse_stream(stream)
+
+    debugging = hasattr(stream, "flush_debug")
+    if debugging:
+        stream.end_packet(resp, read=True)
+
+    return resp
+
+
+def handshake(stream, **kwargs):
+    """
+    Performs a libpq v3 startup handshake. kwargs should contain the key/value
+    parameters to send to the server in the startup packet.
+    """
+    # Send our startup parameters.
+    send_startup(stream, **kwargs)
+
+    # Receive and dump packets until the server indicates it's ready for our
+    # first query.
+    while True:
+        resp = recv1(stream)
+        if resp is None:
+            raise RuntimeError("server closed connection during handshake")
+
+        if resp.type == types.ReadyForQuery:
+            return
+        elif resp.type == types.ErrorResponse:
+            raise RuntimeError(
+                f"received error response from peer: {resp.payload.fields!r}"
+            )
+
+
+# TLS
+
+
+class _TLSStream(object):
+    """
+    A file-like object that performs TLS encryption/decryption on a wrapped
+    stream. Differs from ssl.SSLSocket in that we have full visibility and
+    control over the TLS layer.
+    """
+
+    def __init__(self, stream, context):
+        self._stream = stream
+        self._debugging = hasattr(stream, "flush_debug")
+
+        self._in = ssl.MemoryBIO()
+        self._out = ssl.MemoryBIO()
+        self._ssl = context.wrap_bio(self._in, self._out)
+
+    def handshake(self):
+        try:
+            self._pump(lambda: self._ssl.do_handshake())
+        finally:
+            self._flush_debug(prefix="? ")
+
+    def read(self, *args):
+        return self._pump(lambda: self._ssl.read(*args))
+
+    def write(self, *args):
+        return self._pump(lambda: self._ssl.write(*args))
+
+    def _decode(self, buf):
+        """
+        Attempts to decode a buffer of TLS data into a packet representation
+        that can be printed.
+
+        TODO: handle buffers (and record fragments) that don't align with packet
+        boundaries.
+        """
+        end = len(buf)
+        bio = io.BytesIO(buf)
+
+        ret = io.StringIO()
+
+        while bio.tell() < end:
+            record = tls.Plaintext.parse_stream(bio)
+
+            if ret.tell() > 0:
+                ret.write("\n")
+            ret.write("[Record] ")
+            ret.write(str(record))
+            ret.write("\n")
+
+            if record.type == tls.ContentType.handshake:
+                record_cls = tls.Handshake
+            else:
+                continue
+
+            innerlen = len(record.fragment)
+            inner = io.BytesIO(record.fragment)
+
+            while inner.tell() < innerlen:
+                msg = record_cls.parse_stream(inner)
+
+                indented = "[Message] " + str(msg)
+                indented = textwrap.indent(indented, "    ")
+
+                ret.write("\n")
+                ret.write(indented)
+                ret.write("\n")
+
+        return ret.getvalue()
+
+    def flush(self):
+        if not self._out.pending:
+            self._stream.flush()
+            return
+
+        buf = self._out.read()
+        self._stream.write(buf)
+
+        if self._debugging:
+            pkt = self._decode(buf)
+            self._stream.end_packet(pkt, prefix="  ")
+
+        self._stream.flush()
+
+    def _pump(self, operation):
+        while True:
+            try:
+                return operation()
+            except (ssl.SSLWantReadError, ssl.SSLWantWriteError) as e:
+                want = e
+            self._read_write(want)
+
+    def _recv(self, maxsize):
+        buf = self._stream.recv(4096)
+        if not buf:
+            self._in.write_eof()
+            return
+
+        self._in.write(buf)
+
+        if not self._debugging:
+            return
+
+        pkt = self._decode(buf)
+        self._stream.end_packet(pkt, read=True, prefix="  ")
+
+    def _read_write(self, want):
+        # XXX This needs work. So many corner cases yet to handle. For one,
+        # doing blocking writes in flush may lead to distributed deadlock if the
+        # peer is already blocking on its writes.
+
+        if isinstance(want, ssl.SSLWantWriteError):
+            assert self._out.pending, "SSL backend wants write without data"
+
+        self.flush()
+
+        if isinstance(want, ssl.SSLWantReadError):
+            self._recv(4096)
+
+    def _flush_debug(self, prefix):
+        if not self._debugging:
+            return
+
+        self._stream.flush_debug(prefix=prefix)
+
+
+@contextlib.contextmanager
+def tls_handshake(stream, context):
+    """
+    Performs a TLS handshake over the given stream (which must have been created
+    via a call to wrap()), and returns a new stream which transparently tunnels
+    data over the TLS connection.
+
+    If the passed stream has debugging enabled, the returned stream will also
+    have debugging, using the same output IO.
+    """
+    debugging = hasattr(stream, "flush_debug")
+
+    # Send our startup parameters.
+    send_startup(stream, proto=protocol(1234, 5679))
+
+    # Look at the SSL response.
+    resp = stream.read(1)
+    if debugging:
+        stream.flush_debug(prefix="  ")
+
+    if resp == b"N":
+        raise RuntimeError("server does not support SSLRequest")
+    if resp != b"S":
+        raise RuntimeError(f"unexpected response of type {resp!r} during TLS startup")
+
+    tls = _TLSStream(stream, context)
+    tls.handshake()
+
+    if debugging:
+        tls = _DebugStream(tls, stream._out)
+
+    try:
+        yield tls
+        # TODO: teardown/unwrap the connection?
+    finally:
+        if debugging:
+            tls.flush_debug(prefix="? ")
diff --git a/src/test/python/pytest.ini b/src/test/python/pytest.ini
new file mode 100644
index 0000000000..ab7a6e7fb9
--- /dev/null
+++ b/src/test/python/pytest.ini
@@ -0,0 +1,4 @@
+[pytest]
+
+markers =
+    slow: mark test as slow
diff --git a/src/test/python/requirements.txt b/src/test/python/requirements.txt
new file mode 100644
index 0000000000..32f105ea84
--- /dev/null
+++ b/src/test/python/requirements.txt
@@ -0,0 +1,7 @@
+black
+cryptography~=3.4.6
+construct~=2.10.61
+isort~=5.6
+psycopg2~=2.8.6
+pytest~=6.1
+pytest-asyncio~=0.14.0
diff --git a/src/test/python/server/__init__.py b/src/test/python/server/__init__.py
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/test/python/server/conftest.py b/src/test/python/server/conftest.py
new file mode 100644
index 0000000000..ba7342a453
--- /dev/null
+++ b/src/test/python/server/conftest.py
@@ -0,0 +1,45 @@
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+
+import contextlib
+import socket
+import sys
+
+import pytest
+
+import pq3
+
+
+@pytest.fixture
+def connect():
+    """
+    A factory fixture that, when called, returns a socket connected to a
+    Postgres server, wrapped in a pq3 connection. The calling test will be
+    skipped automatically if a server is not running at PGHOST:PGPORT, so it's
+    best to connect as soon as possible after the test case begins, to avoid
+    doing unnecessary work.
+    """
+    # Set up an ExitStack to handle safe cleanup of all of the moving pieces.
+    with contextlib.ExitStack() as stack:
+
+        def conn_factory():
+            addr = (pq3.pghost(), pq3.pgport())
+
+            try:
+                sock = socket.create_connection(addr, timeout=2)
+            except ConnectionError as e:
+                pytest.skip(f"unable to connect to {addr}: {e}")
+
+            # Have ExitStack close our socket.
+            stack.enter_context(sock)
+
+            # Wrap the connection in a pq3 layer and have ExitStack clean it up
+            # too.
+            wrap_ctx = pq3.wrap(sock, debug_stream=sys.stdout)
+            conn = stack.enter_context(wrap_ctx)
+
+            return conn
+
+        yield conn_factory
diff --git a/src/test/python/server/test_oauth.py b/src/test/python/server/test_oauth.py
new file mode 100644
index 0000000000..cb5ca7fa23
--- /dev/null
+++ b/src/test/python/server/test_oauth.py
@@ -0,0 +1,1012 @@
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+
+import base64
+import contextlib
+import json
+import os
+import pathlib
+import secrets
+import shlex
+import shutil
+import socket
+import struct
+from multiprocessing import shared_memory
+
+import psycopg2
+import pytest
+from psycopg2 import sql
+
+import pq3
+
+MAX_SASL_MESSAGE_LENGTH = 65535
+
+INVALID_AUTHORIZATION_ERRCODE = b"28000"
+PROTOCOL_VIOLATION_ERRCODE = b"08P01"
+FEATURE_NOT_SUPPORTED_ERRCODE = b"0A000"
+
+SHARED_MEM_NAME = "oauth-pytest"
+MAX_TOKEN_SIZE = 4096
+MAX_UINT16 = 2 ** 16 - 1
+
+
+def skip_if_no_postgres():
+    """
+    Used by the oauth_ctx fixture to skip this test module if no Postgres server
+    is running.
+
+    This logic is nearly duplicated with the conn fixture. Ideally oauth_ctx
+    would depend on that, but a module-scope fixture can't depend on a
+    test-scope fixture, and we haven't reached the rule of three yet.
+    """
+    addr = (pq3.pghost(), pq3.pgport())
+
+    try:
+        with socket.create_connection(addr, timeout=2):
+            pass
+    except ConnectionError as e:
+        pytest.skip(f"unable to connect to {addr}: {e}")
+
+
+@contextlib.contextmanager
+def prepend_file(path, lines):
+    """
+    A context manager that prepends a file on disk with the desired lines of
+    text. When the context manager is exited, the file will be restored to its
+    original contents.
+    """
+    # First make a backup of the original file.
+    bak = path + ".bak"
+    shutil.copy2(path, bak)
+
+    try:
+        # Write the new lines, followed by the original file content.
+        with open(path, "w") as new, open(bak, "r") as orig:
+            new.writelines(lines)
+            shutil.copyfileobj(orig, new)
+
+        # Return control to the calling code.
+        yield
+
+    finally:
+        # Put the backup back into place.
+        os.replace(bak, path)
+
+
+@pytest.fixture(scope="module")
+def oauth_ctx():
+    """
+    Creates a database and user that use the oauth auth method. The context
+    object contains the dbname and user attributes as strings to be used during
+    connection, as well as the issuer and scope that have been set in the HBA
+    configuration.
+
+    This fixture assumes that the standard PG* environment variables point to a
+    server running on a local machine, and that the PGUSER has rights to create
+    databases and roles.
+    """
+    skip_if_no_postgres()  # don't bother running these tests without a server
+
+    id = secrets.token_hex(4)
+
+    class Context:
+        dbname = "oauth_test_" + id
+
+        user = "oauth_user_" + id
+        map_user = "oauth_map_user_" + id
+        authz_user = "oauth_authz_user_" + id
+
+        issuer = "https://example.com/" + id
+        scope = "openid " + id
+
+    ctx = Context()
+    hba_lines = (
+        f'host {ctx.dbname} {ctx.map_user}   samehost oauth issuer="{ctx.issuer}" scope="{ctx.scope}" map=oauth\n',
+        f'host {ctx.dbname} {ctx.authz_user} samehost oauth issuer="{ctx.issuer}" scope="{ctx.scope}" trust_validator_authz=1\n',
+        f'host {ctx.dbname} all              samehost oauth issuer="{ctx.issuer}" scope="{ctx.scope}"\n',
+    )
+    ident_lines = (r"oauth /^(.*)@example\.com$ \1",)
+
+    conn = psycopg2.connect("")
+    conn.autocommit = True
+
+    with contextlib.closing(conn):
+        c = conn.cursor()
+
+        # Create our roles and database.
+        user = sql.Identifier(ctx.user)
+        map_user = sql.Identifier(ctx.map_user)
+        authz_user = sql.Identifier(ctx.authz_user)
+        dbname = sql.Identifier(ctx.dbname)
+
+        c.execute(sql.SQL("CREATE ROLE {} LOGIN;").format(user))
+        c.execute(sql.SQL("CREATE ROLE {} LOGIN;").format(map_user))
+        c.execute(sql.SQL("CREATE ROLE {} LOGIN;").format(authz_user))
+        c.execute(sql.SQL("CREATE DATABASE {};").format(dbname))
+
+        # Make this test script the server's oauth_validator.
+        path = pathlib.Path(__file__).parent / "validate_bearer.py"
+        path = str(path.absolute())
+
+        cmd = f"{shlex.quote(path)} {SHARED_MEM_NAME} <&%f"
+        c.execute("ALTER SYSTEM SET oauth_validator_command TO %s;", (cmd,))
+
+        # Replace pg_hba and pg_ident.
+        c.execute("SHOW hba_file;")
+        hba = c.fetchone()[0]
+
+        c.execute("SHOW ident_file;")
+        ident = c.fetchone()[0]
+
+        with prepend_file(hba, hba_lines), prepend_file(ident, ident_lines):
+            c.execute("SELECT pg_reload_conf();")
+
+            # Use the new database and user.
+            yield ctx
+
+        # Put things back the way they were.
+        c.execute("SELECT pg_reload_conf();")
+
+        c.execute("ALTER SYSTEM RESET oauth_validator_command;")
+        c.execute(sql.SQL("DROP DATABASE {};").format(dbname))
+        c.execute(sql.SQL("DROP ROLE {};").format(authz_user))
+        c.execute(sql.SQL("DROP ROLE {};").format(map_user))
+        c.execute(sql.SQL("DROP ROLE {};").format(user))
+
+
+@pytest.fixture()
+def conn(oauth_ctx, connect):
+    """
+    A convenience wrapper for connect(). The main purpose of this fixture is to
+    make sure oauth_ctx runs its setup code before the connection is made.
+    """
+    return connect()
+
+
+@pytest.fixture(scope="module", autouse=True)
+def authn_id_extension(oauth_ctx):
+    """
+    Performs a `CREATE EXTENSION authn_id` in the test database. This fixture is
+    autoused, so tests don't need to rely on it.
+    """
+    conn = psycopg2.connect(database=oauth_ctx.dbname)
+    conn.autocommit = True
+
+    with contextlib.closing(conn):
+        c = conn.cursor()
+        c.execute("CREATE EXTENSION authn_id;")
+
+
+@pytest.fixture(scope="session")
+def shared_mem():
+    """
+    Yields a shared memory segment that can be used for communication between
+    the bearer_token fixture and ./validate_bearer.py.
+    """
+    size = MAX_TOKEN_SIZE + 2  # two byte length prefix
+    mem = shared_memory.SharedMemory(SHARED_MEM_NAME, create=True, size=size)
+
+    try:
+        with contextlib.closing(mem):
+            yield mem
+    finally:
+        mem.unlink()
+
+
+@pytest.fixture()
+def bearer_token(shared_mem):
+    """
+    Returns a factory function that, when called, will store a Bearer token in
+    shared_mem. If token is None (the default), a new token will be generated
+    using secrets.token_urlsafe() and returned; otherwise the passed token will
+    be used as-is.
+
+    When token is None, the generated token size in bytes may be specified as an
+    argument; if unset, a small 16-byte token will be generated. The token size
+    may not exceed MAX_TOKEN_SIZE in any case.
+
+    The return value is the token, converted to a bytes object.
+
+    As a special case for testing failure modes, accept_any may be set to True.
+    This signals to the validator command that any bearer token should be
+    accepted. The returned token in this case may be used or discarded as needed
+    by the test.
+    """
+
+    def set_token(token=None, *, size=16, accept_any=False):
+        if token is not None:
+            size = len(token)
+
+        if size > MAX_TOKEN_SIZE:
+            raise ValueError(f"token size {size} exceeds maximum size {MAX_TOKEN_SIZE}")
+
+        if token is None:
+            if size % 4:
+                raise ValueError(f"requested token size {size} is not a multiple of 4")
+
+            token = secrets.token_urlsafe(size // 4 * 3)
+            assert len(token) == size
+
+        try:
+            token = token.encode("ascii")
+        except AttributeError:
+            pass  # already encoded
+
+        if accept_any:
+            # Two-byte magic value.
+            shared_mem.buf[:2] = struct.pack("H", MAX_UINT16)
+        else:
+            # Two-byte length prefix, then the token data.
+            shared_mem.buf[:2] = struct.pack("H", len(token))
+            shared_mem.buf[2 : size + 2] = token
+
+        return token
+
+    return set_token
+
+
+def begin_oauth_handshake(conn, oauth_ctx, *, user=None):
+    if user is None:
+        user = oauth_ctx.authz_user
+
+    pq3.send_startup(conn, user=user, database=oauth_ctx.dbname)
+
+    resp = pq3.recv1(conn)
+    assert resp.type == pq3.types.AuthnRequest
+
+    # The server should advertise exactly one mechanism.
+    assert resp.payload.type == pq3.authn.SASL
+    assert resp.payload.body == [b"OAUTHBEARER", b""]
+
+
+def send_initial_response(conn, *, auth=None, bearer=None):
+    """
+    Sends the OAUTHBEARER initial response on the connection, using the given
+    bearer token. Alternatively to a bearer token, the initial response's auth
+    field may be explicitly specified to test corner cases.
+    """
+    if bearer is not None and auth is not None:
+        raise ValueError("exactly one of the auth and bearer kwargs must be set")
+
+    if bearer is not None:
+        auth = b"Bearer " + bearer
+
+    if auth is None:
+        raise ValueError("exactly one of the auth and bearer kwargs must be set")
+
+    initial = pq3.SASLInitialResponse.build(
+        dict(
+            name=b"OAUTHBEARER",
+            data=b"n,,\x01auth=" + auth + b"\x01\x01",
+        )
+    )
+    pq3.send(conn, pq3.types.PasswordMessage, initial)
+
+
+def expect_handshake_success(conn):
+    """
+    Validates that the server responds with an AuthnOK message, and then drains
+    the connection until a ReadyForQuery message is received.
+    """
+    resp = pq3.recv1(conn)
+
+    assert resp.type == pq3.types.AuthnRequest
+    assert resp.payload.type == pq3.authn.OK
+    assert not resp.payload.body
+
+    receive_until(conn, pq3.types.ReadyForQuery)
+
+
+def expect_handshake_failure(conn, oauth_ctx):
+    """
+    Performs the OAUTHBEARER SASL failure "handshake" and validates the server's
+    side of the conversation, including the final ErrorResponse.
+    """
+
+    # We expect a discovery "challenge" back from the server before the authn
+    # failure message.
+    resp = pq3.recv1(conn)
+    assert resp.type == pq3.types.AuthnRequest
+
+    req = resp.payload
+    assert req.type == pq3.authn.SASLContinue
+
+    body = json.loads(req.body)
+    assert body["status"] == "invalid_token"
+    assert body["scope"] == oauth_ctx.scope
+
+    expected_config = oauth_ctx.issuer + "/.well-known/openid-configuration"
+    assert body["openid-configuration"] == expected_config
+
+    # Send the dummy response to complete the failed handshake.
+    pq3.send(conn, pq3.types.PasswordMessage, b"\x01")
+    resp = pq3.recv1(conn)
+
+    err = ExpectedError(INVALID_AUTHORIZATION_ERRCODE, "bearer authentication failed")
+    err.match(resp)
+
+
+def receive_until(conn, type):
+    """
+    receive_until pulls packets off the pq3 connection until a packet with the
+    desired type is found, or an error response is received.
+    """
+    while True:
+        pkt = pq3.recv1(conn)
+
+        if pkt.type == type:
+            return pkt
+        elif pkt.type == pq3.types.ErrorResponse:
+            raise RuntimeError(
+                f"received error response from peer: {pkt.payload.fields!r}"
+            )
+
+
+@pytest.mark.parametrize("token_len", [16, 1024, 4096])
+@pytest.mark.parametrize(
+    "auth_prefix",
+    [
+        b"Bearer ",
+        b"bearer ",
+        b"Bearer    ",
+    ],
+)
+def test_oauth(conn, oauth_ctx, bearer_token, auth_prefix, token_len):
+    begin_oauth_handshake(conn, oauth_ctx)
+
+    # Generate our bearer token with the desired length.
+    token = bearer_token(size=token_len)
+    auth = auth_prefix + token
+
+    send_initial_response(conn, auth=auth)
+    expect_handshake_success(conn)
+
+    # Make sure that the server has not set an authenticated ID.
+    pq3.send(conn, pq3.types.Query, query=b"SELECT authn_id();")
+    resp = receive_until(conn, pq3.types.DataRow)
+
+    row = resp.payload
+    assert row.columns == [None]
+
+
+@pytest.mark.parametrize(
+    "token_value",
+    [
+        "abcdzA==",
+        "123456M=",
+        "x-._~+/x",
+    ],
+)
+def test_oauth_bearer_corner_cases(conn, oauth_ctx, bearer_token, token_value):
+    begin_oauth_handshake(conn, oauth_ctx)
+
+    send_initial_response(conn, bearer=bearer_token(token_value))
+
+    expect_handshake_success(conn)
+
+
+@pytest.mark.parametrize(
+    "user,authn_id,should_succeed",
+    [
+        pytest.param(
+            lambda ctx: ctx.user,
+            lambda ctx: ctx.user,
+            True,
+            id="validator authn: succeeds when authn_id == username",
+        ),
+        pytest.param(
+            lambda ctx: ctx.user,
+            lambda ctx: None,
+            False,
+            id="validator authn: fails when authn_id is not set",
+        ),
+        pytest.param(
+            lambda ctx: ctx.user,
+            lambda ctx: ctx.authz_user,
+            False,
+            id="validator authn: fails when authn_id != username",
+        ),
+        pytest.param(
+            lambda ctx: ctx.map_user,
+            lambda ctx: ctx.map_user + "@example.com",
+            True,
+            id="validator with map: succeeds when authn_id matches map",
+        ),
+        pytest.param(
+            lambda ctx: ctx.map_user,
+            lambda ctx: None,
+            False,
+            id="validator with map: fails when authn_id is not set",
+        ),
+        pytest.param(
+            lambda ctx: ctx.map_user,
+            lambda ctx: ctx.map_user + "@example.net",
+            False,
+            id="validator with map: fails when authn_id doesn't match map",
+        ),
+        pytest.param(
+            lambda ctx: ctx.authz_user,
+            lambda ctx: None,
+            True,
+            id="validator authz: succeeds with no authn_id",
+        ),
+        pytest.param(
+            lambda ctx: ctx.authz_user,
+            lambda ctx: "",
+            True,
+            id="validator authz: succeeds with empty authn_id",
+        ),
+        pytest.param(
+            lambda ctx: ctx.authz_user,
+            lambda ctx: "postgres",
+            True,
+            id="validator authz: succeeds with basic username",
+        ),
+        pytest.param(
+            lambda ctx: ctx.authz_user,
+            lambda ctx: "me@example.com",
+            True,
+            id="validator authz: succeeds with email address",
+        ),
+    ],
+)
+def test_oauth_authn_id(conn, oauth_ctx, bearer_token, user, authn_id, should_succeed):
+    token = None
+
+    authn_id = authn_id(oauth_ctx)
+    if authn_id is not None:
+        authn_id = authn_id.encode("ascii")
+
+        # As a hack to get the validator to reflect arbitrary output from this
+        # test, encode the desired output as a base64 token. The validator will
+        # key on the leading "output=" to differentiate this from the random
+        # tokens generated by secrets.token_urlsafe().
+        output = b"output=" + authn_id + b"\n"
+        token = base64.urlsafe_b64encode(output)
+
+    token = bearer_token(token)
+    username = user(oauth_ctx)
+
+    begin_oauth_handshake(conn, oauth_ctx, user=username)
+    send_initial_response(conn, bearer=token)
+
+    if not should_succeed:
+        expect_handshake_failure(conn, oauth_ctx)
+        return
+
+    expect_handshake_success(conn)
+
+    # Check the reported authn_id.
+    pq3.send(conn, pq3.types.Query, query=b"SELECT authn_id();")
+    resp = receive_until(conn, pq3.types.DataRow)
+
+    row = resp.payload
+    assert row.columns == [authn_id]
+
+
+class ExpectedError(object):
+    def __init__(self, code, msg=None, detail=None):
+        self.code = code
+        self.msg = msg
+        self.detail = detail
+
+        # Protect against the footgun of an accidental empty string, which will
+        # "match" anything. If you don't want to match message or detail, just
+        # don't pass them.
+        if self.msg == "":
+            raise ValueError("msg must be non-empty or None")
+        if self.detail == "":
+            raise ValueError("detail must be non-empty or None")
+
+    def _getfield(self, resp, type):
+        """
+        Searches an ErrorResponse for a single field of the given type (e.g.
+        "M", "C", "D") and returns its value. Asserts if it doesn't find exactly
+        one field.
+        """
+        prefix = type.encode("ascii")
+        fields = [f for f in resp.payload.fields if f.startswith(prefix)]
+
+        assert len(fields) == 1
+        return fields[0][1:]  # strip off the type byte
+
+    def match(self, resp):
+        """
+        Checks that the given response matches the expected code, message, and
+        detail (if given). The error code must match exactly. The expected
+        message and detail must be contained within the actual strings.
+        """
+        assert resp.type == pq3.types.ErrorResponse
+
+        code = self._getfield(resp, "C")
+        assert code == self.code
+
+        if self.msg:
+            msg = self._getfield(resp, "M")
+            expected = self.msg.encode("utf-8")
+            assert expected in msg
+
+        if self.detail:
+            detail = self._getfield(resp, "D")
+            expected = self.detail.encode("utf-8")
+            assert expected in detail
+
+
+def test_oauth_rejected_bearer(conn, oauth_ctx, bearer_token):
+    # Generate a new bearer token, which we will proceed not to use.
+    _ = bearer_token()
+
+    begin_oauth_handshake(conn, oauth_ctx)
+
+    # Send a bearer token that doesn't match what the validator expects. It
+    # should fail the connection.
+    send_initial_response(conn, bearer=b"xxxxxx")
+
+    expect_handshake_failure(conn, oauth_ctx)
+
+
+@pytest.mark.parametrize(
+    "bad_bearer",
+    [
+        b"Bearer    ",
+        b"Bearer a===b",
+        b"Bearer hello!",
+        b"Bearer me@example.com",
+        b'OAuth realm="Example"',
+        b"",
+    ],
+)
+def test_oauth_invalid_bearer(conn, oauth_ctx, bearer_token, bad_bearer):
+    # Tell the validator to accept any token. This ensures that the invalid
+    # bearer tokens are rejected before the validation step.
+    _ = bearer_token(accept_any=True)
+
+    begin_oauth_handshake(conn, oauth_ctx)
+    send_initial_response(conn, auth=bad_bearer)
+
+    expect_handshake_failure(conn, oauth_ctx)
+
+
+@pytest.mark.slow
+@pytest.mark.parametrize(
+    "resp_type,resp,err",
+    [
+        pytest.param(
+            None,
+            None,
+            None,
+            marks=pytest.mark.slow,
+            id="no response (expect timeout)",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            b"hello",
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "did not send a kvsep response",
+            ),
+            id="bad dummy response",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            b"\x01\x01",
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "did not send a kvsep response",
+            ),
+            id="multiple kvseps",
+        ),
+        pytest.param(
+            pq3.types.Query,
+            dict(query=b""),
+            ExpectedError(PROTOCOL_VIOLATION_ERRCODE, "expected SASL response"),
+            id="bad response message type",
+        ),
+    ],
+)
+def test_oauth_bad_response_to_error_challenge(conn, oauth_ctx, resp_type, resp, err):
+    begin_oauth_handshake(conn, oauth_ctx)
+
+    # Send an empty auth initial response, which will force an authn failure.
+    send_initial_response(conn, auth=b"")
+
+    # We expect a discovery "challenge" back from the server before the authn
+    # failure message.
+    pkt = pq3.recv1(conn)
+    assert pkt.type == pq3.types.AuthnRequest
+
+    req = pkt.payload
+    assert req.type == pq3.authn.SASLContinue
+
+    body = json.loads(req.body)
+    assert body["status"] == "invalid_token"
+
+    if resp_type is None:
+        # Do not send the dummy response. We should time out and not get a
+        # response from the server.
+        with pytest.raises(socket.timeout):
+            conn.read(1)
+
+        # Done with the test.
+        return
+
+    # Send the bad response.
+    pq3.send(conn, resp_type, resp)
+
+    # Make sure the server fails the connection correctly.
+    pkt = pq3.recv1(conn)
+    err.match(pkt)
+
+
+@pytest.mark.parametrize(
+    "type,payload,err",
+    [
+        pytest.param(
+            pq3.types.ErrorResponse,
+            dict(fields=[b""]),
+            ExpectedError(PROTOCOL_VIOLATION_ERRCODE, "expected SASL response"),
+            id="error response in initial message",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            b"x" * (MAX_SASL_MESSAGE_LENGTH + 1),
+            ExpectedError(
+                INVALID_AUTHORIZATION_ERRCODE, "bearer authentication failed"
+            ),
+            id="overlong initial response data",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"SCRAM-SHA-256")),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE, "invalid SASL authentication mechanism"
+            ),
+            id="bad SASL mechanism selection",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER", len=2, data=b"x")),
+            ExpectedError(PROTOCOL_VIOLATION_ERRCODE, "insufficient data"),
+            id="SASL data underflow",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER", len=0, data=b"x")),
+            ExpectedError(PROTOCOL_VIOLATION_ERRCODE, "invalid message format"),
+            id="SASL data overflow",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER", data=b"")),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "message is empty",
+            ),
+            id="empty",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(
+                dict(name=b"OAUTHBEARER", data=b"n,,\x01auth=\x01\x01\0")
+            ),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "length does not match input length",
+            ),
+            id="contains null byte",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER", data=b"\x01")),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "Unexpected channel-binding flag",  # XXX this is a bit strange
+            ),
+            id="initial error response",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(
+                dict(name=b"OAUTHBEARER", data=b"p=tls-server-end-point,,\x01")
+            ),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "server does not support channel binding",
+            ),
+            id="uses channel binding",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER", data=b"x,,\x01")),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "Unexpected channel-binding flag",
+            ),
+            id="invalid channel binding specifier",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER", data=b"y")),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "Comma expected",
+            ),
+            id="bad GS2 header: missing channel binding terminator",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER", data=b"y,a")),
+            ExpectedError(
+                FEATURE_NOT_SUPPORTED_ERRCODE,
+                "client uses authorization identity",
+            ),
+            id="bad GS2 header: authzid in use",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER", data=b"y,b,")),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "Unexpected attribute",
+            ),
+            id="bad GS2 header: extra attribute",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER", data=b"y,")),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "Unexpected attribute 0x00",  # XXX this is a bit strange
+            ),
+            id="bad GS2 header: missing authzid terminator",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER", data=b"y,,")),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "Key-value separator expected",
+            ),
+            id="missing initial kvsep",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER", data=b"y,,")),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "Key-value separator expected",
+            ),
+            id="missing initial kvsep",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(
+                dict(name=b"OAUTHBEARER", data=b"y,,\x01\x01")
+            ),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "does not contain an auth value",
+            ),
+            id="missing auth value: empty key-value list",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(
+                dict(name=b"OAUTHBEARER", data=b"y,,\x01host=example.com\x01\x01")
+            ),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "does not contain an auth value",
+            ),
+            id="missing auth value: other keys present",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(
+                dict(name=b"OAUTHBEARER", data=b"y,,\x01host=example.com")
+            ),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "unterminated key/value pair",
+            ),
+            id="missing value terminator",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER", data=b"y,,\x01")),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "did not contain a final terminator",
+            ),
+            id="missing list terminator: empty list",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(
+                dict(name=b"OAUTHBEARER", data=b"y,,\x01auth=Bearer 0\x01")
+            ),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "did not contain a final terminator",
+            ),
+            id="missing list terminator: with auth value",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(
+                dict(name=b"OAUTHBEARER", data=b"y,,\x01auth=Bearer 0\x01\x01blah")
+            ),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "additional data after the final terminator",
+            ),
+            id="additional key after terminator",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(
+                dict(name=b"OAUTHBEARER", data=b"y,,\x01key\x01\x01")
+            ),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "key without a value",
+            ),
+            id="key without value",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(
+                dict(
+                    name=b"OAUTHBEARER",
+                    data=b"y,,\x01auth=Bearer 0\x01auth=Bearer 1\x01\x01",
+                )
+            ),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "contains multiple auth values",
+            ),
+            id="multiple auth values",
+        ),
+    ],
+)
+def test_oauth_bad_initial_response(conn, oauth_ctx, type, payload, err):
+    begin_oauth_handshake(conn, oauth_ctx)
+
+    # The server expects a SASL response; give it something else instead.
+    if not isinstance(payload, dict):
+        payload = dict(payload_data=payload)
+    pq3.send(conn, type, **payload)
+
+    resp = pq3.recv1(conn)
+    err.match(resp)
+
+
+def test_oauth_empty_initial_response(conn, oauth_ctx, bearer_token):
+    begin_oauth_handshake(conn, oauth_ctx)
+
+    # Send an initial response without data.
+    initial = pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER"))
+    pq3.send(conn, pq3.types.PasswordMessage, initial)
+
+    # The server should respond with an empty challenge so we can send the data
+    # it wants.
+    pkt = pq3.recv1(conn)
+
+    assert pkt.type == pq3.types.AuthnRequest
+    assert pkt.payload.type == pq3.authn.SASLContinue
+    assert not pkt.payload.body
+
+    # Now send the initial data.
+    data = b"n,,\x01auth=Bearer " + bearer_token() + b"\x01\x01"
+    pq3.send(conn, pq3.types.PasswordMessage, data)
+
+    # Server should now complete the handshake.
+    expect_handshake_success(conn)
+
+
+@pytest.fixture()
+def set_validator():
+    """
+    A per-test fixture that allows a test to override the setting of
+    oauth_validator_command for the cluster. The setting will be reverted during
+    teardown.
+
+    Passing None will perform an ALTER SYSTEM RESET.
+    """
+    conn = psycopg2.connect("")
+    conn.autocommit = True
+
+    with contextlib.closing(conn):
+        c = conn.cursor()
+
+        # Save the previous value.
+        c.execute("SHOW oauth_validator_command;")
+        prev_cmd = c.fetchone()[0]
+
+        def setter(cmd):
+            c.execute("ALTER SYSTEM SET oauth_validator_command TO %s;", (cmd,))
+            c.execute("SELECT pg_reload_conf();")
+
+        yield setter
+
+        # Restore the previous value.
+        c.execute("ALTER SYSTEM SET oauth_validator_command TO %s;", (prev_cmd,))
+        c.execute("SELECT pg_reload_conf();")
+
+
+def test_oauth_no_validator(oauth_ctx, set_validator, connect, bearer_token):
+    # Clear out our validator command, then establish a new connection.
+    set_validator("")
+    conn = connect()
+
+    begin_oauth_handshake(conn, oauth_ctx)
+    send_initial_response(conn, bearer=bearer_token())
+
+    # The server should fail the connection.
+    expect_handshake_failure(conn, oauth_ctx)
+
+
+def test_oauth_validator_role(oauth_ctx, set_validator, connect):
+    # Switch the validator implementation. This validator will reflect the
+    # PGUSER as the authenticated identity.
+    path = pathlib.Path(__file__).parent / "validate_reflect.py"
+    path = str(path.absolute())
+
+    set_validator(f"{shlex.quote(path)} '%r' <&%f")
+    conn = connect()
+
+    # Log in. Note that the reflection validator ignores the bearer token.
+    begin_oauth_handshake(conn, oauth_ctx, user=oauth_ctx.user)
+    send_initial_response(conn, bearer=b"dontcare")
+    expect_handshake_success(conn)
+
+    # Check the user identity.
+    pq3.send(conn, pq3.types.Query, query=b"SELECT authn_id();")
+    resp = receive_until(conn, pq3.types.DataRow)
+
+    row = resp.payload
+    expected = oauth_ctx.user.encode("utf-8")
+    assert row.columns == [expected]
+
+
+def test_oauth_role_with_shell_unsafe_characters(oauth_ctx, set_validator, connect):
+    """
+    XXX This test pins undesirable behavior. We should be able to handle any
+    valid Postgres role name.
+    """
+    # Switch the validator implementation. This validator will reflect the
+    # PGUSER as the authenticated identity.
+    path = pathlib.Path(__file__).parent / "validate_reflect.py"
+    path = str(path.absolute())
+
+    set_validator(f"{shlex.quote(path)} '%r' <&%f")
+    conn = connect()
+
+    unsafe_username = "hello'there"
+    begin_oauth_handshake(conn, oauth_ctx, user=unsafe_username)
+
+    # The server should reject the handshake.
+    send_initial_response(conn, bearer=b"dontcare")
+    expect_handshake_failure(conn, oauth_ctx)
diff --git a/src/test/python/server/test_server.py b/src/test/python/server/test_server.py
new file mode 100644
index 0000000000..02126dba79
--- /dev/null
+++ b/src/test/python/server/test_server.py
@@ -0,0 +1,21 @@
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+
+import pq3
+
+
+def test_handshake(connect):
+    """Basic sanity check."""
+    conn = connect()
+
+    pq3.handshake(conn, user=pq3.pguser(), database=pq3.pgdatabase())
+
+    pq3.send(conn, pq3.types.Query, query=b"")
+
+    resp = pq3.recv1(conn)
+    assert resp.type == pq3.types.EmptyQueryResponse
+
+    resp = pq3.recv1(conn)
+    assert resp.type == pq3.types.ReadyForQuery
diff --git a/src/test/python/server/validate_bearer.py b/src/test/python/server/validate_bearer.py
new file mode 100755
index 0000000000..2cc73ff154
--- /dev/null
+++ b/src/test/python/server/validate_bearer.py
@@ -0,0 +1,101 @@
+#! /usr/bin/env python3
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+# DO NOT USE THIS OAUTH VALIDATOR IN PRODUCTION. It doesn't actually validate
+# anything, and it logs the bearer token data, which is sensitive.
+#
+# This executable is used as an oauth_validator_command in concert with
+# test_oauth.py. Memory is shared and communicated from that test module's
+# bearer_token() fixture.
+#
+# This script must run under the Postgres server environment; keep the
+# dependency list fairly standard.
+
+import base64
+import binascii
+import contextlib
+import struct
+import sys
+from multiprocessing import shared_memory
+
+MAX_UINT16 = 2 ** 16 - 1
+
+
+def remove_shm_from_resource_tracker():
+    """
+    Monkey-patch multiprocessing.resource_tracker so SharedMemory won't be
+    tracked. Pulled from this thread, where there are more details:
+
+        https://bugs.python.org/issue38119
+
+    TL;DR: all clients of shared memory segments automatically destroy them on
+    process exit, which makes shared memory segments much less useful. This
+    monkeypatch removes that behavior so that we can defer to the test to manage
+    the segment lifetime.
+
+    Ideally a future Python patch will pull in this fix and then the entire
+    function can go away.
+    """
+    from multiprocessing import resource_tracker
+
+    def fix_register(name, rtype):
+        if rtype == "shared_memory":
+            return
+        return resource_tracker._resource_tracker.register(self, name, rtype)
+
+    resource_tracker.register = fix_register
+
+    def fix_unregister(name, rtype):
+        if rtype == "shared_memory":
+            return
+        return resource_tracker._resource_tracker.unregister(self, name, rtype)
+
+    resource_tracker.unregister = fix_unregister
+
+    if "shared_memory" in resource_tracker._CLEANUP_FUNCS:
+        del resource_tracker._CLEANUP_FUNCS["shared_memory"]
+
+
+def main(args):
+    remove_shm_from_resource_tracker()  # XXX remove some day
+
+    # Get the expected token from the currently running test.
+    shared_mem_name = args[0]
+
+    mem = shared_memory.SharedMemory(shared_mem_name)
+    with contextlib.closing(mem):
+        # First two bytes are the token length.
+        size = struct.unpack("H", mem.buf[:2])[0]
+
+        if size == MAX_UINT16:
+            # Special case: the test wants us to accept any token.
+            sys.stderr.write("accepting token without validation\n")
+            return
+
+        # The remainder of the buffer contains the expected token.
+        assert size <= (mem.size - 2)
+        expected_token = mem.buf[2 : size + 2].tobytes()
+
+        mem.buf[:] = b"\0" * mem.size  # scribble over the token
+
+    token = sys.stdin.buffer.read()
+    if token != expected_token:
+        sys.exit(f"failed to match Bearer token ({token!r} != {expected_token!r})")
+
+    # See if the test wants us to print anything. If so, it will have encoded
+    # the desired output in the token with an "output=" prefix.
+    try:
+        # altchars="-_" corresponds to the urlsafe alphabet.
+        data = base64.b64decode(token, altchars="-_", validate=True)
+
+        if data.startswith(b"output="):
+            sys.stdout.buffer.write(data[7:])
+
+    except binascii.Error:
+        pass
+
+
+if __name__ == "__main__":
+    main(sys.argv[1:])
diff --git a/src/test/python/server/validate_reflect.py b/src/test/python/server/validate_reflect.py
new file mode 100755
index 0000000000..24c3a7e715
--- /dev/null
+++ b/src/test/python/server/validate_reflect.py
@@ -0,0 +1,34 @@
+#! /usr/bin/env python3
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+# DO NOT USE THIS OAUTH VALIDATOR IN PRODUCTION. It ignores the bearer token
+# entirely and automatically logs the user in.
+#
+# This executable is used as an oauth_validator_command in concert with
+# test_oauth.py. It expects the user's desired role name as an argument; the
+# actual token will be discarded and the user will be logged in with the role
+# name as the authenticated identity.
+#
+# This script must run under the Postgres server environment; keep the
+# dependency list fairly standard.
+
+import sys
+
+
+def main(args):
+    # We have to read the entire token as our first action to unblock the
+    # server, but we won't actually use it.
+    _ = sys.stdin.buffer.read()
+
+    if len(args) != 1:
+        sys.exit("usage: ./validate_reflect.py ROLE")
+
+    # Log the user in as the provided role.
+    role = args[0]
+    print(role)
+
+
+if __name__ == "__main__":
+    main(sys.argv[1:])
diff --git a/src/test/python/test_internals.py b/src/test/python/test_internals.py
new file mode 100644
index 0000000000..dee4855fc0
--- /dev/null
+++ b/src/test/python/test_internals.py
@@ -0,0 +1,138 @@
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+
+import io
+
+from pq3 import _DebugStream
+
+
+def test_DebugStream_read():
+    under = io.BytesIO(b"abcdefghijklmnopqrstuvwxyz")
+    out = io.StringIO()
+
+    stream = _DebugStream(under, out)
+
+    res = stream.read(5)
+    assert res == b"abcde"
+
+    res = stream.read(16)
+    assert res == b"fghijklmnopqrstu"
+
+    stream.flush_debug()
+
+    res = stream.read()
+    assert res == b"vwxyz"
+
+    stream.flush_debug()
+
+    expected = (
+        "< 0000:\t61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70\tabcdefghijklmnop\n"
+        "< 0010:\t71 72 73 74 75                                 \tqrstu\n"
+        "\n"
+        "< 0000:\t76 77 78 79 7a                                 \tvwxyz\n"
+        "\n"
+    )
+    assert out.getvalue() == expected
+
+
+def test_DebugStream_write():
+    under = io.BytesIO()
+    out = io.StringIO()
+
+    stream = _DebugStream(under, out)
+
+    stream.write(b"\x00\x01\x02")
+    stream.flush()
+
+    assert under.getvalue() == b"\x00\x01\x02"
+
+    stream.write(b"\xc0\xc1\xc2")
+    stream.flush()
+
+    assert under.getvalue() == b"\x00\x01\x02\xc0\xc1\xc2"
+
+    stream.flush_debug()
+
+    expected = "> 0000:\t00 01 02 c0 c1 c2                              \t......\n\n"
+    assert out.getvalue() == expected
+
+
+def test_DebugStream_read_write():
+    under = io.BytesIO(b"abcdefghijklmnopqrstuvwxyz")
+    out = io.StringIO()
+    stream = _DebugStream(under, out)
+
+    res = stream.read(5)
+    assert res == b"abcde"
+
+    stream.write(b"xxxxx")
+    stream.flush()
+
+    assert under.getvalue() == b"abcdexxxxxklmnopqrstuvwxyz"
+
+    res = stream.read(5)
+    assert res == b"klmno"
+
+    stream.write(b"xxxxx")
+    stream.flush()
+
+    assert under.getvalue() == b"abcdexxxxxklmnoxxxxxuvwxyz"
+
+    stream.flush_debug()
+
+    expected = (
+        "< 0000:\t61 62 63 64 65 6b 6c 6d 6e 6f                  \tabcdeklmno\n"
+        "\n"
+        "> 0000:\t78 78 78 78 78 78 78 78 78 78                  \txxxxxxxxxx\n"
+        "\n"
+    )
+    assert out.getvalue() == expected
+
+
+def test_DebugStream_end_packet():
+    under = io.BytesIO(b"abcdefghijklmnopqrstuvwxyz")
+    out = io.StringIO()
+    stream = _DebugStream(under, out)
+
+    stream.read(5)
+    stream.end_packet("read description", read=True, indent=" ")
+
+    stream.write(b"xxxxx")
+    stream.flush()
+    stream.end_packet("write description", indent=" ")
+
+    stream.read(5)
+    stream.write(b"xxxxx")
+    stream.flush()
+    stream.end_packet("read/write combo for read", read=True, indent=" ")
+
+    stream.read(5)
+    stream.write(b"xxxxx")
+    stream.flush()
+    stream.end_packet("read/write combo for write", indent=" ")
+
+    expected = (
+        " < 0000:\t61 62 63 64 65                                 \tabcde\n"
+        "\n"
+        "< read description\n"
+        "\n"
+        "> write description\n"
+        "\n"
+        " > 0000:\t78 78 78 78 78                                 \txxxxx\n"
+        "\n"
+        " < 0000:\t6b 6c 6d 6e 6f                                 \tklmno\n"
+        "\n"
+        " > 0000:\t78 78 78 78 78                                 \txxxxx\n"
+        "\n"
+        "< read/write combo for read\n"
+        "\n"
+        "> read/write combo for write\n"
+        "\n"
+        " < 0000:\t75 76 77 78 79                                 \tuvwxy\n"
+        "\n"
+        " > 0000:\t78 78 78 78 78                                 \txxxxx\n"
+        "\n"
+    )
+    assert out.getvalue() == expected
diff --git a/src/test/python/test_pq3.py b/src/test/python/test_pq3.py
new file mode 100644
index 0000000000..e0c0e0568d
--- /dev/null
+++ b/src/test/python/test_pq3.py
@@ -0,0 +1,558 @@
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+
+import contextlib
+import getpass
+import io
+import struct
+import sys
+
+import pytest
+from construct import Container, PaddingError, StreamError, TerminatedError
+
+import pq3
+
+
+@pytest.mark.parametrize(
+    "raw,expected,extra",
+    [
+        pytest.param(
+            b"\x00\x00\x00\x10\x00\x04\x00\x00abcdefgh",
+            Container(len=16, proto=0x40000, payload=b"abcdefgh"),
+            b"",
+            id="8-byte payload",
+        ),
+        pytest.param(
+            b"\x00\x00\x00\x08\x00\x04\x00\x00",
+            Container(len=8, proto=0x40000, payload=b""),
+            b"",
+            id="no payload",
+        ),
+        pytest.param(
+            b"\x00\x00\x00\x09\x00\x04\x00\x00abcde",
+            Container(len=9, proto=0x40000, payload=b"a"),
+            b"bcde",
+            id="1-byte payload and extra padding",
+        ),
+        pytest.param(
+            b"\x00\x00\x00\x0B\x00\x03\x00\x00hi\x00",
+            Container(len=11, proto=pq3.protocol(3, 0), payload=[b"hi"]),
+            b"",
+            id="implied parameter list when using proto version 3.0",
+        ),
+    ],
+)
+def test_Startup_parse(raw, expected, extra):
+    with io.BytesIO(raw) as stream:
+        actual = pq3.Startup.parse_stream(stream)
+
+        assert actual == expected
+        assert stream.read() == extra
+
+
+@pytest.mark.parametrize(
+    "packet,expected_bytes",
+    [
+        pytest.param(
+            dict(),
+            b"\x00\x00\x00\x08\x00\x00\x00\x00",
+            id="nothing set",
+        ),
+        pytest.param(
+            dict(len=10, proto=0x12345678),
+            b"\x00\x00\x00\x0A\x12\x34\x56\x78\x00\x00",
+            id="len and proto set explicitly",
+        ),
+        pytest.param(
+            dict(proto=0x12345678),
+            b"\x00\x00\x00\x08\x12\x34\x56\x78",
+            id="implied len with no payload",
+        ),
+        pytest.param(
+            dict(proto=0x12345678, payload=b"abcd"),
+            b"\x00\x00\x00\x0C\x12\x34\x56\x78abcd",
+            id="implied len with payload",
+        ),
+        pytest.param(
+            dict(payload=[b""]),
+            b"\x00\x00\x00\x09\x00\x03\x00\x00\x00",
+            id="implied proto version 3 when sending parameters",
+        ),
+        pytest.param(
+            dict(payload=[b"hi", b""]),
+            b"\x00\x00\x00\x0C\x00\x03\x00\x00hi\x00\x00",
+            id="implied proto version 3 and len when sending more than one parameter",
+        ),
+        pytest.param(
+            dict(payload=dict(user="jsmith", database="postgres")),
+            b"\x00\x00\x00\x27\x00\x03\x00\x00user\x00jsmith\x00database\x00postgres\x00\x00",
+            id="auto-serialization of dict parameters",
+        ),
+    ],
+)
+def test_Startup_build(packet, expected_bytes):
+    actual = pq3.Startup.build(packet)
+    assert actual == expected_bytes
+
+
+@pytest.mark.parametrize(
+    "raw,expected,extra",
+    [
+        pytest.param(
+            b"*\x00\x00\x00\x08abcd",
+            dict(type=b"*", len=8, payload=b"abcd"),
+            b"",
+            id="4-byte payload",
+        ),
+        pytest.param(
+            b"*\x00\x00\x00\x04",
+            dict(type=b"*", len=4, payload=b""),
+            b"",
+            id="no payload",
+        ),
+        pytest.param(
+            b"*\x00\x00\x00\x05xabcd",
+            dict(type=b"*", len=5, payload=b"x"),
+            b"abcd",
+            id="1-byte payload with extra padding",
+        ),
+        pytest.param(
+            b"R\x00\x00\x00\x08\x00\x00\x00\x00",
+            dict(
+                type=pq3.types.AuthnRequest,
+                len=8,
+                payload=dict(type=pq3.authn.OK, body=None),
+            ),
+            b"",
+            id="AuthenticationOk",
+        ),
+        pytest.param(
+            b"R\x00\x00\x00\x12\x00\x00\x00\x0AEXTERNAL\x00\x00",
+            dict(
+                type=pq3.types.AuthnRequest,
+                len=18,
+                payload=dict(type=pq3.authn.SASL, body=[b"EXTERNAL", b""]),
+            ),
+            b"",
+            id="AuthenticationSASL",
+        ),
+        pytest.param(
+            b"R\x00\x00\x00\x0D\x00\x00\x00\x0B12345",
+            dict(
+                type=pq3.types.AuthnRequest,
+                len=13,
+                payload=dict(type=pq3.authn.SASLContinue, body=b"12345"),
+            ),
+            b"",
+            id="AuthenticationSASLContinue",
+        ),
+        pytest.param(
+            b"R\x00\x00\x00\x0D\x00\x00\x00\x0C12345",
+            dict(
+                type=pq3.types.AuthnRequest,
+                len=13,
+                payload=dict(type=pq3.authn.SASLFinal, body=b"12345"),
+            ),
+            b"",
+            id="AuthenticationSASLFinal",
+        ),
+        pytest.param(
+            b"p\x00\x00\x00\x0Bhunter2",
+            dict(
+                type=pq3.types.PasswordMessage,
+                len=11,
+                payload=b"hunter2",
+            ),
+            b"",
+            id="PasswordMessage",
+        ),
+        pytest.param(
+            b"K\x00\x00\x00\x0C\x00\x00\x00\x00\x12\x34\x56\x78",
+            dict(
+                type=pq3.types.BackendKeyData,
+                len=12,
+                payload=dict(pid=0, key=0x12345678),
+            ),
+            b"",
+            id="BackendKeyData",
+        ),
+        pytest.param(
+            b"C\x00\x00\x00\x08SET\x00",
+            dict(
+                type=pq3.types.CommandComplete,
+                len=8,
+                payload=dict(tag=b"SET"),
+            ),
+            b"",
+            id="CommandComplete",
+        ),
+        pytest.param(
+            b"E\x00\x00\x00\x11Mbad!\x00Mdog!\x00\x00",
+            dict(type=b"E", len=17, payload=dict(fields=[b"Mbad!", b"Mdog!", b""])),
+            b"",
+            id="ErrorResponse",
+        ),
+        pytest.param(
+            b"S\x00\x00\x00\x08a\x00b\x00",
+            dict(
+                type=pq3.types.ParameterStatus,
+                len=8,
+                payload=dict(name=b"a", value=b"b"),
+            ),
+            b"",
+            id="ParameterStatus",
+        ),
+        pytest.param(
+            b"Z\x00\x00\x00\x05x",
+            dict(type=b"Z", len=5, payload=dict(status=b"x")),
+            b"",
+            id="ReadyForQuery",
+        ),
+        pytest.param(
+            b"Q\x00\x00\x00\x06!\x00",
+            dict(type=pq3.types.Query, len=6, payload=dict(query=b"!")),
+            b"",
+            id="Query",
+        ),
+        pytest.param(
+            b"D\x00\x00\x00\x0B\x00\x01\x00\x00\x00\x01!",
+            dict(type=pq3.types.DataRow, len=11, payload=dict(columns=[b"!"])),
+            b"",
+            id="DataRow",
+        ),
+        pytest.param(
+            b"D\x00\x00\x00\x06\x00\x00extra",
+            dict(type=pq3.types.DataRow, len=6, payload=dict(columns=[])),
+            b"extra",
+            id="DataRow with extra data",
+        ),
+        pytest.param(
+            b"I\x00\x00\x00\x04",
+            dict(type=pq3.types.EmptyQueryResponse, len=4, payload=None),
+            b"",
+            id="EmptyQueryResponse",
+        ),
+        pytest.param(
+            b"I\x00\x00\x00\x04\xFF",
+            dict(type=b"I", len=4, payload=None),
+            b"\xFF",
+            id="EmptyQueryResponse with extra bytes",
+        ),
+        pytest.param(
+            b"X\x00\x00\x00\x04",
+            dict(type=pq3.types.Terminate, len=4, payload=None),
+            b"",
+            id="Terminate",
+        ),
+    ],
+)
+def test_Pq3_parse(raw, expected, extra):
+    with io.BytesIO(raw) as stream:
+        actual = pq3.Pq3.parse_stream(stream)
+
+        assert actual == expected
+        assert stream.read() == extra
+
+
+@pytest.mark.parametrize(
+    "fields,expected",
+    [
+        pytest.param(
+            dict(type=b"*", len=5),
+            b"*\x00\x00\x00\x05\x00",
+            id="type and len set explicitly",
+        ),
+        pytest.param(
+            dict(type=b"*"),
+            b"*\x00\x00\x00\x04",
+            id="implied len with no payload",
+        ),
+        pytest.param(
+            dict(type=b"*", payload=b"1234"),
+            b"*\x00\x00\x00\x081234",
+            id="implied len with payload",
+        ),
+        pytest.param(
+            dict(type=pq3.types.AuthnRequest, payload=dict(type=pq3.authn.OK)),
+            b"R\x00\x00\x00\x08\x00\x00\x00\x00",
+            id="implied len/type for AuthenticationOK",
+        ),
+        pytest.param(
+            dict(
+                type=pq3.types.AuthnRequest,
+                payload=dict(
+                    type=pq3.authn.SASL,
+                    body=[b"SCRAM-SHA-256-PLUS", b"SCRAM-SHA-256", b""],
+                ),
+            ),
+            b"R\x00\x00\x00\x2A\x00\x00\x00\x0ASCRAM-SHA-256-PLUS\x00SCRAM-SHA-256\x00\x00",
+            id="implied len/type for AuthenticationSASL",
+        ),
+        pytest.param(
+            dict(
+                type=pq3.types.AuthnRequest,
+                payload=dict(type=pq3.authn.SASLContinue, body=b"12345"),
+            ),
+            b"R\x00\x00\x00\x0D\x00\x00\x00\x0B12345",
+            id="implied len/type for AuthenticationSASLContinue",
+        ),
+        pytest.param(
+            dict(
+                type=pq3.types.AuthnRequest,
+                payload=dict(type=pq3.authn.SASLFinal, body=b"12345"),
+            ),
+            b"R\x00\x00\x00\x0D\x00\x00\x00\x0C12345",
+            id="implied len/type for AuthenticationSASLFinal",
+        ),
+        pytest.param(
+            dict(
+                type=pq3.types.PasswordMessage,
+                payload=b"hunter2",
+            ),
+            b"p\x00\x00\x00\x0Bhunter2",
+            id="implied len/type for PasswordMessage",
+        ),
+        pytest.param(
+            dict(type=pq3.types.BackendKeyData, payload=dict(pid=1, key=7)),
+            b"K\x00\x00\x00\x0C\x00\x00\x00\x01\x00\x00\x00\x07",
+            id="implied len/type for BackendKeyData",
+        ),
+        pytest.param(
+            dict(type=pq3.types.CommandComplete, payload=dict(tag=b"SET")),
+            b"C\x00\x00\x00\x08SET\x00",
+            id="implied len/type for CommandComplete",
+        ),
+        pytest.param(
+            dict(type=pq3.types.ErrorResponse, payload=dict(fields=[b"error", b""])),
+            b"E\x00\x00\x00\x0Berror\x00\x00",
+            id="implied len/type for ErrorResponse",
+        ),
+        pytest.param(
+            dict(type=pq3.types.ParameterStatus, payload=dict(name=b"a", value=b"b")),
+            b"S\x00\x00\x00\x08a\x00b\x00",
+            id="implied len/type for ParameterStatus",
+        ),
+        pytest.param(
+            dict(type=pq3.types.ReadyForQuery, payload=dict(status=b"I")),
+            b"Z\x00\x00\x00\x05I",
+            id="implied len/type for ReadyForQuery",
+        ),
+        pytest.param(
+            dict(type=pq3.types.Query, payload=dict(query=b"SELECT 1;")),
+            b"Q\x00\x00\x00\x0eSELECT 1;\x00",
+            id="implied len/type for Query",
+        ),
+        pytest.param(
+            dict(type=pq3.types.DataRow, payload=dict(columns=[b"abcd"])),
+            b"D\x00\x00\x00\x0E\x00\x01\x00\x00\x00\x04abcd",
+            id="implied len/type for DataRow",
+        ),
+        pytest.param(
+            dict(type=pq3.types.EmptyQueryResponse),
+            b"I\x00\x00\x00\x04",
+            id="implied len for EmptyQueryResponse",
+        ),
+        pytest.param(
+            dict(type=pq3.types.Terminate),
+            b"X\x00\x00\x00\x04",
+            id="implied len for Terminate",
+        ),
+    ],
+)
+def test_Pq3_build(fields, expected):
+    actual = pq3.Pq3.build(fields)
+    assert actual == expected
+
+
+@pytest.mark.parametrize(
+    "raw,expected,extra",
+    [
+        pytest.param(
+            b"\x00\x00",
+            dict(columns=[]),
+            b"",
+            id="no columns",
+        ),
+        pytest.param(
+            b"\x00\x01\x00\x00\x00\x04abcd",
+            dict(columns=[b"abcd"]),
+            b"",
+            id="one column",
+        ),
+        pytest.param(
+            b"\x00\x02\x00\x00\x00\x04abcd\x00\x00\x00\x01x",
+            dict(columns=[b"abcd", b"x"]),
+            b"",
+            id="multiple columns",
+        ),
+        pytest.param(
+            b"\x00\x02\x00\x00\x00\x00\x00\x00\x00\x01x",
+            dict(columns=[b"", b"x"]),
+            b"",
+            id="empty column value",
+        ),
+        pytest.param(
+            b"\x00\x02\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF",
+            dict(columns=[None, None]),
+            b"",
+            id="null columns",
+        ),
+    ],
+)
+def test_DataRow_parse(raw, expected, extra):
+    pkt = b"D" + struct.pack("!i", len(raw) + 4) + raw
+    with io.BytesIO(pkt) as stream:
+        actual = pq3.Pq3.parse_stream(stream)
+
+        assert actual.type == pq3.types.DataRow
+        assert actual.payload == expected
+        assert stream.read() == extra
+
+
+@pytest.mark.parametrize(
+    "fields,expected",
+    [
+        pytest.param(
+            dict(),
+            b"\x00\x00",
+            id="no columns",
+        ),
+        pytest.param(
+            dict(columns=[None, None]),
+            b"\x00\x02\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF",
+            id="null columns",
+        ),
+    ],
+)
+def test_DataRow_build(fields, expected):
+    actual = pq3.Pq3.build(dict(type=pq3.types.DataRow, payload=fields))
+
+    expected = b"D" + struct.pack("!i", len(expected) + 4) + expected
+    assert actual == expected
+
+
+@pytest.mark.parametrize(
+    "raw,expected,exception",
+    [
+        pytest.param(
+            b"EXTERNAL\x00\xFF\xFF\xFF\xFF",
+            dict(name=b"EXTERNAL", len=-1, data=None),
+            None,
+            id="no initial response",
+        ),
+        pytest.param(
+            b"EXTERNAL\x00\x00\x00\x00\x02me",
+            dict(name=b"EXTERNAL", len=2, data=b"me"),
+            None,
+            id="initial response",
+        ),
+        pytest.param(
+            b"EXTERNAL\x00\x00\x00\x00\x02meextra",
+            None,
+            TerminatedError,
+            id="extra data",
+        ),
+        pytest.param(
+            b"EXTERNAL\x00\x00\x00\x00\xFFme",
+            None,
+            StreamError,
+            id="underflow",
+        ),
+    ],
+)
+def test_SASLInitialResponse_parse(raw, expected, exception):
+    ctx = contextlib.nullcontext()
+    if exception:
+        ctx = pytest.raises(exception)
+
+    with ctx:
+        actual = pq3.SASLInitialResponse.parse(raw)
+        assert actual == expected
+
+
+@pytest.mark.parametrize(
+    "fields,expected",
+    [
+        pytest.param(
+            dict(name=b"EXTERNAL"),
+            b"EXTERNAL\x00\xFF\xFF\xFF\xFF",
+            id="no initial response",
+        ),
+        pytest.param(
+            dict(name=b"EXTERNAL", data=None),
+            b"EXTERNAL\x00\xFF\xFF\xFF\xFF",
+            id="no initial response (explicit None)",
+        ),
+        pytest.param(
+            dict(name=b"EXTERNAL", data=b""),
+            b"EXTERNAL\x00\x00\x00\x00\x00",
+            id="empty response",
+        ),
+        pytest.param(
+            dict(name=b"EXTERNAL", data=b"me@example.com"),
+            b"EXTERNAL\x00\x00\x00\x00\x0Eme@example.com",
+            id="initial response",
+        ),
+        pytest.param(
+            dict(name=b"EXTERNAL", len=2, data=b"me@example.com"),
+            b"EXTERNAL\x00\x00\x00\x00\x02me@example.com",
+            id="data overflow",
+        ),
+        pytest.param(
+            dict(name=b"EXTERNAL", len=14, data=b"me"),
+            b"EXTERNAL\x00\x00\x00\x00\x0Eme",
+            id="data underflow",
+        ),
+    ],
+)
+def test_SASLInitialResponse_build(fields, expected):
+    actual = pq3.SASLInitialResponse.build(fields)
+    assert actual == expected
+
+
+@pytest.mark.parametrize(
+    "version,expected_bytes",
+    [
+        pytest.param((3, 0), b"\x00\x03\x00\x00", id="version 3"),
+        pytest.param((1234, 5679), b"\x04\xd2\x16\x2f", id="SSLRequest"),
+    ],
+)
+def test_protocol(version, expected_bytes):
+    # Make sure the integer returned by protocol is correctly serialized on the
+    # wire.
+    assert struct.pack("!i", pq3.protocol(*version)) == expected_bytes
+
+
+@pytest.mark.parametrize(
+    "envvar,func,expected",
+    [
+        ("PGHOST", pq3.pghost, "localhost"),
+        ("PGPORT", pq3.pgport, 5432),
+        ("PGUSER", pq3.pguser, getpass.getuser()),
+        ("PGDATABASE", pq3.pgdatabase, "postgres"),
+    ],
+)
+def test_env_defaults(monkeypatch, envvar, func, expected):
+    monkeypatch.delenv(envvar, raising=False)
+
+    actual = func()
+    assert actual == expected
+
+
+@pytest.mark.parametrize(
+    "envvars,func,expected",
+    [
+        (dict(PGHOST="otherhost"), pq3.pghost, "otherhost"),
+        (dict(PGPORT="6789"), pq3.pgport, 6789),
+        (dict(PGUSER="postgres"), pq3.pguser, "postgres"),
+        (dict(PGDATABASE="template1"), pq3.pgdatabase, "template1"),
+    ],
+)
+def test_env(monkeypatch, envvars, func, expected):
+    for k, v in envvars.items():
+        monkeypatch.setenv(k, v)
+
+    actual = func()
+    assert actual == expected
diff --git a/src/test/python/tls.py b/src/test/python/tls.py
new file mode 100644
index 0000000000..075c02c1ca
--- /dev/null
+++ b/src/test/python/tls.py
@@ -0,0 +1,195 @@
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+
+from construct import *
+
+#
+# TLS 1.3
+#
+# Most of the types below are transcribed from RFC 8446:
+#
+#     https://tools.ietf.org/html/rfc8446
+#
+
+
+def _Vector(size_field, element):
+    return Prefixed(size_field, GreedyRange(element))
+
+
+# Alerts
+
+AlertLevel = Enum(
+    Byte,
+    warning=1,
+    fatal=2,
+)
+
+AlertDescription = Enum(
+    Byte,
+    close_notify=0,
+    unexpected_message=10,
+    bad_record_mac=20,
+    decryption_failed_RESERVED=21,
+    record_overflow=22,
+    decompression_failure=30,
+    handshake_failure=40,
+    no_certificate_RESERVED=41,
+    bad_certificate=42,
+    unsupported_certificate=43,
+    certificate_revoked=44,
+    certificate_expired=45,
+    certificate_unknown=46,
+    illegal_parameter=47,
+    unknown_ca=48,
+    access_denied=49,
+    decode_error=50,
+    decrypt_error=51,
+    export_restriction_RESERVED=60,
+    protocol_version=70,
+    insufficient_security=71,
+    internal_error=80,
+    user_canceled=90,
+    no_renegotiation=100,
+    unsupported_extension=110,
+)
+
+Alert = Struct(
+    "level" / AlertLevel,
+    "description" / AlertDescription,
+)
+
+
+# Extensions
+
+ExtensionType = Enum(
+    Int16ub,
+    server_name=0,
+    max_fragment_length=1,
+    status_request=5,
+    supported_groups=10,
+    signature_algorithms=13,
+    use_srtp=14,
+    heartbeat=15,
+    application_layer_protocol_negotiation=16,
+    signed_certificate_timestamp=18,
+    client_certificate_type=19,
+    server_certificate_type=20,
+    padding=21,
+    pre_shared_key=41,
+    early_data=42,
+    supported_versions=43,
+    cookie=44,
+    psk_key_exchange_modes=45,
+    certificate_authorities=47,
+    oid_filters=48,
+    post_handshake_auth=49,
+    signature_algorithms_cert=50,
+    key_share=51,
+)
+
+Extension = Struct(
+    "extension_type" / ExtensionType,
+    "extension_data" / Prefixed(Int16ub, GreedyBytes),
+)
+
+
+# ClientHello
+
+
+class _CipherSuiteAdapter(Adapter):
+    class _hextuple(tuple):
+        def __repr__(self):
+            return f"(0x{self[0]:02X}, 0x{self[1]:02X})"
+
+    def _encode(self, obj, context, path):
+        return bytes(obj)
+
+    def _decode(self, obj, context, path):
+        assert len(obj) == 2
+        return self._hextuple(obj)
+
+
+ProtocolVersion = Hex(Int16ub)
+
+Random = Hex(Bytes(32))
+
+CipherSuite = _CipherSuiteAdapter(Byte[2])
+
+ClientHello = Struct(
+    "legacy_version" / ProtocolVersion,
+    "random" / Random,
+    "legacy_session_id" / Prefixed(Byte, Hex(GreedyBytes)),
+    "cipher_suites" / _Vector(Int16ub, CipherSuite),
+    "legacy_compression_methods" / Prefixed(Byte, GreedyBytes),
+    "extensions" / _Vector(Int16ub, Extension),
+)
+
+# ServerHello
+
+ServerHello = Struct(
+    "legacy_version" / ProtocolVersion,
+    "random" / Random,
+    "legacy_session_id_echo" / Prefixed(Byte, Hex(GreedyBytes)),
+    "cipher_suite" / CipherSuite,
+    "legacy_compression_method" / Hex(Byte),
+    "extensions" / _Vector(Int16ub, Extension),
+)
+
+# Handshake
+
+HandshakeType = Enum(
+    Byte,
+    client_hello=1,
+    server_hello=2,
+    new_session_ticket=4,
+    end_of_early_data=5,
+    encrypted_extensions=8,
+    certificate=11,
+    certificate_request=13,
+    certificate_verify=15,
+    finished=20,
+    key_update=24,
+    message_hash=254,
+)
+
+Handshake = Struct(
+    "msg_type" / HandshakeType,
+    "length" / Int24ub,
+    "payload"
+    / Switch(
+        this.msg_type,
+        {
+            HandshakeType.client_hello: ClientHello,
+            HandshakeType.server_hello: ServerHello,
+            # HandshakeType.end_of_early_data: EndOfEarlyData,
+            # HandshakeType.encrypted_extensions: EncryptedExtensions,
+            # HandshakeType.certificate_request: CertificateRequest,
+            # HandshakeType.certificate: Certificate,
+            # HandshakeType.certificate_verify: CertificateVerify,
+            # HandshakeType.finished: Finished,
+            # HandshakeType.new_session_ticket: NewSessionTicket,
+            # HandshakeType.key_update: KeyUpdate,
+        },
+        default=FixedSized(this.length, GreedyBytes),
+    ),
+)
+
+# Records
+
+ContentType = Enum(
+    Byte,
+    invalid=0,
+    change_cipher_spec=20,
+    alert=21,
+    handshake=22,
+    application_data=23,
+)
+
+Plaintext = Struct(
+    "type" / ContentType,
+    "legacy_record_version" / ProtocolVersion,
+    "length" / Int16ub,
+    "fragment" / FixedSized(this.length, GreedyBytes),
+)
-- 
2.25.1

From d275b329aaed6c6ef2403e4c313725a1ae88fa40 Mon Sep 17 00:00:00 2001
From: Jacob Champion <pchampion@vmware.com>
Date: Fri, 4 Mar 2022 08:48:47 -0800
Subject: [PATCH v3 9/9] contrib/oauth: switch to pluggable auth API

Move the core server implementation to contrib/oauth as a pluggable
provider, using the RegisterAuthProvider() API. oauth_validator_command
has been moved from core to a custom GUC. Tests have been updated to
handle the new implementations.

Some server modifications remain:
- Adding new HBA options for custom providers
- Registering support for usermaps
- Allowing custom SASL mechanisms to declare their own maximum message
  length

This patch is optional; you can apply/revert it to compare the two
approaches.
---
 contrib/oauth/Makefile                        | 16 +++++++
 .../auth-oauth.c => contrib/oauth/oauth.c     | 47 +++++++++++++++----
 src/backend/libpq/Makefile                    |  1 -
 src/backend/libpq/auth.c                      |  7 ---
 src/backend/libpq/hba.c                       | 21 +++++----
 src/backend/utils/misc/guc.c                  | 12 -----
 src/include/libpq/hba.h                       |  3 +-
 src/include/libpq/oauth.h                     | 24 ----------
 src/test/python/server/test_oauth.py          | 20 ++++----
 9 files changed, 78 insertions(+), 73 deletions(-)
 create mode 100644 contrib/oauth/Makefile
 rename src/backend/libpq/auth-oauth.c => contrib/oauth/oauth.c (95%)
 delete mode 100644 src/include/libpq/oauth.h

diff --git a/contrib/oauth/Makefile b/contrib/oauth/Makefile
new file mode 100644
index 0000000000..880bc1fef3
--- /dev/null
+++ b/contrib/oauth/Makefile
@@ -0,0 +1,16 @@
+# contrib/oauth/Makefile
+
+MODULE_big = oauth
+OBJS = oauth.o
+PGFILEDESC = "oauth - auth provider supporting OAuth 2.0/OIDC"
+
+ifdef USE_PGXS
+PG_CONFIG = pg_config
+PGXS := $(shell $(PG_CONFIG) --pgxs)
+include $(PGXS)
+else
+subdir = contrib/oauth
+top_builddir = ../..
+include $(top_builddir)/src/Makefile.global
+include $(top_srcdir)/contrib/contrib-global.mk
+endif
diff --git a/src/backend/libpq/auth-oauth.c b/contrib/oauth/oauth.c
similarity index 95%
rename from src/backend/libpq/auth-oauth.c
rename to contrib/oauth/oauth.c
index c1232a31a0..3a6dab19d9 100644
--- a/src/backend/libpq/auth-oauth.c
+++ b/contrib/oauth/oauth.c
@@ -1,33 +1,39 @@
-/*-------------------------------------------------------------------------
+/* -------------------------------------------------------------------------
  *
- * auth-oauth.c
+ * oauth.c
  *	  Server-side implementation of the SASL OAUTHBEARER mechanism.
  *
  * See the following RFC for more details:
  * - RFC 7628: https://tools.ietf.org/html/rfc7628
  *
- * Portions Copyright (c) 1996-2021, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1996-2022, PostgreSQL Global Development Group
  * Portions Copyright (c) 1994, Regents of the University of California
  *
- * src/backend/libpq/auth-oauth.c
+ * contrib/oauth/oauth.c
  *
- *-------------------------------------------------------------------------
+ * -------------------------------------------------------------------------
  */
+
 #include "postgres.h"
 
 #include <unistd.h>
 #include <fcntl.h>
 
 #include "common/oauth-common.h"
+#include "fmgr.h"
 #include "lib/stringinfo.h"
 #include "libpq/auth.h"
 #include "libpq/hba.h"
-#include "libpq/oauth.h"
 #include "libpq/sasl.h"
 #include "storage/fd.h"
+#include "utils/guc.h"
+
+PG_MODULE_MAGIC;
+
+void _PG_init(void);
 
 /* GUC */
-char *oauth_validator_command;
+static char *oauth_validator_command;
 
 static void  oauth_get_mechanisms(Port *port, StringInfo buf);
 static void *oauth_init(Port *port, const char *selected_mech, const char *shadow_pass);
@@ -35,7 +41,7 @@ static int   oauth_exchange(void *opaq, const char *input, int inputlen,
 							char **output, int *outputlen, const char **logdetail);
 
 /* Mechanism declaration */
-const pg_be_sasl_mech pg_be_oauth_mech = {
+static const pg_be_sasl_mech oauth_mech = {
 	oauth_get_mechanisms,
 	oauth_init,
 	oauth_exchange,
@@ -795,3 +801,28 @@ username_ok_for_shell(const char *username)
 
 	return true;
 }
+
+static int CheckOAuth(Port *port)
+{
+	return CheckSASLAuth(&oauth_mech, port, NULL, NULL);
+}
+
+static const char *OAuthError(Port *port)
+{
+	return psprintf("OAuth bearer authentication failed for user \"%s\"",
+					port->user_name);
+}
+
+void
+_PG_init(void)
+{
+	RegisterAuthProvider("oauth", CheckOAuth, OAuthError);
+
+	DefineCustomStringVariable("oauth.validator_command",
+							   gettext_noop("Command to validate OAuth v2 bearer tokens."),
+							   NULL,
+							   &oauth_validator_command,
+							   "",
+							   PGC_SIGHUP, GUC_SUPERUSER_ONLY,
+							   NULL, NULL, NULL);
+}
diff --git a/src/backend/libpq/Makefile b/src/backend/libpq/Makefile
index 98eb2a8242..6d385fd6a4 100644
--- a/src/backend/libpq/Makefile
+++ b/src/backend/libpq/Makefile
@@ -15,7 +15,6 @@ include $(top_builddir)/src/Makefile.global
 # be-fsstubs is here for historical reasons, probably belongs elsewhere
 
 OBJS = \
-	auth-oauth.o \
 	auth-sasl.o \
 	auth-scram.o \
 	auth.o \
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 5c30904e2b..3533b0bc50 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -30,7 +30,6 @@
 #include "libpq/auth.h"
 #include "libpq/crypt.h"
 #include "libpq/libpq.h"
-#include "libpq/oauth.h"
 #include "libpq/pqformat.h"
 #include "libpq/sasl.h"
 #include "libpq/scram.h"
@@ -303,9 +302,6 @@ auth_failed(Port *port, int status, const char *logdetail)
 		case uaRADIUS:
 			errstr = gettext_noop("RADIUS authentication failed for user \"%s\"");
 			break;
-		case uaOAuth:
-			errstr = gettext_noop("OAuth bearer authentication failed for user \"%s\"");
-			break;
 		case uaCustom:
 			if (CustomAuthenticationError_hook)
 				errstr = CustomAuthenticationError_hook(port);
@@ -631,9 +627,6 @@ ClientAuthentication(Port *port)
 		case uaTrust:
 			status = STATUS_OK;
 			break;
-		case uaOAuth:
-			status = CheckSASLAuth(&pg_be_oauth_mech, port, NULL, NULL);
-			break;
 		case uaCustom:
 			if (CustomAuthenticationCheck_hook)
 				status = CustomAuthenticationCheck_hook(port);
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index f7f3059927..fb51c53cc0 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -136,7 +136,6 @@ static const char *const UserAuthName[] =
 	"radius",
 	"custom",
 	"peer",
-	"oauth",
 };
 
 
@@ -1401,8 +1400,6 @@ parse_hba_line(TokenizedLine *tok_line, int elevel)
 #endif
 	else if (strcmp(token->string, "radius") == 0)
 		parsedline->auth_method = uaRADIUS;
-	else if (strcmp(token->string, "oauth") == 0)
-		parsedline->auth_method = uaOAuth;
 	else if (strcmp(token->string, "custom") == 0)
 		parsedline->auth_method = uaCustom;
 	else
@@ -1731,9 +1728,9 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
 			hbaline->auth_method != uaPeer &&
 			hbaline->auth_method != uaGSS &&
 			hbaline->auth_method != uaSSPI &&
-			hbaline->auth_method != uaOAuth &&
-			hbaline->auth_method != uaCert)
-			INVALID_AUTH_OPTION("map", gettext_noop("ident, peer, gssapi, sspi, oauth, and cert"));
+			hbaline->auth_method != uaCert &&
+			hbaline->auth_method != uaCustom)
+			INVALID_AUTH_OPTION("map", gettext_noop("ident, peer, gssapi, sspi, cert, and custom"));
 		hbaline->usermap = pstrdup(val);
 	}
 	else if (strcmp(name, "clientcert") == 0)
@@ -2119,19 +2116,25 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
 	}
 	else if (strcmp(name, "issuer") == 0)
 	{
-		if (hbaline->auth_method != uaOAuth)
+		if (hbaline->auth_method != uaCustom
+			&& (custom_provider_name != NULL
+				&& strcmp(custom_provider_name, "oauth")))
 			INVALID_AUTH_OPTION("issuer", gettext_noop("oauth"));
 		hbaline->oauth_issuer = pstrdup(val);
 	}
 	else if (strcmp(name, "scope") == 0)
 	{
-		if (hbaline->auth_method != uaOAuth)
+		if (hbaline->auth_method != uaCustom
+			&& (custom_provider_name != NULL
+				&& strcmp(custom_provider_name, "oauth")))
 			INVALID_AUTH_OPTION("scope", gettext_noop("oauth"));
 		hbaline->oauth_scope = pstrdup(val);
 	}
 	else if (strcmp(name, "trust_validator_authz") == 0)
 	{
-		if (hbaline->auth_method != uaOAuth)
+		if (hbaline->auth_method != uaCustom
+			&& (custom_provider_name != NULL
+				&& strcmp(custom_provider_name, "oauth")))
 			INVALID_AUTH_OPTION("trust_validator_authz", gettext_noop("oauth"));
 		if (strcmp(val, "1") == 0)
 			hbaline->oauth_skip_usermap = true;
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index 791c7c83df..1e3650184b 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -58,7 +58,6 @@
 #include "libpq/auth.h"
 #include "libpq/libpq.h"
 #include "libpq/pqformat.h"
-#include "libpq/oauth.h"
 #include "miscadmin.h"
 #include "optimizer/cost.h"
 #include "optimizer/geqo.h"
@@ -4663,17 +4662,6 @@ static struct config_string ConfigureNamesString[] =
 		check_backtrace_functions, assign_backtrace_functions, NULL
 	},
 
-	{
-		{"oauth_validator_command", PGC_SIGHUP, CONN_AUTH_AUTH,
-			gettext_noop("Command to validate OAuth v2 bearer tokens."),
-			NULL,
-			GUC_SUPERUSER_ONLY
-		},
-		&oauth_validator_command,
-		"",
-		NULL, NULL, NULL
-	},
-
 	/* End-of-list marker */
 	{
 		{NULL, 0, 0, NULL, NULL}, NULL, NULL, NULL, NULL, NULL
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index d46c2108eb..0c6a7dd823 100644
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -40,8 +40,7 @@ typedef enum UserAuth
 	uaRADIUS,
 	uaCustom,
 	uaPeer,
-	uaOAuth
-#define USER_AUTH_LAST uaOAuth	/* Must be last value of this enum */
+#define USER_AUTH_LAST uaPeer	/* Must be last value of this enum */
 } UserAuth;
 
 /*
diff --git a/src/include/libpq/oauth.h b/src/include/libpq/oauth.h
deleted file mode 100644
index 870e426af1..0000000000
--- a/src/include/libpq/oauth.h
+++ /dev/null
@@ -1,24 +0,0 @@
-/*-------------------------------------------------------------------------
- *
- * oauth.h
- *	  Interface to libpq/auth-oauth.c
- *
- * Portions Copyright (c) 1996-2021, PostgreSQL Global Development Group
- * Portions Copyright (c) 1994, Regents of the University of California
- *
- * src/include/libpq/oauth.h
- *
- *-------------------------------------------------------------------------
- */
-#ifndef PG_OAUTH_H
-#define PG_OAUTH_H
-
-#include "libpq/libpq-be.h"
-#include "libpq/sasl.h"
-
-extern char *oauth_validator_command;
-
-/* Implementation */
-extern const pg_be_sasl_mech pg_be_oauth_mech;
-
-#endif /* PG_OAUTH_H */
diff --git a/src/test/python/server/test_oauth.py b/src/test/python/server/test_oauth.py
index cb5ca7fa23..07fc25edc2 100644
--- a/src/test/python/server/test_oauth.py
+++ b/src/test/python/server/test_oauth.py
@@ -103,9 +103,9 @@ def oauth_ctx():
 
     ctx = Context()
     hba_lines = (
-        f'host {ctx.dbname} {ctx.map_user}   samehost oauth issuer="{ctx.issuer}" scope="{ctx.scope}" map=oauth\n',
-        f'host {ctx.dbname} {ctx.authz_user} samehost oauth issuer="{ctx.issuer}" scope="{ctx.scope}" trust_validator_authz=1\n',
-        f'host {ctx.dbname} all              samehost oauth issuer="{ctx.issuer}" scope="{ctx.scope}"\n',
+        f'host {ctx.dbname} {ctx.map_user}   samehost custom provider=oauth issuer="{ctx.issuer}" scope="{ctx.scope}" map=oauth\n',
+        f'host {ctx.dbname} {ctx.authz_user} samehost custom provider=oauth issuer="{ctx.issuer}" scope="{ctx.scope}" trust_validator_authz=1\n',
+        f'host {ctx.dbname} all              samehost custom provider=oauth issuer="{ctx.issuer}" scope="{ctx.scope}"\n',
     )
     ident_lines = (r"oauth /^(.*)@example\.com$ \1",)
 
@@ -126,12 +126,12 @@ def oauth_ctx():
         c.execute(sql.SQL("CREATE ROLE {} LOGIN;").format(authz_user))
         c.execute(sql.SQL("CREATE DATABASE {};").format(dbname))
 
-        # Make this test script the server's oauth_validator.
+        # Make this test script the server's oauth validator.
         path = pathlib.Path(__file__).parent / "validate_bearer.py"
         path = str(path.absolute())
 
         cmd = f"{shlex.quote(path)} {SHARED_MEM_NAME} <&%f"
-        c.execute("ALTER SYSTEM SET oauth_validator_command TO %s;", (cmd,))
+        c.execute("ALTER SYSTEM SET oauth.validator_command TO %s;", (cmd,))
 
         # Replace pg_hba and pg_ident.
         c.execute("SHOW hba_file;")
@@ -149,7 +149,7 @@ def oauth_ctx():
         # Put things back the way they were.
         c.execute("SELECT pg_reload_conf();")
 
-        c.execute("ALTER SYSTEM RESET oauth_validator_command;")
+        c.execute("ALTER SYSTEM RESET oauth.validator_command;")
         c.execute(sql.SQL("DROP DATABASE {};").format(dbname))
         c.execute(sql.SQL("DROP ROLE {};").format(authz_user))
         c.execute(sql.SQL("DROP ROLE {};").format(map_user))
@@ -930,7 +930,7 @@ def test_oauth_empty_initial_response(conn, oauth_ctx, bearer_token):
 def set_validator():
     """
     A per-test fixture that allows a test to override the setting of
-    oauth_validator_command for the cluster. The setting will be reverted during
+    oauth.validator_command for the cluster. The setting will be reverted during
     teardown.
 
     Passing None will perform an ALTER SYSTEM RESET.
@@ -942,17 +942,17 @@ def set_validator():
         c = conn.cursor()
 
         # Save the previous value.
-        c.execute("SHOW oauth_validator_command;")
+        c.execute("SHOW oauth.validator_command;")
         prev_cmd = c.fetchone()[0]
 
         def setter(cmd):
-            c.execute("ALTER SYSTEM SET oauth_validator_command TO %s;", (cmd,))
+            c.execute("ALTER SYSTEM SET oauth.validator_command TO %s;", (cmd,))
             c.execute("SELECT pg_reload_conf();")
 
         yield setter
 
         # Restore the previous value.
-        c.execute("ALTER SYSTEM SET oauth_validator_command TO %s;", (prev_cmd,))
+        c.execute("ALTER SYSTEM SET oauth.validator_command TO %s;", (prev_cmd,))
         c.execute("SELECT pg_reload_conf();")
 
 
-- 
2.25.1

From b3ceda62e9cc6cbbc24c63c05c5ce072ae771c1b Mon Sep 17 00:00:00 2001
From: Jacob Champion <pchampion@vmware.com>
Date: Tue, 4 May 2021 16:21:11 -0700
Subject: [PATCH v4 07/10] backend: add OAUTHBEARER SASL mechanism

DO NOT USE THIS PROOF OF CONCEPT IN PRODUCTION.

Implement OAUTHBEARER (RFC 7628) on the server side. This adds a new
auth method, oauth, to pg_hba.

Because OAuth implementations vary so wildly, and bearer token
validation is heavily dependent on the issuing party, authn/z is done by
communicating with an external program: the oauth_validator_command.
This command must do the following:

1. Receive the bearer token by reading its contents from a file
   descriptor passed from the server. (The numeric value of this
   descriptor may be inserted into the oauth_validator_command using the
   %f specifier.)

   This MUST be the first action the command performs. The server will
   not begin reading stdout from the command until the token has been
   read in full, so if the command tries to print anything and hits a
   buffer limit, the backend will deadlock and time out.

2. Validate the bearer token. The correct way to do this depends on the
   issuer, but it generally involves either cryptographic operations to
   prove that the token was issued by a trusted party, or the
   presentation of the bearer token to some other party so that _it_ can
   perform validation.

   The command MUST maintain confidentiality of the bearer token, since
   in most cases it can be used just like a password. (There are ways to
   cryptographically bind tokens to client certificates, but they are
   way beyond the scope of this commit message.)

   If the token cannot be validated, the command must exit with a
   non-zero status. Further authentication/authorization is pointless if
   the bearer token wasn't issued by someone you trust.

3. Authenticate the user, authorize the user, or both:

   a. To authenticate the user, use the bearer token to retrieve some
      trusted identifier string for the end user. The exact process for
      this is, again, issuer-dependent. The command should print the
      authenticated identity string to stdout, followed by a newline.

      If the user cannot be authenticated, the validator should not
      print anything to stdout. It should also exit with a non-zero
      status, unless the token may be used to authorize the connection
      through some other means (see below).

      On a success, the command may then exit with a zero success code.
      By default, the server will then check to make sure the identity
      string matches the role that is being used (or matches a usermap
      entry, if one is in use).

   b. To optionally authorize the user, in combination with the HBA
      option trust_validator_authz=1 (see below), the validator simply
      returns a zero exit code if the client should be allowed to
      connect with its presented role (which can be passed to the
      command using the %r specifier), or a non-zero code otherwise.

      The hard part is in determining whether the given token truly
      authorizes the client to use the given role, which must
      unfortunately be left as an exercise to the reader.

      This obviously requires some care, as a poorly implemented token
      validator may silently open the entire database to anyone with a
      bearer token. But it may be a more portable approach, since OAuth
      is designed as an authorization framework, not an authentication
      framework. For example, the user's bearer token could carry an
      "allow_superuser_access" claim, which would authorize pseudonymous
      database access as any role. It's then up to the OAuth system
      administrators to ensure that allow_superuser_access is doled out
      only to the proper users.

   c. It's possible that the user can be successfully authenticated but
      isn't authorized to connect. In this case, the command may print
      the authenticated ID and then fail with a non-zero exit code.
      (This makes it easier to see what's going on in the Postgres
      logs.)

4. Token validators may optionally log to stderr. This will be printed
   verbatim into the Postgres server logs.

The oauth method supports the following HBA options (but note that two
of them are not optional, since we have no way of choosing sensible
defaults):

  issuer: Required. The URL of the OAuth issuing party, which the client
          must contact to receive a bearer token.

          Some real-world examples as of time of writing:
          - https://accounts.google.com
          - https://login.microsoft.com/[tenant-id]/v2.0

  scope:  Required. The OAuth scope(s) required for the server to
          authenticate and/or authorize the user. This is heavily
          deployment-specific, but a simple example is "openid email".

  map:    Optional. Specify a standard PostgreSQL user map; this works
          the same as with other auth methods such as peer. If a map is
          not specified, the user ID returned by the token validator
          must exactly match the role that's being requested (but see
          trust_validator_authz, below).

  trust_validator_authz:
          Optional. When set to 1, this allows the token validator to
          take full control of the authorization process. Standard user
          mapping is skipped: if the validator command succeeds, the
          client is allowed to connect under its desired role and no
          further checks are done.

Unlike the client, servers support OAuth without needing to be built
against libiddawc (since the responsibility for "speaking" OAuth/OIDC
correctly is delegated entirely to the oauth_validator_command).

Several TODOs:
- port to platforms other than "modern Linux"
- overhaul the communication with oauth_validator_command, which is
  currently a bad hack on OpenPipeStream()
- implement more sanity checks on the OAUTHBEARER message format and
  tokens sent by the client
- implement more helpful handling of HBA misconfigurations
- properly interpolate JSON when generating error responses
- use logdetail during auth failures
- deal with role names that can't be safely passed to system() without
  shell-escaping
- allow passing the configured issuer to the oauth_validator_command, to
  deal with multi-issuer setups
- ...and more.
---
 src/backend/libpq/Makefile     |   1 +
 src/backend/libpq/auth-oauth.c | 797 +++++++++++++++++++++++++++++++++
 src/backend/libpq/auth-sasl.c  |  10 +-
 src/backend/libpq/auth-scram.c |   4 +-
 src/backend/libpq/auth.c       |   7 +
 src/backend/libpq/hba.c        |  29 +-
 src/backend/utils/misc/guc.c   |  12 +
 src/include/libpq/hba.h        |   8 +-
 src/include/libpq/oauth.h      |  24 +
 src/include/libpq/sasl.h       |  11 +
 10 files changed, 889 insertions(+), 14 deletions(-)
 create mode 100644 src/backend/libpq/auth-oauth.c
 create mode 100644 src/include/libpq/oauth.h

diff --git a/src/backend/libpq/Makefile b/src/backend/libpq/Makefile
index 6d385fd6a4..98eb2a8242 100644
--- a/src/backend/libpq/Makefile
+++ b/src/backend/libpq/Makefile
@@ -15,6 +15,7 @@ include $(top_builddir)/src/Makefile.global
 # be-fsstubs is here for historical reasons, probably belongs elsewhere
 
 OBJS = \
+	auth-oauth.o \
 	auth-sasl.o \
 	auth-scram.o \
 	auth.o \
diff --git a/src/backend/libpq/auth-oauth.c b/src/backend/libpq/auth-oauth.c
new file mode 100644
index 0000000000..c1232a31a0
--- /dev/null
+++ b/src/backend/libpq/auth-oauth.c
@@ -0,0 +1,797 @@
+/*-------------------------------------------------------------------------
+ *
+ * auth-oauth.c
+ *	  Server-side implementation of the SASL OAUTHBEARER mechanism.
+ *
+ * See the following RFC for more details:
+ * - RFC 7628: https://tools.ietf.org/html/rfc7628
+ *
+ * Portions Copyright (c) 1996-2021, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ * src/backend/libpq/auth-oauth.c
+ *
+ *-------------------------------------------------------------------------
+ */
+#include "postgres.h"
+
+#include <unistd.h>
+#include <fcntl.h>
+
+#include "common/oauth-common.h"
+#include "lib/stringinfo.h"
+#include "libpq/auth.h"
+#include "libpq/hba.h"
+#include "libpq/oauth.h"
+#include "libpq/sasl.h"
+#include "storage/fd.h"
+
+/* GUC */
+char *oauth_validator_command;
+
+static void  oauth_get_mechanisms(Port *port, StringInfo buf);
+static void *oauth_init(Port *port, const char *selected_mech, const char *shadow_pass);
+static int   oauth_exchange(void *opaq, const char *input, int inputlen,
+							char **output, int *outputlen, const char **logdetail);
+
+/* Mechanism declaration */
+const pg_be_sasl_mech pg_be_oauth_mech = {
+	oauth_get_mechanisms,
+	oauth_init,
+	oauth_exchange,
+
+	PG_MAX_AUTH_TOKEN_LENGTH,
+};
+
+
+typedef enum
+{
+	OAUTH_STATE_INIT = 0,
+	OAUTH_STATE_ERROR,
+	OAUTH_STATE_FINISHED,
+} oauth_state;
+
+struct oauth_ctx
+{
+	oauth_state	state;
+	Port	   *port;
+	const char *issuer;
+	const char *scope;
+};
+
+static char *sanitize_char(char c);
+static char *parse_kvpairs_for_auth(char **input);
+static void generate_error_response(struct oauth_ctx *ctx, char **output, int *outputlen);
+static bool validate(Port *port, const char *auth, const char **logdetail);
+static bool run_validator_command(Port *port, const char *token);
+static bool check_exit(FILE **fh, const char *command);
+static bool unset_cloexec(int fd);
+static bool username_ok_for_shell(const char *username);
+
+#define KVSEP 0x01
+#define AUTH_KEY "auth"
+#define BEARER_SCHEME "Bearer "
+
+static void
+oauth_get_mechanisms(Port *port, StringInfo buf)
+{
+	/* Only OAUTHBEARER is supported. */
+	appendStringInfoString(buf, OAUTHBEARER_NAME);
+	appendStringInfoChar(buf, '\0');
+}
+
+static void *
+oauth_init(Port *port, const char *selected_mech, const char *shadow_pass)
+{
+	struct oauth_ctx *ctx;
+
+	if (strcmp(selected_mech, OAUTHBEARER_NAME))
+		ereport(ERROR,
+				(errcode(ERRCODE_PROTOCOL_VIOLATION),
+				 errmsg("client selected an invalid SASL authentication mechanism")));
+
+	ctx = palloc0(sizeof(*ctx));
+
+	ctx->state = OAUTH_STATE_INIT;
+	ctx->port = port;
+
+	Assert(port->hba);
+	ctx->issuer = port->hba->oauth_issuer;
+	ctx->scope = port->hba->oauth_scope;
+
+	return ctx;
+}
+
+static int
+oauth_exchange(void *opaq, const char *input, int inputlen,
+			   char **output, int *outputlen, const char **logdetail)
+{
+	char   *p;
+	char	cbind_flag;
+	char   *auth;
+
+	struct oauth_ctx *ctx = opaq;
+
+	*output = NULL;
+	*outputlen = -1;
+
+	/*
+	 * If the client didn't include an "Initial Client Response" in the
+	 * SASLInitialResponse message, send an empty challenge, to which the
+	 * client will respond with the same data that usually comes in the
+	 * Initial Client Response.
+	 */
+	if (input == NULL)
+	{
+		Assert(ctx->state == OAUTH_STATE_INIT);
+
+		*output = pstrdup("");
+		*outputlen = 0;
+		return PG_SASL_EXCHANGE_CONTINUE;
+	}
+
+	/*
+	 * Check that the input length agrees with the string length of the input.
+	 */
+	if (inputlen == 0)
+		ereport(ERROR,
+				(errcode(ERRCODE_PROTOCOL_VIOLATION),
+				 errmsg("malformed OAUTHBEARER message"),
+				 errdetail("The message is empty.")));
+	if (inputlen != strlen(input))
+		ereport(ERROR,
+				(errcode(ERRCODE_PROTOCOL_VIOLATION),
+				 errmsg("malformed OAUTHBEARER message"),
+				 errdetail("Message length does not match input length.")));
+
+	switch (ctx->state)
+	{
+		case OAUTH_STATE_INIT:
+			/* Handle this case below. */
+			break;
+
+		case OAUTH_STATE_ERROR:
+			/*
+			 * Only one response is valid for the client during authentication
+			 * failure: a single kvsep.
+			 */
+			if (inputlen != 1 || *input != KVSEP)
+				ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 errmsg("malformed OAUTHBEARER message"),
+						 errdetail("Client did not send a kvsep response.")));
+
+			/* The (failed) handshake is now complete. */
+			ctx->state = OAUTH_STATE_FINISHED;
+			return PG_SASL_EXCHANGE_FAILURE;
+
+		default:
+			elog(ERROR, "invalid OAUTHBEARER exchange state");
+			return PG_SASL_EXCHANGE_FAILURE;
+	}
+
+	/* Handle the client's initial message. */
+	p = pstrdup(input);
+
+	/*
+	 * OAUTHBEARER does not currently define a channel binding (so there is no
+	 * OAUTHBEARER-PLUS, and we do not accept a 'p' specifier). We accept a 'y'
+	 * specifier purely for the remote chance that a future specification could
+	 * define one; then future clients can still interoperate with this server
+	 * implementation. 'n' is the expected case.
+	 */
+	cbind_flag = *p;
+	switch (cbind_flag)
+	{
+		case 'p':
+			ereport(ERROR,
+					(errcode(ERRCODE_PROTOCOL_VIOLATION),
+					 errmsg("malformed OAUTHBEARER message"),
+					 errdetail("The server does not support channel binding for OAuth, but the client message includes channel binding data.")));
+			break;
+
+		case 'y': /* fall through */
+		case 'n':
+			p++;
+			if (*p != ',')
+				ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 errmsg("malformed OAUTHBEARER message"),
+						 errdetail("Comma expected, but found character %s.",
+								   sanitize_char(*p))));
+			p++;
+			break;
+
+		default:
+			ereport(ERROR,
+					(errcode(ERRCODE_PROTOCOL_VIOLATION),
+					 errmsg("malformed OAUTHBEARER message"),
+					 errdetail("Unexpected channel-binding flag %s.",
+							   sanitize_char(cbind_flag))));
+	}
+
+	/*
+	 * Forbid optional authzid (authorization identity).  We don't support it.
+	 */
+	if (*p == 'a')
+		ereport(ERROR,
+				(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
+				 errmsg("client uses authorization identity, but it is not supported")));
+	if (*p != ',')
+		ereport(ERROR,
+				(errcode(ERRCODE_PROTOCOL_VIOLATION),
+				 errmsg("malformed OAUTHBEARER message"),
+				 errdetail("Unexpected attribute %s in client-first-message.",
+						   sanitize_char(*p))));
+	p++;
+
+	/* All remaining fields are separated by the RFC's kvsep (\x01). */
+	if (*p != KVSEP)
+		ereport(ERROR,
+				(errcode(ERRCODE_PROTOCOL_VIOLATION),
+				 errmsg("malformed OAUTHBEARER message"),
+				 errdetail("Key-value separator expected, but found character %s.",
+						   sanitize_char(*p))));
+	p++;
+
+	auth = parse_kvpairs_for_auth(&p);
+	if (!auth)
+		ereport(ERROR,
+				(errcode(ERRCODE_PROTOCOL_VIOLATION),
+				 errmsg("malformed OAUTHBEARER message"),
+				 errdetail("Message does not contain an auth value.")));
+
+	/* We should be at the end of our message. */
+	if (*p)
+		ereport(ERROR,
+				(errcode(ERRCODE_PROTOCOL_VIOLATION),
+				 errmsg("malformed OAUTHBEARER message"),
+				 errdetail("Message contains additional data after the final terminator.")));
+
+	if (!validate(ctx->port, auth, logdetail))
+	{
+		generate_error_response(ctx, output, outputlen);
+
+		ctx->state = OAUTH_STATE_ERROR;
+		return PG_SASL_EXCHANGE_CONTINUE;
+	}
+
+	ctx->state = OAUTH_STATE_FINISHED;
+	return PG_SASL_EXCHANGE_SUCCESS;
+}
+
+/*
+ * Convert an arbitrary byte to printable form.  For error messages.
+ *
+ * If it's a printable ASCII character, print it as a single character.
+ * otherwise, print it in hex.
+ *
+ * The returned pointer points to a static buffer.
+ */
+static char *
+sanitize_char(char c)
+{
+	static char buf[5];
+
+	if (c >= 0x21 && c <= 0x7E)
+		snprintf(buf, sizeof(buf), "'%c'", c);
+	else
+		snprintf(buf, sizeof(buf), "0x%02x", (unsigned char) c);
+	return buf;
+}
+
+/*
+ * Consumes all kvpairs in an OAUTHBEARER exchange message. If the "auth" key is
+ * found, its value is returned.
+ */
+static char *
+parse_kvpairs_for_auth(char **input)
+{
+	char   *pos = *input;
+	char   *auth = NULL;
+
+	/*
+	 * The relevant ABNF, from Sec. 3.1:
+	 *
+	 *     kvsep          = %x01
+	 *     key            = 1*(ALPHA)
+	 *     value          = *(VCHAR / SP / HTAB / CR / LF )
+	 *     kvpair         = key "=" value kvsep
+	 *   ;;gs2-header     = See RFC 5801
+	 *     client-resp    = (gs2-header kvsep *kvpair kvsep) / kvsep
+	 *
+	 * By the time we reach this code, the gs2-header and initial kvsep have
+	 * already been validated. We start at the beginning of the first kvpair.
+	 */
+
+	while (*pos)
+	{
+		char   *end;
+		char   *sep;
+		char   *key;
+		char   *value;
+
+		/*
+		 * Find the end of this kvpair. Note that input is null-terminated by
+		 * the SASL code, so the strchr() is bounded.
+		 */
+		end = strchr(pos, KVSEP);
+		if (!end)
+			ereport(ERROR,
+					(errcode(ERRCODE_PROTOCOL_VIOLATION),
+					 errmsg("malformed OAUTHBEARER message"),
+					 errdetail("Message contains an unterminated key/value pair.")));
+		*end = '\0';
+
+		if (pos == end)
+		{
+			/* Empty kvpair, signifying the end of the list. */
+			*input = pos + 1;
+			return auth;
+		}
+
+		/*
+		 * Find the end of the key name.
+		 *
+		 * TODO further validate the key/value grammar? empty keys, bad chars...
+		 */
+		sep = strchr(pos, '=');
+		if (!sep)
+			ereport(ERROR,
+					(errcode(ERRCODE_PROTOCOL_VIOLATION),
+					 errmsg("malformed OAUTHBEARER message"),
+					 errdetail("Message contains a key without a value.")));
+		*sep = '\0';
+
+		/* Both key and value are now safely terminated. */
+		key = pos;
+		value = sep + 1;
+
+		if (!strcmp(key, AUTH_KEY))
+		{
+			if (auth)
+				ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 errmsg("malformed OAUTHBEARER message"),
+						 errdetail("Message contains multiple auth values.")));
+
+			auth = value;
+		}
+		else
+		{
+			/*
+			 * The RFC also defines the host and port keys, but they are not
+			 * required for OAUTHBEARER and we do not use them. Also, per
+			 * Sec. 3.1, any key/value pairs we don't recognize must be ignored.
+			 */
+		}
+
+		/* Move to the next pair. */
+		pos = end + 1;
+	}
+
+	ereport(ERROR,
+			(errcode(ERRCODE_PROTOCOL_VIOLATION),
+			 errmsg("malformed OAUTHBEARER message"),
+			 errdetail("Message did not contain a final terminator.")));
+
+	return NULL; /* unreachable */
+}
+
+static void
+generate_error_response(struct oauth_ctx *ctx, char **output, int *outputlen)
+{
+	StringInfoData	buf;
+
+	/*
+	 * The admin needs to set an issuer and scope for OAuth to work. There's not
+	 * really a way to hide this from the user, either, because we can't choose
+	 * a "default" issuer, so be honest in the failure message.
+	 *
+	 * TODO: see if there's a better place to fail, earlier than this.
+	 */
+	if (!ctx->issuer || !ctx->scope)
+		ereport(FATAL,
+				(errcode(ERRCODE_INTERNAL_ERROR),
+				 errmsg("OAuth is not properly configured for this user"),
+				 errdetail_log("The issuer and scope parameters must be set in pg_hba.conf.")));
+
+
+	initStringInfo(&buf);
+
+	/*
+	 * TODO: JSON escaping
+	 */
+	appendStringInfo(&buf,
+		"{ "
+			"\"status\": \"invalid_token\", "
+			"\"openid-configuration\": \"%s/.well-known/openid-configuration\","
+			"\"scope\": \"%s\" "
+		"}",
+		ctx->issuer, ctx->scope);
+
+	*output = buf.data;
+	*outputlen = buf.len;
+}
+
+static bool
+validate(Port *port, const char *auth, const char **logdetail)
+{
+	static const char * const b64_set = "abcdefghijklmnopqrstuvwxyz"
+										"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+										"0123456789-._~+/";
+
+	const char *token;
+	size_t		span;
+	int			ret;
+
+	/* TODO: handle logdetail when the test framework can check it */
+
+	/*
+	 * Only Bearer tokens are accepted. The ABNF is defined in RFC 6750, Sec.
+	 * 2.1:
+	 *
+	 *      b64token    = 1*( ALPHA / DIGIT /
+	 *                        "-" / "." / "_" / "~" / "+" / "/" ) *"="
+	 *      credentials = "Bearer" 1*SP b64token
+	 *
+	 * The "credentials" construction is what we receive in our auth value.
+	 *
+	 * Since that spec is subordinate to HTTP (i.e. the HTTP Authorization
+	 * header format; RFC 7235 Sec. 2), the "Bearer" scheme string must be
+	 * compared case-insensitively. (This is not mentioned in RFC 6750, but it's
+	 * pointed out in RFC 7628 Sec. 4.)
+	 *
+	 * TODO: handle the Authorization spec, RFC 7235 Sec. 2.1.
+	 */
+	if (strncasecmp(auth, BEARER_SCHEME, strlen(BEARER_SCHEME)))
+		return false;
+
+	/* Pull the bearer token out of the auth value. */
+	token = auth + strlen(BEARER_SCHEME);
+
+	/* Swallow any additional spaces. */
+	while (*token == ' ')
+		token++;
+
+	/*
+	 * Before invoking the validator command, sanity-check the token format to
+	 * avoid any injection attacks later in the chain. Invalid formats are
+	 * technically a protocol violation, but don't reflect any information about
+	 * the sensitive Bearer token back to the client; log at COMMERROR instead.
+	 */
+
+	/* Tokens must not be empty. */
+	if (!*token)
+	{
+		ereport(COMMERROR,
+				(errcode(ERRCODE_PROTOCOL_VIOLATION),
+				 errmsg("malformed OAUTHBEARER message"),
+				 errdetail("Bearer token is empty.")));
+		return false;
+	}
+
+	/*
+	 * Make sure the token contains only allowed characters. Tokens may end with
+	 * any number of '=' characters.
+	 */
+	span = strspn(token, b64_set);
+	while (token[span] == '=')
+		span++;
+
+	if (token[span] != '\0')
+	{
+		/*
+		 * This error message could be more helpful by printing the problematic
+		 * character(s), but that'd be a bit like printing a piece of someone's
+		 * password into the logs.
+		 */
+		ereport(COMMERROR,
+				(errcode(ERRCODE_PROTOCOL_VIOLATION),
+				 errmsg("malformed OAUTHBEARER message"),
+				 errdetail("Bearer token is not in the correct format.")));
+		return false;
+	}
+
+	/* Have the validator check the token. */
+	if (!run_validator_command(port, token))
+		return false;
+
+	if (port->hba->oauth_skip_usermap)
+	{
+		/*
+		 * If the validator is our authorization authority, we're done.
+		 * Authentication may or may not have been performed depending on the
+		 * validator implementation; all that matters is that the validator says
+		 * the user can log in with the target role.
+		 */
+		return true;
+	}
+
+	/* Make sure the validator authenticated the user. */
+	if (!port->authn_id)
+	{
+		/* TODO: use logdetail; reduce message duplication */
+		ereport(LOG,
+				(errmsg("OAuth bearer authentication failed for user \"%s\": validator provided no identity",
+						port->user_name)));
+		return false;
+	}
+
+	/* Finally, check the user map. */
+	ret = check_usermap(port->hba->usermap, port->user_name, port->authn_id,
+						false);
+	return (ret == STATUS_OK);
+}
+
+static bool
+run_validator_command(Port *port, const char *token)
+{
+	bool		success = false;
+	int			rc;
+	int			pipefd[2];
+	int			rfd = -1;
+	int			wfd = -1;
+
+	StringInfoData command = { 0 };
+	char	   *p;
+	FILE	   *fh = NULL;
+
+	ssize_t		written;
+	char	   *line = NULL;
+	size_t		size = 0;
+	ssize_t		len;
+
+	Assert(oauth_validator_command);
+
+	if (!oauth_validator_command[0])
+	{
+		ereport(COMMERROR,
+				(errmsg("oauth_validator_command is not set"),
+				 errhint("To allow OAuth authenticated connections, set "
+						 "oauth_validator_command in postgresql.conf.")));
+		return false;
+	}
+
+	/*
+	 * Since popen() is unidirectional, open up a pipe for the other direction.
+	 * Use CLOEXEC to ensure that our write end doesn't accidentally get copied
+	 * into child processes, which would prevent us from closing it cleanly.
+	 *
+	 * XXX this is ugly. We should just read from the child process's stdout,
+	 * but that's a lot more code.
+	 * XXX by bypassing the popen API, we open the potential of process
+	 * deadlock. Clearly document child process requirements (i.e. the child
+	 * MUST read all data off of the pipe before writing anything).
+	 * TODO: port to Windows using _pipe().
+	 */
+	rc = pipe2(pipefd, O_CLOEXEC);
+	if (rc < 0)
+	{
+		ereport(COMMERROR,
+				(errcode_for_file_access(),
+				 errmsg("could not create child pipe: %m")));
+		return false;
+	}
+
+	rfd = pipefd[0];
+	wfd = pipefd[1];
+
+	/* Allow the read pipe be passed to the child. */
+	if (!unset_cloexec(rfd))
+	{
+		/* error message was already logged */
+		goto cleanup;
+	}
+
+	/*
+	 * Construct the command, substituting any recognized %-specifiers:
+	 *
+	 *   %f: the file descriptor of the input pipe
+	 *   %r: the role that the client wants to assume (port->user_name)
+	 *   %%: a literal '%'
+	 */
+	initStringInfo(&command);
+
+	for (p = oauth_validator_command; *p; p++)
+	{
+		if (p[0] == '%')
+		{
+			switch (p[1])
+			{
+				case 'f':
+					appendStringInfo(&command, "%d", rfd);
+					p++;
+					break;
+				case 'r':
+					/*
+					 * TODO: decide how this string should be escaped. The role
+					 * is controlled by the client, so if we don't escape it,
+					 * command injections are inevitable.
+					 *
+					 * This is probably an indication that the role name needs
+					 * to be communicated to the validator process in some other
+					 * way. For this proof of concept, just be incredibly strict
+					 * about the characters that are allowed in user names.
+					 */
+					if (!username_ok_for_shell(port->user_name))
+						goto cleanup;
+
+					appendStringInfoString(&command, port->user_name);
+					p++;
+					break;
+				case '%':
+					appendStringInfoChar(&command, '%');
+					p++;
+					break;
+				default:
+					appendStringInfoChar(&command, p[0]);
+			}
+		}
+		else
+			appendStringInfoChar(&command, p[0]);
+	}
+
+	/* Execute the command. */
+	fh = OpenPipeStream(command.data, "re");
+	/* TODO: handle failures */
+
+	/* We don't need the read end of the pipe anymore. */
+	close(rfd);
+	rfd = -1;
+
+	/* Give the command the token to validate. */
+	written = write(wfd, token, strlen(token));
+	if (written != strlen(token))
+	{
+		/* TODO must loop for short writes, EINTR et al */
+		ereport(COMMERROR,
+				(errcode_for_file_access(),
+				 errmsg("could not write token to child pipe: %m")));
+		goto cleanup;
+	}
+
+	close(wfd);
+	wfd = -1;
+
+	/*
+	 * Read the command's response.
+	 *
+	 * TODO: getline() is probably too new to use, unfortunately.
+	 * TODO: loop over all lines
+	 */
+	if ((len = getline(&line, &size, fh)) >= 0)
+	{
+		/* TODO: fail if the authn_id doesn't end with a newline */
+		if (len > 0)
+			line[len - 1] = '\0';
+
+		set_authn_id(port, line);
+	}
+	else if (ferror(fh))
+	{
+		ereport(COMMERROR,
+				(errcode_for_file_access(),
+				 errmsg("could not read from command \"%s\": %m",
+						command.data)));
+		goto cleanup;
+	}
+
+	/* Make sure the command exits cleanly. */
+	if (!check_exit(&fh, command.data))
+	{
+		/* error message already logged */
+		goto cleanup;
+	}
+
+	/* Done. */
+	success = true;
+
+cleanup:
+	if (line)
+		free(line);
+
+	/*
+	 * In the successful case, the pipe fds are already closed. For the error
+	 * case, always close out the pipe before waiting for the command, to
+	 * prevent deadlock.
+	 */
+	if (rfd >= 0)
+		close(rfd);
+	if (wfd >= 0)
+		close(wfd);
+
+	if (fh)
+	{
+		Assert(!success);
+		check_exit(&fh, command.data);
+	}
+
+	if (command.data)
+		pfree(command.data);
+
+	return success;
+}
+
+static bool
+check_exit(FILE **fh, const char *command)
+{
+	int rc;
+
+	rc = ClosePipeStream(*fh);
+	*fh = NULL;
+
+	if (rc == -1)
+	{
+		/* pclose() itself failed. */
+		ereport(COMMERROR,
+				(errcode_for_file_access(),
+				 errmsg("could not close pipe to command \"%s\": %m",
+						command)));
+	}
+	else if (rc != 0)
+	{
+		char *reason = wait_result_to_str(rc);
+
+		ereport(COMMERROR,
+				(errmsg("failed to execute command \"%s\": %s",
+						command, reason)));
+
+		pfree(reason);
+	}
+
+	return (rc == 0);
+}
+
+static bool
+unset_cloexec(int fd)
+{
+	int			flags;
+	int			rc;
+
+	flags = fcntl(fd, F_GETFD);
+	if (flags == -1)
+	{
+		ereport(COMMERROR,
+				(errcode_for_file_access(),
+				 errmsg("could not get fd flags for child pipe: %m")));
+		return false;
+	}
+
+	rc = fcntl(fd, F_SETFD, flags & ~FD_CLOEXEC);
+	if (rc < 0)
+	{
+		ereport(COMMERROR,
+				(errcode_for_file_access(),
+				 errmsg("could not unset FD_CLOEXEC for child pipe: %m")));
+		return false;
+	}
+
+	return true;
+}
+
+/*
+ * XXX This should go away eventually and be replaced with either a proper
+ * escape or a different strategy for communication with the validator command.
+ */
+static bool
+username_ok_for_shell(const char *username)
+{
+	/* This set is borrowed from fe_utils' appendShellStringNoError(). */
+	static const char * const allowed = "abcdefghijklmnopqrstuvwxyz"
+										"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+										"0123456789-_./:";
+	size_t	span;
+
+	Assert(username && username[0]); /* should have already been checked */
+
+	span = strspn(username, allowed);
+	if (username[span] != '\0')
+	{
+		ereport(COMMERROR,
+				(errmsg("PostgreSQL user name contains unsafe characters and cannot be passed to the OAuth validator")));
+		return false;
+	}
+
+	return true;
+}
diff --git a/src/backend/libpq/auth-sasl.c b/src/backend/libpq/auth-sasl.c
index a1d7dbb6d5..0f461a6696 100644
--- a/src/backend/libpq/auth-sasl.c
+++ b/src/backend/libpq/auth-sasl.c
@@ -20,14 +20,6 @@
 #include "libpq/pqformat.h"
 #include "libpq/sasl.h"
 
-/*
- * Maximum accepted size of SASL messages.
- *
- * The messages that the server or libpq generate are much smaller than this,
- * but have some headroom.
- */
-#define PG_MAX_SASL_MESSAGE_LENGTH	1024
-
 /*
  * Perform a SASL exchange with a libpq client, using a specific mechanism
  * implementation.
@@ -103,7 +95,7 @@ CheckSASLAuth(const pg_be_sasl_mech *mech, Port *port, char *shadow_pass,
 
 		/* Get the actual SASL message */
 		initStringInfo(&buf);
-		if (pq_getmessage(&buf, PG_MAX_SASL_MESSAGE_LENGTH))
+		if (pq_getmessage(&buf, mech->max_message_length))
 		{
 			/* EOF - pq_getmessage already logged error */
 			pfree(buf.data);
diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index ee7f52218a..4049ace470 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -118,7 +118,9 @@ static int	scram_exchange(void *opaq, const char *input, int inputlen,
 const pg_be_sasl_mech pg_be_scram_mech = {
 	scram_get_mechanisms,
 	scram_init,
-	scram_exchange
+	scram_exchange,
+
+	PG_MAX_SASL_MESSAGE_LENGTH
 };
 
 /*
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 4a8a63922a..17042d84ad 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -30,6 +30,7 @@
 #include "libpq/auth.h"
 #include "libpq/crypt.h"
 #include "libpq/libpq.h"
+#include "libpq/oauth.h"
 #include "libpq/pqformat.h"
 #include "libpq/sasl.h"
 #include "libpq/scram.h"
@@ -298,6 +299,9 @@ auth_failed(Port *port, int status, const char *logdetail)
 		case uaRADIUS:
 			errstr = gettext_noop("RADIUS authentication failed for user \"%s\"");
 			break;
+		case uaOAuth:
+			errstr = gettext_noop("OAuth bearer authentication failed for user \"%s\"");
+			break;
 		case uaCustom:
 			{
 				CustomAuthProvider *provider = get_provider_by_name(port->hba->custom_provider);
@@ -626,6 +630,9 @@ ClientAuthentication(Port *port)
 		case uaTrust:
 			status = STATUS_OK;
 			break;
+		case uaOAuth:
+			status = CheckSASLAuth(&pg_be_oauth_mech, port, NULL, NULL);
+			break;
 		case uaCustom:
 			{
 				CustomAuthProvider *provider = get_provider_by_name(port->hba->custom_provider);
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 42cb1ce51d..cd3b1cc140 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -136,7 +136,8 @@ static const char *const UserAuthName[] =
 	"cert",
 	"radius",
 	"custom",
-	"peer"
+	"peer",
+	"oauth",
 };
 
 
@@ -1401,6 +1402,8 @@ parse_hba_line(TokenizedLine *tok_line, int elevel)
 #endif
 	else if (strcmp(token->string, "radius") == 0)
 		parsedline->auth_method = uaRADIUS;
+	else if (strcmp(token->string, "oauth") == 0)
+		parsedline->auth_method = uaOAuth;
 	else if (strcmp(token->string, "custom") == 0)
 		parsedline->auth_method = uaCustom;
 	else
@@ -1730,8 +1733,9 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
 			hbaline->auth_method != uaGSS &&
 			hbaline->auth_method != uaSSPI &&
 			hbaline->auth_method != uaCert &&
+			hbaline->auth_method != uaOAuth &&
 			hbaline->auth_method != uaCustom)
-			INVALID_AUTH_OPTION("map", gettext_noop("ident, peer, gssapi, sspi, cert and custom"));
+			INVALID_AUTH_OPTION("map", gettext_noop("ident, peer, gssapi, sspi, cert, oauth, and custom"));
 		hbaline->usermap = pstrdup(val);
 	}
 	else if (strcmp(name, "clientcert") == 0)
@@ -2115,6 +2119,27 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
 		hbaline->radiusidentifiers = parsed_identifiers;
 		hbaline->radiusidentifiers_s = pstrdup(val);
 	}
+	else if (strcmp(name, "issuer") == 0)
+	{
+		if (hbaline->auth_method != uaOAuth)
+			INVALID_AUTH_OPTION("issuer", gettext_noop("oauth"));
+		hbaline->oauth_issuer = pstrdup(val);
+	}
+	else if (strcmp(name, "scope") == 0)
+	{
+		if (hbaline->auth_method != uaOAuth)
+			INVALID_AUTH_OPTION("scope", gettext_noop("oauth"));
+		hbaline->oauth_scope = pstrdup(val);
+	}
+	else if (strcmp(name, "trust_validator_authz") == 0)
+	{
+		if (hbaline->auth_method != uaOAuth)
+			INVALID_AUTH_OPTION("trust_validator_authz", gettext_noop("oauth"));
+		if (strcmp(val, "1") == 0)
+			hbaline->oauth_skip_usermap = true;
+		else
+			hbaline->oauth_skip_usermap = false;
+	}
 	else if (strcmp(name, "provider") == 0)
 	{
 		REQUIRE_AUTH_OPTION(uaCustom, "provider", "custom");
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index f70f7f5c01..9a5b2aa496 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -59,6 +59,7 @@
 #include "libpq/auth.h"
 #include "libpq/libpq.h"
 #include "libpq/pqformat.h"
+#include "libpq/oauth.h"
 #include "miscadmin.h"
 #include "optimizer/cost.h"
 #include "optimizer/geqo.h"
@@ -4666,6 +4667,17 @@ static struct config_string ConfigureNamesString[] =
 		check_backtrace_functions, assign_backtrace_functions, NULL
 	},
 
+	{
+		{"oauth_validator_command", PGC_SIGHUP, CONN_AUTH_AUTH,
+			gettext_noop("Command to validate OAuth v2 bearer tokens."),
+			NULL,
+			GUC_SUPERUSER_ONLY
+		},
+		&oauth_validator_command,
+		"",
+		NULL, NULL, NULL
+	},
+
 	/* End-of-list marker */
 	{
 		{NULL, 0, 0, NULL, NULL}, NULL, NULL, NULL, NULL, NULL
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index 31a00c4b71..e405103a2e 100644
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -39,8 +39,9 @@ typedef enum UserAuth
 	uaCert,
 	uaRADIUS,
 	uaCustom,
-	uaPeer
-#define USER_AUTH_LAST uaPeer	/* Must be last value of this enum */
+	uaPeer,
+	uaOAuth
+#define USER_AUTH_LAST uaOAuth	/* Must be last value of this enum */
 } UserAuth;
 
 /*
@@ -128,6 +129,9 @@ typedef struct HbaLine
 	char	   *radiusidentifiers_s;
 	List	   *radiusports;
 	char	   *radiusports_s;
+	char	   *oauth_issuer;
+	char	   *oauth_scope;
+	bool		oauth_skip_usermap;
 	char	   *custom_provider;
 	List	   *custom_auth_options;
 } HbaLine;
diff --git a/src/include/libpq/oauth.h b/src/include/libpq/oauth.h
new file mode 100644
index 0000000000..870e426af1
--- /dev/null
+++ b/src/include/libpq/oauth.h
@@ -0,0 +1,24 @@
+/*-------------------------------------------------------------------------
+ *
+ * oauth.h
+ *	  Interface to libpq/auth-oauth.c
+ *
+ * Portions Copyright (c) 1996-2021, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ * src/include/libpq/oauth.h
+ *
+ *-------------------------------------------------------------------------
+ */
+#ifndef PG_OAUTH_H
+#define PG_OAUTH_H
+
+#include "libpq/libpq-be.h"
+#include "libpq/sasl.h"
+
+extern char *oauth_validator_command;
+
+/* Implementation */
+extern const pg_be_sasl_mech pg_be_oauth_mech;
+
+#endif /* PG_OAUTH_H */
diff --git a/src/include/libpq/sasl.h b/src/include/libpq/sasl.h
index 39ccf8f0e3..f7d905591a 100644
--- a/src/include/libpq/sasl.h
+++ b/src/include/libpq/sasl.h
@@ -26,6 +26,14 @@
 #define PG_SASL_EXCHANGE_SUCCESS		1
 #define PG_SASL_EXCHANGE_FAILURE		2
 
+/*
+ * Maximum accepted size of SASL messages.
+ *
+ * The messages that the server or libpq generate are much smaller than this,
+ * but have some headroom.
+ */
+#define PG_MAX_SASL_MESSAGE_LENGTH	1024
+
 /*
  * Backend SASL mechanism callbacks.
  *
@@ -127,6 +135,9 @@ typedef struct pg_be_sasl_mech
 							 const char *input, int inputlen,
 							 char **output, int *outputlen,
 							 const char **logdetail);
+
+	/* The maximum size allowed for client SASLResponses. */
+	int			max_message_length;
 } pg_be_sasl_mech;
 
 /* Common implementation for auth.c */
-- 
2.25.1

From 9dd8e024fde29239829e822b8f2b82028044cd8b Mon Sep 17 00:00:00 2001
From: Jacob Champion <pchampion@vmware.com>
Date: Tue, 18 May 2021 15:01:29 -0700
Subject: [PATCH v4 08/10] Add a very simple authn_id extension

...for retrieving the authn_id from the server in tests.
---
 contrib/authn_id/Makefile          | 19 +++++++++++++++++++
 contrib/authn_id/authn_id--1.0.sql |  8 ++++++++
 contrib/authn_id/authn_id.c        | 28 ++++++++++++++++++++++++++++
 contrib/authn_id/authn_id.control  |  5 +++++
 4 files changed, 60 insertions(+)
 create mode 100644 contrib/authn_id/Makefile
 create mode 100644 contrib/authn_id/authn_id--1.0.sql
 create mode 100644 contrib/authn_id/authn_id.c
 create mode 100644 contrib/authn_id/authn_id.control

diff --git a/contrib/authn_id/Makefile b/contrib/authn_id/Makefile
new file mode 100644
index 0000000000..46026358e0
--- /dev/null
+++ b/contrib/authn_id/Makefile
@@ -0,0 +1,19 @@
+# contrib/authn_id/Makefile
+
+MODULE_big = authn_id
+OBJS = authn_id.o
+
+EXTENSION = authn_id
+DATA = authn_id--1.0.sql
+PGFILEDESC = "authn_id - information about the authenticated user"
+
+ifdef USE_PGXS
+PG_CONFIG = pg_config
+PGXS := $(shell $(PG_CONFIG) --pgxs)
+include $(PGXS)
+else
+subdir = contrib/authn_id
+top_builddir = ../..
+include $(top_builddir)/src/Makefile.global
+include $(top_srcdir)/contrib/contrib-global.mk
+endif
diff --git a/contrib/authn_id/authn_id--1.0.sql b/contrib/authn_id/authn_id--1.0.sql
new file mode 100644
index 0000000000..af2a4d3991
--- /dev/null
+++ b/contrib/authn_id/authn_id--1.0.sql
@@ -0,0 +1,8 @@
+/* contrib/authn_id/authn_id--1.0.sql */
+
+-- complain if script is sourced in psql, rather than via CREATE EXTENSION
+\echo Use "CREATE EXTENSION authn_id" to load this file. \quit
+
+CREATE FUNCTION authn_id() RETURNS text
+AS 'MODULE_PATHNAME', 'authn_id'
+LANGUAGE C IMMUTABLE;
diff --git a/contrib/authn_id/authn_id.c b/contrib/authn_id/authn_id.c
new file mode 100644
index 0000000000..0fecac36a8
--- /dev/null
+++ b/contrib/authn_id/authn_id.c
@@ -0,0 +1,28 @@
+/*
+ * Extension to expose the current user's authn_id.
+ *
+ * contrib/authn_id/authn_id.c
+ */
+
+#include "postgres.h"
+
+#include "fmgr.h"
+#include "libpq/libpq-be.h"
+#include "miscadmin.h"
+#include "utils/builtins.h"
+
+PG_MODULE_MAGIC;
+
+PG_FUNCTION_INFO_V1(authn_id);
+
+/*
+ * Returns the current user's authenticated identity.
+ */
+Datum
+authn_id(PG_FUNCTION_ARGS)
+{
+	if (!MyProcPort->authn_id)
+		PG_RETURN_NULL();
+
+	PG_RETURN_TEXT_P(cstring_to_text(MyProcPort->authn_id));
+}
diff --git a/contrib/authn_id/authn_id.control b/contrib/authn_id/authn_id.control
new file mode 100644
index 0000000000..e0f9e06bed
--- /dev/null
+++ b/contrib/authn_id/authn_id.control
@@ -0,0 +1,5 @@
+# authn_id extension
+comment = 'current user identity'
+default_version = '1.0'
+module_pathname = '$libdir/authn_id'
+relocatable = true
-- 
2.25.1

From 575431b4e035c266b55a25414f802fbf8ba16b97 Mon Sep 17 00:00:00 2001
From: Samay Sharma <smilingsamay@gmail.com>
Date: Tue, 15 Feb 2022 22:23:29 -0800
Subject: [PATCH v4 01/10] Add support for custom authentication methods

Currently, PostgreSQL supports only a set of pre-defined authentication
methods. This patch adds support for 2 hooks which allow users to add
their custom authentication methods by defining a check function and an
error function. Users can then use these methods by using a new "custom"
keyword in pg_hba.conf and specifying the authentication provider they
want to use.
---
 src/backend/libpq/auth.c | 108 ++++++++++++++++++++++++++++++++-------
 src/backend/libpq/hba.c  |  44 ++++++++++++++++
 src/include/libpq/auth.h |  37 ++++++++++++++
 src/include/libpq/hba.h  |   2 +
 4 files changed, 172 insertions(+), 19 deletions(-)

diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index efc53f3135..375ee33892 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -47,8 +47,6 @@
  *----------------------------------------------------------------
  */
 static void auth_failed(Port *port, int status, const char *logdetail);
-static char *recv_password_packet(Port *port);
-static void set_authn_id(Port *port, const char *id);
 
 
 /*----------------------------------------------------------------
@@ -206,22 +204,11 @@ static int	pg_SSPI_make_upn(char *accountname,
 static int	CheckRADIUSAuth(Port *port);
 static int	PerformRadiusTransaction(const char *server, const char *secret, const char *portstr, const char *identifier, const char *user_name, const char *passwd);
 
-
-/*
- * Maximum accepted size of GSS and SSPI authentication tokens.
- * We also use this as a limit on ordinary password packet lengths.
- *
- * Kerberos tickets are usually quite small, but the TGTs issued by Windows
- * domain controllers include an authorization field known as the Privilege
- * Attribute Certificate (PAC), which contains the user's Windows permissions
- * (group memberships etc.). The PAC is copied into all tickets obtained on
- * the basis of this TGT (even those issued by Unix realms which the Windows
- * realm trusts), and can be several kB in size. The maximum token size
- * accepted by Windows systems is determined by the MaxAuthToken Windows
- * registry setting. Microsoft recommends that it is not set higher than
- * 65535 bytes, so that seems like a reasonable limit for us as well.
+/*----------------------------------------------------------------
+ * Custom Authentication
+ *----------------------------------------------------------------
  */
-#define PG_MAX_AUTH_TOKEN_LENGTH	65535
+static List *custom_auth_providers = NIL;
 
 /*----------------------------------------------------------------
  * Global authentication functions
@@ -311,6 +298,15 @@ auth_failed(Port *port, int status, const char *logdetail)
 		case uaRADIUS:
 			errstr = gettext_noop("RADIUS authentication failed for user \"%s\"");
 			break;
+		case uaCustom:
+			{
+				CustomAuthProvider *provider = get_provider_by_name(port->hba->custom_provider);
+				if (provider->auth_error_hook)
+					errstr = provider->auth_error_hook(port);
+				else
+					errstr = gettext_noop("Custom authentication failed for user \"%s\"");
+				break;
+			}
 		default:
 			errstr = gettext_noop("authentication failed for user \"%s\": invalid authentication method");
 			break;
@@ -345,7 +341,7 @@ auth_failed(Port *port, int status, const char *logdetail)
  * lifetime of the Port, so it is safe to pass a string that is managed by an
  * external library.
  */
-static void
+void
 set_authn_id(Port *port, const char *id)
 {
 	Assert(id);
@@ -630,6 +626,13 @@ ClientAuthentication(Port *port)
 		case uaTrust:
 			status = STATUS_OK;
 			break;
+		case uaCustom:
+			{
+				CustomAuthProvider *provider = get_provider_by_name(port->hba->custom_provider);
+				if (provider->auth_check_hook)
+					status = provider->auth_check_hook(port);
+				break;
+			}
 	}
 
 	if ((status == STATUS_OK && port->hba->clientcert == clientCertFull)
@@ -689,7 +692,7 @@ sendAuthRequest(Port *port, AuthRequest areq, const char *extradata, int extrale
  *
  * Returns NULL if couldn't get password, else palloc'd string.
  */
-static char *
+char *
 recv_password_packet(Port *port)
 {
 	StringInfoData buf;
@@ -3343,3 +3346,70 @@ PerformRadiusTransaction(const char *server, const char *secret, const char *por
 		}
 	}							/* while (true) */
 }
+
+/*----------------------------------------------------------------
+ * Custom authentication
+ *----------------------------------------------------------------
+ */
+
+/*
+ * RegisterAuthProvider registers a custom authentication provider to be
+ * used for authentication. It validates the inputs and adds the provider
+ * name and it's hooks to a list of loaded providers. The right provider's
+ * hooks can then be called based on the provider name specified in
+ * pg_hba.conf.
+ *
+ * This function should be called in _PG_init() by any extension looking to
+ * add a custom authentication method.
+ */
+void RegisterAuthProvider(const char *provider_name,
+		CustomAuthenticationCheck_hook_type AuthenticationCheckFunction,
+		CustomAuthenticationError_hook_type AuthenticationErrorFunction)
+{
+	CustomAuthProvider *provider = NULL;
+	MemoryContext old_context;
+
+	if (provider_name == NULL)
+	{
+		ereport(ERROR,
+				(errmsg("cannot register authentication provider without name")));
+	}
+
+	if (AuthenticationCheckFunction == NULL)
+	{
+		ereport(ERROR,
+				(errmsg("cannot register authentication provider without a check function")));
+	}
+
+	/*
+	 * Allocate in top memory context as we need to read this whenever
+	 * we parse pg_hba.conf
+	 */
+	old_context = MemoryContextSwitchTo(TopMemoryContext);
+	provider = palloc(sizeof(CustomAuthProvider));
+	provider->name = MemoryContextStrdup(TopMemoryContext,provider_name);
+	provider->auth_check_hook = AuthenticationCheckFunction;
+	provider->auth_error_hook = AuthenticationErrorFunction;
+	custom_auth_providers = lappend(custom_auth_providers, provider);
+	MemoryContextSwitchTo(old_context);
+}
+
+/*
+ * Returns the authentication provider (which includes it's
+ * callback functions) based on name specified.
+ */
+CustomAuthProvider *get_provider_by_name(const char *name)
+{
+	ListCell *lc;
+
+	foreach(lc, custom_auth_providers)
+	{
+		CustomAuthProvider *provider = (CustomAuthProvider *) lfirst(lc);
+		if (strcmp(provider->name,name) == 0)
+		{
+			return provider;
+		}
+	}
+
+	return NULL;
+}
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 90953c38f3..9f15252789 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -31,6 +31,7 @@
 #include "common/ip.h"
 #include "common/string.h"
 #include "funcapi.h"
+#include "libpq/auth.h"
 #include "libpq/ifaddr.h"
 #include "libpq/libpq.h"
 #include "miscadmin.h"
@@ -134,6 +135,7 @@ static const char *const UserAuthName[] =
 	"ldap",
 	"cert",
 	"radius",
+	"custom",
 	"peer"
 };
 
@@ -1399,6 +1401,8 @@ parse_hba_line(TokenizedLine *tok_line, int elevel)
 #endif
 	else if (strcmp(token->string, "radius") == 0)
 		parsedline->auth_method = uaRADIUS;
+	else if (strcmp(token->string, "custom") == 0)
+		parsedline->auth_method = uaCustom;
 	else
 	{
 		ereport(elevel,
@@ -1691,6 +1695,14 @@ parse_hba_line(TokenizedLine *tok_line, int elevel)
 		parsedline->clientcert = clientCertFull;
 	}
 
+	/*
+	 * Ensure that the provider name is specified for custom authentication method.
+	 */
+	if (parsedline->auth_method == uaCustom)
+	{
+		MANDATORY_AUTH_ARG(parsedline->custom_provider, "provider", "custom");
+	}
+
 	return parsedline;
 }
 
@@ -2102,6 +2114,31 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
 		hbaline->radiusidentifiers = parsed_identifiers;
 		hbaline->radiusidentifiers_s = pstrdup(val);
 	}
+	else if (strcmp(name, "provider") == 0)
+	{
+		REQUIRE_AUTH_OPTION(uaCustom, "provider", "custom");
+
+		/*
+		 * Verify that the provider mentioned is loaded via shared_preload_libraries.
+		 */
+
+		if (get_provider_by_name(val) == NULL)
+		{
+			ereport(elevel,
+					(errcode(ERRCODE_CONFIG_FILE_ERROR),
+					 errmsg("cannot use authentication provider %s",val),
+					 errhint("Load authentication provider via shared_preload_libraries."),
+					 errcontext("line %d of configuration file \"%s\"",
+							line_num, HbaFileName)));
+			*err_msg = psprintf("cannot use authentication provider %s", val);
+
+			return false;
+		}
+		else
+		{
+			hbaline->custom_provider = pstrdup(val);
+		}
+	}
 	else
 	{
 		ereport(elevel,
@@ -2442,6 +2479,13 @@ gethba_options(HbaLine *hba)
 				CStringGetTextDatum(psprintf("radiusports=%s", hba->radiusports_s));
 	}
 
+	if (hba->auth_method == uaCustom)
+	{
+		if (hba->custom_provider)
+			options[noptions++] =
+				CStringGetTextDatum(psprintf("provider=%s",hba->custom_provider));
+	}
+
 	/* If you add more options, consider increasing MAX_HBA_OPTIONS. */
 	Assert(noptions <= MAX_HBA_OPTIONS);
 
diff --git a/src/include/libpq/auth.h b/src/include/libpq/auth.h
index 6d7ee1acb9..7aff98d919 100644
--- a/src/include/libpq/auth.h
+++ b/src/include/libpq/auth.h
@@ -23,9 +23,46 @@ extern char *pg_krb_realm;
 extern void ClientAuthentication(Port *port);
 extern void sendAuthRequest(Port *port, AuthRequest areq, const char *extradata,
 							int extralen);
+extern void set_authn_id(Port *port, const char *id);
+extern char *recv_password_packet(Port *port);
 
 /* Hook for plugins to get control in ClientAuthentication() */
+typedef int (*CustomAuthenticationCheck_hook_type) (Port *);
 typedef void (*ClientAuthentication_hook_type) (Port *, int);
 extern PGDLLIMPORT ClientAuthentication_hook_type ClientAuthentication_hook;
 
+/* Hook for plugins to report error messages in auth_failed() */
+typedef const char * (*CustomAuthenticationError_hook_type) (Port *);
+
+extern void RegisterAuthProvider
+		(const char *provider_name,
+		 CustomAuthenticationCheck_hook_type CustomAuthenticationCheck_hook,
+		 CustomAuthenticationError_hook_type CustomAuthenticationError_hook);
+
+/* Declarations for custom authentication providers */
+typedef struct CustomAuthProvider
+{
+	const char *name;
+	CustomAuthenticationCheck_hook_type auth_check_hook;
+	CustomAuthenticationError_hook_type auth_error_hook;
+} CustomAuthProvider;
+
+extern CustomAuthProvider *get_provider_by_name(const char *name);
+
+/*
+ * Maximum accepted size of GSS and SSPI authentication tokens.
+ * We also use this as a limit on ordinary password packet lengths.
+ *
+ * Kerberos tickets are usually quite small, but the TGTs issued by Windows
+ * domain controllers include an authorization field known as the Privilege
+ * Attribute Certificate (PAC), which contains the user's Windows permissions
+ * (group memberships etc.). The PAC is copied into all tickets obtained on
+ * the basis of this TGT (even those issued by Unix realms which the Windows
+ * realm trusts), and can be several kB in size. The maximum token size
+ * accepted by Windows systems is determined by the MaxAuthToken Windows
+ * registry setting. Microsoft recommends that it is not set higher than
+ * 65535 bytes, so that seems like a reasonable limit for us as well.
+ */
+#define PG_MAX_AUTH_TOKEN_LENGTH	65535
+
 #endif							/* AUTH_H */
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index 8d9f3821b1..48490c44ed 100644
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -38,6 +38,7 @@ typedef enum UserAuth
 	uaLDAP,
 	uaCert,
 	uaRADIUS,
+	uaCustom,
 	uaPeer
 #define USER_AUTH_LAST uaPeer	/* Must be last value of this enum */
 } UserAuth;
@@ -120,6 +121,7 @@ typedef struct HbaLine
 	char	   *radiusidentifiers_s;
 	List	   *radiusports;
 	char	   *radiusports_s;
+	char	   *custom_provider;
 } HbaLine;
 
 typedef struct IdentLine
-- 
2.25.1

From cb4131d8424861826e443708bc0f4e6baa76c871 Mon Sep 17 00:00:00 2001
From: Samay Sharma <smilingsamay@gmail.com>
Date: Tue, 15 Feb 2022 22:28:40 -0800
Subject: [PATCH v4 02/10] Add sample extension to test custom auth provider
 hooks

This change adds a new extension to src/test/modules to
test the custom authentication provider hooks. In this
extension, we use an array to define which users to
authenticate and what passwords to use. We then get
encrypted passwords from the client and match them with
the encrypted version of the password in the array.
---
 src/include/libpq/scram.h                     |  2 +-
 src/test/modules/test_auth_provider/Makefile  | 16 ++++
 .../test_auth_provider/test_auth_provider.c   | 86 +++++++++++++++++++
 3 files changed, 103 insertions(+), 1 deletion(-)
 create mode 100644 src/test/modules/test_auth_provider/Makefile
 create mode 100644 src/test/modules/test_auth_provider/test_auth_provider.c

diff --git a/src/include/libpq/scram.h b/src/include/libpq/scram.h
index e60992a0d2..c51e848c24 100644
--- a/src/include/libpq/scram.h
+++ b/src/include/libpq/scram.h
@@ -18,7 +18,7 @@
 #include "libpq/sasl.h"
 
 /* SASL implementation callbacks */
-extern const pg_be_sasl_mech pg_be_scram_mech;
+extern PGDLLIMPORT const pg_be_sasl_mech pg_be_scram_mech;
 
 /* Routines to handle and check SCRAM-SHA-256 secret */
 extern char *pg_be_scram_build_secret(const char *password);
diff --git a/src/test/modules/test_auth_provider/Makefile b/src/test/modules/test_auth_provider/Makefile
new file mode 100644
index 0000000000..17971a5c7a
--- /dev/null
+++ b/src/test/modules/test_auth_provider/Makefile
@@ -0,0 +1,16 @@
+# src/test/modules/test_auth_provider/Makefile
+
+MODULE_big = test_auth_provider
+OBJS = test_auth_provider.o
+PGFILEDESC = "test_auth_provider - provider to test auth hooks"
+
+ifdef USE_PGXS
+PG_CONFIG = pg_config
+PGXS := $(shell $(PG_CONFIG) --pgxs)
+include $(PGXS)
+else
+subdir = src/test/modules/test_auth_provider
+top_builddir = ../../../..
+include $(top_builddir)/src/Makefile.global
+include $(top_srcdir)/contrib/contrib-global.mk
+endif
diff --git a/src/test/modules/test_auth_provider/test_auth_provider.c b/src/test/modules/test_auth_provider/test_auth_provider.c
new file mode 100644
index 0000000000..7c4b1f3500
--- /dev/null
+++ b/src/test/modules/test_auth_provider/test_auth_provider.c
@@ -0,0 +1,86 @@
+/* -------------------------------------------------------------------------
+ *
+ * test_auth_provider.c
+ *			example authentication provider plugin
+ *
+ * Copyright (c) 2022, PostgreSQL Global Development Group
+ *
+ * IDENTIFICATION
+ *		contrib/test_auth_provider/test_auth_provider.c
+ *
+ * -------------------------------------------------------------------------
+ */
+
+#include "postgres.h"
+#include "fmgr.h"
+#include "libpq/auth.h"
+#include "libpq/libpq.h"
+#include "libpq/scram.h"
+
+PG_MODULE_MAGIC;
+
+void _PG_init(void);
+
+static char *get_encrypted_password_for_user(char *user_name);
+
+/*
+ * List of usernames / passwords to approve. Here we are not
+ * getting passwords from Postgres but from this list. In a more real-life
+ * extension, you can fetch valid credentials and authentication tokens /
+ * passwords from an external authentication provider.
+ */
+char credentials[3][3][50] = {
+	{"bob","alice","carol"},
+	{"bob123","alice123","carol123"}
+};
+
+static int TestAuthenticationCheck(Port *port)
+{
+	int result = STATUS_ERROR;
+	char *real_pass;
+	const char *logdetail = NULL;
+
+	real_pass = get_encrypted_password_for_user(port->user_name);
+	if (real_pass)
+	{
+		result = CheckSASLAuth(&pg_be_scram_mech, port, real_pass, &logdetail);
+		pfree(real_pass);
+	}
+
+	if (result == STATUS_OK)
+		set_authn_id(port, port->user_name);
+
+	return result;
+}
+
+/*
+ * Get SCRAM encrypted version of the password for user.
+ */
+static char *
+get_encrypted_password_for_user(char *user_name)
+{
+	char *password = NULL;
+	int i;
+	for (i=0; i<3; i++)
+	{
+		if (strcmp(user_name, credentials[0][i]) == 0)
+		{
+			password = pstrdup(pg_be_scram_build_secret(credentials[1][i]));
+		}
+	}
+
+	return password;
+}
+
+static const char *TestAuthenticationError(Port *port)
+{
+	char *error_message = (char *)palloc (100);
+	sprintf(error_message, "Test authentication failed for user %s", port->user_name);
+	return error_message;
+}
+
+void
+_PG_init(void)
+{
+	RegisterAuthProvider("test", TestAuthenticationCheck, TestAuthenticationError);
+}
-- 
2.25.1

From 24702486bfaca691d6ca9388544fb23e6d765055 Mon Sep 17 00:00:00 2001
From: Samay Sharma <smilingsamay@gmail.com>
Date: Wed, 16 Feb 2022 12:28:36 -0800
Subject: [PATCH v4 03/10] Add tests for test_auth_provider extension

Add tap tests for test_auth_provider extension allow make check in
src/test/modules to run them.
---
 src/test/modules/Makefile                     |   1 +
 src/test/modules/test_auth_provider/Makefile  |   2 +
 .../test_auth_provider/t/001_custom_auth.pl   | 125 ++++++++++++++++++
 3 files changed, 128 insertions(+)
 create mode 100644 src/test/modules/test_auth_provider/t/001_custom_auth.pl

diff --git a/src/test/modules/Makefile b/src/test/modules/Makefile
index 9090226daa..d0d461ef9e 100644
--- a/src/test/modules/Makefile
+++ b/src/test/modules/Makefile
@@ -14,6 +14,7 @@ SUBDIRS = \
 		  plsample \
 		  snapshot_too_old \
 		  spgist_name_ops \
+		  test_auth_provider \
 		  test_bloomfilter \
 		  test_ddl_deparse \
 		  test_extensions \
diff --git a/src/test/modules/test_auth_provider/Makefile b/src/test/modules/test_auth_provider/Makefile
index 17971a5c7a..7d601cf7d5 100644
--- a/src/test/modules/test_auth_provider/Makefile
+++ b/src/test/modules/test_auth_provider/Makefile
@@ -4,6 +4,8 @@ MODULE_big = test_auth_provider
 OBJS = test_auth_provider.o
 PGFILEDESC = "test_auth_provider - provider to test auth hooks"
 
+TAP_TESTS = 1
+
 ifdef USE_PGXS
 PG_CONFIG = pg_config
 PGXS := $(shell $(PG_CONFIG) --pgxs)
diff --git a/src/test/modules/test_auth_provider/t/001_custom_auth.pl b/src/test/modules/test_auth_provider/t/001_custom_auth.pl
new file mode 100644
index 0000000000..3b7472dc7f
--- /dev/null
+++ b/src/test/modules/test_auth_provider/t/001_custom_auth.pl
@@ -0,0 +1,125 @@
+
+# Copyright (c) 2021-2022, PostgreSQL Global Development Group
+
+# Set of tests for testing custom authentication hooks.
+
+use strict;
+use warnings;
+use PostgreSQL::Test::Cluster;
+use PostgreSQL::Test::Utils;
+use Test::More;
+
+# Delete pg_hba.conf from the given node, add a new entry to it
+# and then execute a reload to refresh it.
+sub reset_pg_hba
+{
+	my $node       = shift;
+	my $hba_method = shift;
+
+	unlink($node->data_dir . '/pg_hba.conf');
+	# just for testing purposes, use a continuation line
+	$node->append_conf('pg_hba.conf', "local all all\\\n $hba_method");
+	$node->reload;
+	return;
+}
+
+# Test if you get expected results in pg_hba_file_rules error column after
+# changing pg_hba.conf and reloading it.
+sub test_hba_reload
+{
+	my ($node, $method, $expected_res) = @_;
+	my $status_string = 'failed';
+	$status_string = 'success' if ($expected_res eq 0);
+	my $testname = "pg_hba.conf reload $status_string for method $method";
+
+	reset_pg_hba($node, $method);
+
+	my ($cmdret, $stdout, $stderr) = $node->psql("postgres",
+		"select count(*) from pg_hba_file_rules where error is not null",extra_params => ['-U','bob']);
+
+	is($stdout, $expected_res, $testname);
+}
+
+# Test access for a single role, useful to wrap all tests into one.  Extra
+# named parameters are passed to connect_ok/fails as-is.
+sub test_role
+{
+	local $Test::Builder::Level = $Test::Builder::Level + 1;
+
+	my ($node, $role, $method, $expected_res, %params) = @_;
+	my $status_string = 'failed';
+	$status_string = 'success' if ($expected_res eq 0);
+
+	my $connstr = "user=$role";
+	my $testname =
+	  "authentication $status_string for method $method, role $role";
+
+	if ($expected_res eq 0)
+	{
+		$node->connect_ok($connstr, $testname, %params);
+	}
+	else
+	{
+		# No checks of the error message, only the status code.
+		$node->connect_fails($connstr, $testname, %params);
+	}
+}
+
+# Initialize server node
+my $node = PostgreSQL::Test::Cluster->new('server');
+$node->init;
+$node->append_conf('postgresql.conf', "log_connections = on\n");
+$node->append_conf('postgresql.conf', "shared_preload_libraries = 'test_auth_provider.so'\n");
+$node->start;
+
+$node->safe_psql('postgres', "CREATE ROLE bob SUPERUSER LOGIN;");
+$node->safe_psql('postgres', "CREATE ROLE alice LOGIN;");
+$node->safe_psql('postgres', "CREATE ROLE test LOGIN;");
+
+# Add custom auth method to pg_hba.conf
+reset_pg_hba($node, 'custom provider=test');
+
+# Test that users are able to login with correct passwords.
+$ENV{"PGPASSWORD"} = 'bob123';
+test_role($node, 'bob', 'custom', 0, log_like => [qr/connection authorized: user=bob/]);
+$ENV{"PGPASSWORD"} = 'alice123';
+test_role($node, 'alice', 'custom', 0, log_like => [qr/connection authorized: user=alice/]);
+
+# Test that bad passwords are rejected.
+$ENV{"PGPASSWORD"} = 'badpassword';
+test_role($node, 'bob', 'custom', 2, log_unlike => [qr/connection authorized:/]);
+test_role($node, 'alice', 'custom', 2, log_unlike => [qr/connection authorized:/]);
+
+# Test that users not in authentication list are rejected.
+test_role($node, 'test', 'custom', 2, log_unlike => [qr/connection authorized:/]);
+
+$ENV{"PGPASSWORD"} = 'bob123';
+
+# Tests for invalid auth options
+
+# Test that an incorrect provider name is not accepted.
+test_hba_reload($node, 'custom provider=wrong', 1);
+
+# Test that specifying provider option with different auth method is not allowed.
+test_hba_reload($node, 'trust provider=test', 1);
+
+# Test that provider name is a mandatory option for custom auth.
+test_hba_reload($node, 'custom', 1);
+
+# Test that correct provider name allows reload to succeed.
+test_hba_reload($node, 'custom provider=test', 0);
+
+# Custom auth modules require mentioning extension in shared_preload_libraries.
+
+# Remove extension from shared_preload_libraries and try to restart.
+$node->adjust_conf('postgresql.conf', 'shared_preload_libraries', "''");
+command_fails(['pg_ctl', '-w', '-D', $node->data_dir, '-l', $node->logfile, 'restart'],'restart with empty shared_preload_libraries failed');
+
+# Fix shared_preload_libraries and confirm that you can now restart.
+$node->adjust_conf('postgresql.conf', 'shared_preload_libraries', "'test_auth_provider.so'");
+command_ok(['pg_ctl', '-w', '-D', $node->data_dir, '-l', $node->logfile,'start'],'restart with correct shared_preload_libraries succeeded');
+
+# Test that we can connect again
+test_role($node, 'bob', 'custom', 0, log_like => [qr/connection authorized: user=bob/]);
+
+done_testing();
-- 
2.25.1

From c30970a354b23f26eaf3e1db7c7d7759f2f828b3 Mon Sep 17 00:00:00 2001
From: Samay Sharma <smilingsamay@gmail.com>
Date: Mon, 14 Mar 2022 14:54:08 -0700
Subject: [PATCH v4 04/10] Add support for "map" and custom auth options

This commit allows extensions to now specify, validate and use
custom options for their custom auth methods. This is done by
exposing a validation function hook which can be defined by
extensions. The valid options are then stored as key / value
pairs which can be used while checking authentication. We also
allow custom auth providers to use the "map" option to use
usermaps.

The test module was updated to use custom options and new tests
were added.
---
 src/backend/libpq/auth.c                      |  4 +-
 src/backend/libpq/hba.c                       | 76 +++++++++++++++----
 src/include/libpq/auth.h                      | 17 +++--
 src/include/libpq/hba.h                       |  8 ++
 .../test_auth_provider/t/001_custom_auth.pl   | 22 ++++++
 .../test_auth_provider/test_auth_provider.c   | 50 +++++++++++-
 6 files changed, 157 insertions(+), 20 deletions(-)

diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 375ee33892..4a8a63922a 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -3364,7 +3364,8 @@ PerformRadiusTransaction(const char *server, const char *secret, const char *por
  */
 void RegisterAuthProvider(const char *provider_name,
 		CustomAuthenticationCheck_hook_type AuthenticationCheckFunction,
-		CustomAuthenticationError_hook_type AuthenticationErrorFunction)
+		CustomAuthenticationError_hook_type AuthenticationErrorFunction,
+		CustomAuthenticationValidateOptions_hook_type AuthenticationOptionsFunction)
 {
 	CustomAuthProvider *provider = NULL;
 	MemoryContext old_context;
@@ -3390,6 +3391,7 @@ void RegisterAuthProvider(const char *provider_name,
 	provider->name = MemoryContextStrdup(TopMemoryContext,provider_name);
 	provider->auth_check_hook = AuthenticationCheckFunction;
 	provider->auth_error_hook = AuthenticationErrorFunction;
+	provider->auth_options_hook = AuthenticationOptionsFunction;
 	custom_auth_providers = lappend(custom_auth_providers, provider);
 	MemoryContextSwitchTo(old_context);
 }
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 9f15252789..42cb1ce51d 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1729,8 +1729,9 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
 			hbaline->auth_method != uaPeer &&
 			hbaline->auth_method != uaGSS &&
 			hbaline->auth_method != uaSSPI &&
-			hbaline->auth_method != uaCert)
-			INVALID_AUTH_OPTION("map", gettext_noop("ident, peer, gssapi, sspi, and cert"));
+			hbaline->auth_method != uaCert &&
+			hbaline->auth_method != uaCustom)
+			INVALID_AUTH_OPTION("map", gettext_noop("ident, peer, gssapi, sspi, cert and custom"));
 		hbaline->usermap = pstrdup(val);
 	}
 	else if (strcmp(name, "clientcert") == 0)
@@ -2121,7 +2122,6 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
 		/*
 		 * Verify that the provider mentioned is loaded via shared_preload_libraries.
 		 */
-
 		if (get_provider_by_name(val) == NULL)
 		{
 			ereport(elevel,
@@ -2129,7 +2129,7 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
 					 errmsg("cannot use authentication provider %s",val),
 					 errhint("Load authentication provider via shared_preload_libraries."),
 					 errcontext("line %d of configuration file \"%s\"",
-							line_num, HbaFileName)));
+								line_num, HbaFileName)));
 			*err_msg = psprintf("cannot use authentication provider %s", val);
 
 			return false;
@@ -2141,15 +2141,55 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
 	}
 	else
 	{
-		ereport(elevel,
-				(errcode(ERRCODE_CONFIG_FILE_ERROR),
-				 errmsg("unrecognized authentication option name: \"%s\"",
-						name),
-				 errcontext("line %d of configuration file \"%s\"",
-							line_num, HbaFileName)));
-		*err_msg = psprintf("unrecognized authentication option name: \"%s\"",
-							name);
-		return false;
+		/*
+		 * Allow custom providers to validate their options if they have an
+		 * option validation function defined.
+		 */
+		if (hbaline->auth_method == uaCustom && (hbaline->custom_provider != NULL))
+		{
+			bool valid_option = false;
+			CustomAuthProvider *provider = get_provider_by_name(hbaline->custom_provider);
+			if (provider->auth_options_hook)
+			{
+				valid_option = provider->auth_options_hook(name, val, hbaline, err_msg);
+				if (valid_option)
+				{
+					CustomOption *option = palloc(sizeof(CustomOption));
+					option->name = pstrdup(name);
+					option->value = pstrdup(val);
+					hbaline->custom_auth_options = lappend(hbaline->custom_auth_options,
+														   option);
+				}
+			}
+			else
+			{
+				*err_msg = psprintf("unrecognized authentication option name: \"%s\"",
+									name);
+			}
+
+			/* Report the error returned by the provider as it is */
+			if (!valid_option)
+			{
+				ereport(elevel,
+						(errcode(ERRCODE_CONFIG_FILE_ERROR),
+						 errmsg("%s", *err_msg),
+						 errcontext("line %d of configuration file \"%s\"",
+									line_num, HbaFileName)));
+				return false;
+			}
+		}
+		else
+		{
+			ereport(elevel,
+					(errcode(ERRCODE_CONFIG_FILE_ERROR),
+					 errmsg("unrecognized authentication option name: \"%s\"",
+							name),
+					 errcontext("line %d of configuration file \"%s\"",
+								line_num, HbaFileName)));
+			*err_msg = psprintf("unrecognized authentication option name: \"%s\"",
+								name);
+			return false;
+		}
 	}
 	return true;
 }
@@ -2484,6 +2524,16 @@ gethba_options(HbaLine *hba)
 		if (hba->custom_provider)
 			options[noptions++] =
 				CStringGetTextDatum(psprintf("provider=%s",hba->custom_provider));
+		if (hba->custom_auth_options)
+		{
+			ListCell *lc;
+			foreach(lc, hba->custom_auth_options)
+			{
+				CustomOption *option = (CustomOption *)lfirst(lc);
+				options[noptions++] =
+					CStringGetTextDatum(psprintf("%s=%s",option->name, option->value));
+			}
+		}
 	}
 
 	/* If you add more options, consider increasing MAX_HBA_OPTIONS. */
diff --git a/src/include/libpq/auth.h b/src/include/libpq/auth.h
index 7aff98d919..cbdc63b4df 100644
--- a/src/include/libpq/auth.h
+++ b/src/include/libpq/auth.h
@@ -31,22 +31,29 @@ typedef int (*CustomAuthenticationCheck_hook_type) (Port *);
 typedef void (*ClientAuthentication_hook_type) (Port *, int);
 extern PGDLLIMPORT ClientAuthentication_hook_type ClientAuthentication_hook;
 
+/* Declarations for custom authentication providers */
+
 /* Hook for plugins to report error messages in auth_failed() */
 typedef const char * (*CustomAuthenticationError_hook_type) (Port *);
 
-extern void RegisterAuthProvider
-		(const char *provider_name,
-		 CustomAuthenticationCheck_hook_type CustomAuthenticationCheck_hook,
-		 CustomAuthenticationError_hook_type CustomAuthenticationError_hook);
+/* Hook for plugins to validate custom authentication options */
+typedef bool (*CustomAuthenticationValidateOptions_hook_type)
+			 (char *, char *, HbaLine *, char **);
 
-/* Declarations for custom authentication providers */
 typedef struct CustomAuthProvider
 {
 	const char *name;
 	CustomAuthenticationCheck_hook_type auth_check_hook;
 	CustomAuthenticationError_hook_type auth_error_hook;
+	CustomAuthenticationValidateOptions_hook_type auth_options_hook;
 } CustomAuthProvider;
 
+extern void RegisterAuthProvider
+		(const char *provider_name,
+		 CustomAuthenticationCheck_hook_type CustomAuthenticationCheck_hook,
+		 CustomAuthenticationError_hook_type CustomAuthenticationError_hook,
+		 CustomAuthenticationValidateOptions_hook_type CustomAuthenticationOptions_hook);
+
 extern CustomAuthProvider *get_provider_by_name(const char *name);
 
 /*
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index 48490c44ed..31a00c4b71 100644
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -78,6 +78,13 @@ typedef enum ClientCertName
 	clientCertDN
 } ClientCertName;
 
+/* Struct for custom options defined by custom auth plugins */
+typedef struct CustomOption
+{
+	char	*name;
+	char	*value;
+}CustomOption;
+
 typedef struct HbaLine
 {
 	int			linenumber;
@@ -122,6 +129,7 @@ typedef struct HbaLine
 	List	   *radiusports;
 	char	   *radiusports_s;
 	char	   *custom_provider;
+	List	   *custom_auth_options;
 } HbaLine;
 
 typedef struct IdentLine
diff --git a/src/test/modules/test_auth_provider/t/001_custom_auth.pl b/src/test/modules/test_auth_provider/t/001_custom_auth.pl
index 3b7472dc7f..e964c2f723 100644
--- a/src/test/modules/test_auth_provider/t/001_custom_auth.pl
+++ b/src/test/modules/test_auth_provider/t/001_custom_auth.pl
@@ -109,6 +109,28 @@ test_hba_reload($node, 'custom', 1);
 # Test that correct provider name allows reload to succeed.
 test_hba_reload($node, 'custom provider=test', 0);
 
+# Tests for custom auth options
+
+# Test that a custom option doesn't work without a provider.
+test_hba_reload($node, 'custom allow=bob', 1);
+
+# Test that options other than allowed ones are not accepted.
+test_hba_reload($node, 'custom provider=test wrong=true', 1);
+
+# Test that only valid values are accepted for allowed options.
+test_hba_reload($node, 'custom provider=test allow=wrong', 1);
+
+# Test that setting allow option for a user doesn't look at the password.
+test_hba_reload($node, 'custom provider=test allow=bob', 0);
+$ENV{"PGPASSWORD"} = 'bad123';
+test_role($node, 'bob', 'custom', 0, log_like => [qr/connection authorized: user=bob/]);
+
+# Password is still checked for other users.
+test_role($node, 'alice', 'custom', 2, log_unlike => [qr/connection authorized:/]);
+
+# Reset the password for future tests.
+$ENV{"PGPASSWORD"} = 'bob123';
+
 # Custom auth modules require mentioning extension in shared_preload_libraries.
 
 # Remove extension from shared_preload_libraries and try to restart.
diff --git a/src/test/modules/test_auth_provider/test_auth_provider.c b/src/test/modules/test_auth_provider/test_auth_provider.c
index 7c4b1f3500..5ac425f5b6 100644
--- a/src/test/modules/test_auth_provider/test_auth_provider.c
+++ b/src/test/modules/test_auth_provider/test_auth_provider.c
@@ -39,7 +39,27 @@ static int TestAuthenticationCheck(Port *port)
 	int result = STATUS_ERROR;
 	char *real_pass;
 	const char *logdetail = NULL;
+	ListCell *lc;
 
+	/*
+	 * If user's name is in the the "allow" list, do not request password
+	 * for them and allow them to authenticate.
+	 */
+	foreach(lc,port->hba->custom_auth_options)
+	{
+		CustomOption *option = (CustomOption *) lfirst(lc);
+		if (strcmp(option->name, "allow") == 0 &&
+			strcmp(option->value, port->user_name) == 0)
+		{
+			set_authn_id(port, port->user_name);
+			return STATUS_OK;
+		}
+	}
+
+	/*
+	 * Encrypt the password and validate that it's the same as the one
+	 * returned by the client.
+	 */
 	real_pass = get_encrypted_password_for_user(port->user_name);
 	if (real_pass)
 	{
@@ -79,8 +99,36 @@ static const char *TestAuthenticationError(Port *port)
 	return error_message;
 }
 
+/*
+ * Returns if the options passed are supported by the extension
+ * and are valid. Currently only "allow" is supported.
+ */
+static bool TestAuthenticationOptions(char *name, char *val, HbaLine *hbaline, char **err_msg)
+{
+	/* Validate that an actual user is in the "allow" list. */
+	if (strcmp(name,"allow") == 0)
+	{
+		for (int i=0;i<3;i++)
+		{
+			if (strcmp(val,credentials[0][i]) == 0)
+			{
+				return true;
+			}
+		}
+
+		*err_msg = psprintf("\"%s\" is not valid value for option \"%s\"", val, name);
+		return false;
+	}
+	else
+	{
+		*err_msg = psprintf("option \"%s\" not recognized by \"%s\" provider", val, hbaline->custom_provider);
+		return false;
+	}
+}
+
 void
 _PG_init(void)
 {
-	RegisterAuthProvider("test", TestAuthenticationCheck, TestAuthenticationError);
+	RegisterAuthProvider("test", TestAuthenticationCheck,
+						 TestAuthenticationError,TestAuthenticationOptions);
 }
-- 
2.25.1

From 0ca324b52c94760e799974e5661fe29c3912d2d8 Mon Sep 17 00:00:00 2001
From: Jacob Champion <pchampion@vmware.com>
Date: Mon, 3 May 2021 15:38:26 -0700
Subject: [PATCH v4 05/10] common/jsonapi: support FRONTEND clients

Based on a patch by Michael Paquier.

For frontend code, use PQExpBuffer instead of StringInfo. This requires
us to track allocation failures so that we can return JSON_OUT_OF_MEMORY
as needed. json_errdetail() now allocates its error message inside
memory owned by the JsonLexContext, so clients don't need to worry about
freeing it.

For convenience, the backend now has destroyJsonLexContext() to mirror
other create/destroy APIs. The frontend has init/term versions of the
API to handle stack-allocated JsonLexContexts.

We can now partially revert b44669b2ca, now that json_errdetail() works
correctly.
---
 src/backend/utils/adt/jsonfuncs.c             |   4 +-
 src/bin/pg_verifybackup/parse_manifest.c      |  13 +-
 src/bin/pg_verifybackup/t/005_bad_manifest.pl |   2 +-
 src/common/Makefile                           |   2 +-
 src/common/jsonapi.c                          | 290 +++++++++++++-----
 src/include/common/jsonapi.h                  |  47 ++-
 6 files changed, 270 insertions(+), 88 deletions(-)

diff --git a/src/backend/utils/adt/jsonfuncs.c b/src/backend/utils/adt/jsonfuncs.c
index 29664aa6e4..7d32a99d8c 100644
--- a/src/backend/utils/adt/jsonfuncs.c
+++ b/src/backend/utils/adt/jsonfuncs.c
@@ -723,9 +723,7 @@ json_object_keys(PG_FUNCTION_ARGS)
 		pg_parse_json_or_ereport(lex, sem);
 		/* keys are now in state->result */
 
-		pfree(lex->strval->data);
-		pfree(lex->strval);
-		pfree(lex);
+		destroyJsonLexContext(lex);
 		pfree(sem);
 
 		MemoryContextSwitchTo(oldcontext);
diff --git a/src/bin/pg_verifybackup/parse_manifest.c b/src/bin/pg_verifybackup/parse_manifest.c
index 6364b01282..4b38fd3963 100644
--- a/src/bin/pg_verifybackup/parse_manifest.c
+++ b/src/bin/pg_verifybackup/parse_manifest.c
@@ -119,7 +119,7 @@ void
 json_parse_manifest(JsonManifestParseContext *context, char *buffer,
 					size_t size)
 {
-	JsonLexContext *lex;
+	JsonLexContext lex = {0};
 	JsonParseErrorType json_error;
 	JsonSemAction sem;
 	JsonManifestParseState parse;
@@ -129,8 +129,8 @@ json_parse_manifest(JsonManifestParseContext *context, char *buffer,
 	parse.state = JM_EXPECT_TOPLEVEL_START;
 	parse.saw_version_field = false;
 
-	/* Create a JSON lexing context. */
-	lex = makeJsonLexContextCstringLen(buffer, size, PG_UTF8, true);
+	/* Initialize a JSON lexing context. */
+	initJsonLexContextCstringLen(&lex, buffer, size, PG_UTF8, true);
 
 	/* Set up semantic actions. */
 	sem.semstate = &parse;
@@ -145,14 +145,17 @@ json_parse_manifest(JsonManifestParseContext *context, char *buffer,
 	sem.scalar = json_manifest_scalar;
 
 	/* Run the actual JSON parser. */
-	json_error = pg_parse_json(lex, &sem);
+	json_error = pg_parse_json(&lex, &sem);
 	if (json_error != JSON_SUCCESS)
-		json_manifest_parse_failure(context, "parsing failed");
+		json_manifest_parse_failure(context, json_errdetail(json_error, &lex));
 	if (parse.state != JM_EXPECT_EOF)
 		json_manifest_parse_failure(context, "manifest ended unexpectedly");
 
 	/* Verify the manifest checksum. */
 	verify_manifest_checksum(&parse, buffer, size);
+
+	/* Clean up. */
+	termJsonLexContext(&lex);
 }
 
 /*
diff --git a/src/bin/pg_verifybackup/t/005_bad_manifest.pl b/src/bin/pg_verifybackup/t/005_bad_manifest.pl
index 118beb53d7..f2692972fe 100644
--- a/src/bin/pg_verifybackup/t/005_bad_manifest.pl
+++ b/src/bin/pg_verifybackup/t/005_bad_manifest.pl
@@ -16,7 +16,7 @@ my $tempdir = PostgreSQL::Test::Utils::tempdir;
 
 test_bad_manifest(
 	'input string ended unexpectedly',
-	qr/could not parse backup manifest: parsing failed/,
+	qr/could not parse backup manifest: The input string ended unexpectedly/,
 	<<EOM);
 {
 EOM
diff --git a/src/common/Makefile b/src/common/Makefile
index f627349835..694da03658 100644
--- a/src/common/Makefile
+++ b/src/common/Makefile
@@ -40,7 +40,7 @@ override CPPFLAGS += -DVAL_LDFLAGS_EX="\"$(LDFLAGS_EX)\""
 override CPPFLAGS += -DVAL_LDFLAGS_SL="\"$(LDFLAGS_SL)\""
 override CPPFLAGS += -DVAL_LIBS="\"$(LIBS)\""
 
-override CPPFLAGS := -DFRONTEND -I. -I$(top_srcdir)/src/common $(CPPFLAGS)
+override CPPFLAGS := -DFRONTEND -I. -I$(top_srcdir)/src/common -I$(libpq_srcdir) $(CPPFLAGS)
 LIBS += $(PTHREAD_LIBS)
 
 # If you add objects here, see also src/tools/msvc/Mkvcbuild.pm
diff --git a/src/common/jsonapi.c b/src/common/jsonapi.c
index 6666077a93..7fc5eaf460 100644
--- a/src/common/jsonapi.c
+++ b/src/common/jsonapi.c
@@ -20,10 +20,39 @@
 #include "common/jsonapi.h"
 #include "mb/pg_wchar.h"
 
-#ifndef FRONTEND
+#ifdef FRONTEND
+#include "pqexpbuffer.h"
+#else
+#include "lib/stringinfo.h"
 #include "miscadmin.h"
 #endif
 
+/*
+ * In backend, we will use palloc/pfree along with StringInfo.  In frontend, use
+ * malloc and PQExpBuffer, and return JSON_OUT_OF_MEMORY on out-of-memory.
+ */
+#ifdef FRONTEND
+
+#define STRDUP(s) strdup(s)
+#define ALLOC(size) malloc(size)
+
+#define appendStrVal		appendPQExpBuffer
+#define appendStrValChar	appendPQExpBufferChar
+#define createStrVal		createPQExpBuffer
+#define resetStrVal			resetPQExpBuffer
+
+#else /* !FRONTEND */
+
+#define STRDUP(s) pstrdup(s)
+#define ALLOC(size) palloc(size)
+
+#define appendStrVal		appendStringInfo
+#define appendStrValChar	appendStringInfoChar
+#define createStrVal		makeStringInfo
+#define resetStrVal			resetStringInfo
+
+#endif
+
 /*
  * The context of the parser is maintained by the recursive descent
  * mechanism, but is passed explicitly to the error reporting routine
@@ -132,10 +161,12 @@ IsValidJsonNumber(const char *str, int len)
 	return (!numeric_error) && (total_len == dummy_lex.input_length);
 }
 
+#ifndef FRONTEND
+
 /*
  * makeJsonLexContextCstringLen
  *
- * lex constructor, with or without StringInfo object for de-escaped lexemes.
+ * lex constructor, with or without a string object for de-escaped lexemes.
  *
  * Without is better as it makes the processing faster, so only make one
  * if really required.
@@ -145,13 +176,66 @@ makeJsonLexContextCstringLen(char *json, int len, int encoding, bool need_escape
 {
 	JsonLexContext *lex = palloc0(sizeof(JsonLexContext));
 
+	initJsonLexContextCstringLen(lex, json, len, encoding, need_escapes);
+
+	return lex;
+}
+
+void
+destroyJsonLexContext(JsonLexContext *lex)
+{
+	termJsonLexContext(lex);
+	pfree(lex);
+}
+
+#endif /* !FRONTEND */
+
+void
+initJsonLexContextCstringLen(JsonLexContext *lex, char *json, int len, int encoding, bool need_escapes)
+{
 	lex->input = lex->token_terminator = lex->line_start = json;
 	lex->line_number = 1;
 	lex->input_length = len;
 	lex->input_encoding = encoding;
-	if (need_escapes)
-		lex->strval = makeStringInfo();
-	return lex;
+	lex->parse_strval = need_escapes;
+	if (lex->parse_strval)
+	{
+		/*
+		 * This call can fail in FRONTEND code. We defer error handling to time
+		 * of use (json_lex_string()) since there's no way to signal failure
+		 * here, and we might not need to parse any strings anyway.
+		 */
+		lex->strval = createStrVal();
+	}
+	lex->errormsg = NULL;
+}
+
+void
+termJsonLexContext(JsonLexContext *lex)
+{
+	static const JsonLexContext empty = {0};
+
+	if (lex->strval)
+	{
+#ifdef FRONTEND
+		destroyPQExpBuffer(lex->strval);
+#else
+		pfree(lex->strval->data);
+		pfree(lex->strval);
+#endif
+	}
+
+	if (lex->errormsg)
+	{
+#ifdef FRONTEND
+		destroyPQExpBuffer(lex->errormsg);
+#else
+		pfree(lex->errormsg->data);
+		pfree(lex->errormsg);
+#endif
+	}
+
+	*lex = empty;
 }
 
 /*
@@ -217,7 +301,7 @@ json_count_array_elements(JsonLexContext *lex, int *elements)
 	 * etc, so doing this with a copy makes that safe.
 	 */
 	memcpy(&copylex, lex, sizeof(JsonLexContext));
-	copylex.strval = NULL;		/* not interested in values here */
+	copylex.parse_strval = false;		/* not interested in values here */
 	copylex.lex_level++;
 
 	count = 0;
@@ -279,14 +363,21 @@ parse_scalar(JsonLexContext *lex, JsonSemAction *sem)
 	/* extract the de-escaped string value, or the raw lexeme */
 	if (lex_peek(lex) == JSON_TOKEN_STRING)
 	{
-		if (lex->strval != NULL)
-			val = pstrdup(lex->strval->data);
+		if (lex->parse_strval)
+		{
+			val = STRDUP(lex->strval->data);
+			if (val == NULL)
+				return JSON_OUT_OF_MEMORY;
+		}
 	}
 	else
 	{
 		int			len = (lex->token_terminator - lex->token_start);
 
-		val = palloc(len + 1);
+		val = ALLOC(len + 1);
+		if (val == NULL)
+			return JSON_OUT_OF_MEMORY;
+
 		memcpy(val, lex->token_start, len);
 		val[len] = '\0';
 	}
@@ -320,8 +411,12 @@ parse_object_field(JsonLexContext *lex, JsonSemAction *sem)
 
 	if (lex_peek(lex) != JSON_TOKEN_STRING)
 		return report_parse_error(JSON_PARSE_STRING, lex);
-	if ((ostart != NULL || oend != NULL) && lex->strval != NULL)
-		fname = pstrdup(lex->strval->data);
+	if ((ostart != NULL || oend != NULL) && lex->parse_strval)
+	{
+		fname = STRDUP(lex->strval->data);
+		if (fname == NULL)
+			return JSON_OUT_OF_MEMORY;
+	}
 	result = json_lex(lex);
 	if (result != JSON_SUCCESS)
 		return result;
@@ -368,6 +463,10 @@ parse_object(JsonLexContext *lex, JsonSemAction *sem)
 	JsonParseErrorType result;
 
 #ifndef FRONTEND
+	/*
+	 * TODO: clients need some way to put a bound on stack growth. Parse level
+	 * limits maybe?
+	 */
 	check_stack_depth();
 #endif
 
@@ -676,8 +775,15 @@ json_lex_string(JsonLexContext *lex)
 	int			len;
 	int			hi_surrogate = -1;
 
-	if (lex->strval != NULL)
-		resetStringInfo(lex->strval);
+	if (lex->parse_strval)
+	{
+#ifdef FRONTEND
+		/* make sure initialization succeeded */
+		if (lex->strval == NULL)
+			return JSON_OUT_OF_MEMORY;
+#endif
+		resetStrVal(lex->strval);
+	}
 
 	Assert(lex->input_length > 0);
 	s = lex->token_start;
@@ -737,7 +843,7 @@ json_lex_string(JsonLexContext *lex)
 						return JSON_UNICODE_ESCAPE_FORMAT;
 					}
 				}
-				if (lex->strval != NULL)
+				if (lex->parse_strval)
 				{
 					/*
 					 * Combine surrogate pairs.
@@ -797,19 +903,19 @@ json_lex_string(JsonLexContext *lex)
 
 						unicode_to_utf8(ch, (unsigned char *) utf8str);
 						utf8len = pg_utf_mblen((unsigned char *) utf8str);
-						appendBinaryStringInfo(lex->strval, utf8str, utf8len);
+						appendBinaryPQExpBuffer(lex->strval, utf8str, utf8len);
 					}
 					else if (ch <= 0x007f)
 					{
 						/* The ASCII range is the same in all encodings */
-						appendStringInfoChar(lex->strval, (char) ch);
+						appendPQExpBufferChar(lex->strval, (char) ch);
 					}
 					else
 						return JSON_UNICODE_HIGH_ESCAPE;
 #endif							/* FRONTEND */
 				}
 			}
-			else if (lex->strval != NULL)
+			else if (lex->parse_strval)
 			{
 				if (hi_surrogate != -1)
 					return JSON_UNICODE_LOW_SURROGATE;
@@ -819,22 +925,22 @@ json_lex_string(JsonLexContext *lex)
 					case '"':
 					case '\\':
 					case '/':
-						appendStringInfoChar(lex->strval, *s);
+						appendStrValChar(lex->strval, *s);
 						break;
 					case 'b':
-						appendStringInfoChar(lex->strval, '\b');
+						appendStrValChar(lex->strval, '\b');
 						break;
 					case 'f':
-						appendStringInfoChar(lex->strval, '\f');
+						appendStrValChar(lex->strval, '\f');
 						break;
 					case 'n':
-						appendStringInfoChar(lex->strval, '\n');
+						appendStrValChar(lex->strval, '\n');
 						break;
 					case 'r':
-						appendStringInfoChar(lex->strval, '\r');
+						appendStrValChar(lex->strval, '\r');
 						break;
 					case 't':
-						appendStringInfoChar(lex->strval, '\t');
+						appendStrValChar(lex->strval, '\t');
 						break;
 					default:
 						/* Not a valid string escape, so signal error. */
@@ -858,12 +964,12 @@ json_lex_string(JsonLexContext *lex)
 			}
 
 		}
-		else if (lex->strval != NULL)
+		else if (lex->parse_strval)
 		{
 			if (hi_surrogate != -1)
 				return JSON_UNICODE_LOW_SURROGATE;
 
-			appendStringInfoChar(lex->strval, *s);
+			appendStrValChar(lex->strval, *s);
 		}
 
 	}
@@ -871,6 +977,11 @@ json_lex_string(JsonLexContext *lex)
 	if (hi_surrogate != -1)
 		return JSON_UNICODE_LOW_SURROGATE;
 
+#ifdef FRONTEND
+	if (lex->parse_strval && PQExpBufferBroken(lex->strval))
+		return JSON_OUT_OF_MEMORY;
+#endif
+
 	/* Hooray, we found the end of the string! */
 	lex->prev_token_terminator = lex->token_terminator;
 	lex->token_terminator = s + 1;
@@ -1043,72 +1154,93 @@ report_parse_error(JsonParseContext ctx, JsonLexContext *lex)
 	return JSON_SUCCESS;		/* silence stupider compilers */
 }
 
-
-#ifndef FRONTEND
-/*
- * Extract the current token from a lexing context, for error reporting.
- */
-static char *
-extract_token(JsonLexContext *lex)
-{
-	int			toklen = lex->token_terminator - lex->token_start;
-	char	   *token = palloc(toklen + 1);
-
-	memcpy(token, lex->token_start, toklen);
-	token[toklen] = '\0';
-	return token;
-}
-
 /*
  * Construct a detail message for a JSON error.
  *
- * Note that the error message generated by this routine may not be
- * palloc'd, making it unsafe for frontend code as there is no way to
- * know if this can be safery pfree'd or not.
+ * The returned allocation is either static or owned by the JsonLexContext and
+ * should not be freed.
  */
 char *
 json_errdetail(JsonParseErrorType error, JsonLexContext *lex)
 {
+	int		toklen = lex->token_terminator - lex->token_start;
+
+	if (error == JSON_OUT_OF_MEMORY)
+	{
+		/* Short circuit. Allocating anything for this case is unhelpful. */
+		return _("out of memory");
+	}
+
+	if (lex->errormsg)
+		resetStrVal(lex->errormsg);
+	else
+		lex->errormsg = createStrVal();
+
 	switch (error)
 	{
 		case JSON_SUCCESS:
 			/* fall through to the error code after switch */
 			break;
 		case JSON_ESCAPING_INVALID:
-			return psprintf(_("Escape sequence \"\\%s\" is invalid."),
-							extract_token(lex));
+			appendStrVal(lex->errormsg,
+						 _("Escape sequence \"\\%.*s\" is invalid."),
+						 toklen, lex->token_start);
+			break;
 		case JSON_ESCAPING_REQUIRED:
-			return psprintf(_("Character with value 0x%02x must be escaped."),
-							(unsigned char) *(lex->token_terminator));
+			appendStrVal(lex->errormsg,
+						 _("Character with value 0x%02x must be escaped."),
+						 (unsigned char) *(lex->token_terminator));
+			break;
 		case JSON_EXPECTED_END:
-			return psprintf(_("Expected end of input, but found \"%s\"."),
-							extract_token(lex));
+			appendStrVal(lex->errormsg,
+						 _("Expected end of input, but found \"%.*s\"."),
+						 toklen, lex->token_start);
+			break;
 		case JSON_EXPECTED_ARRAY_FIRST:
-			return psprintf(_("Expected array element or \"]\", but found \"%s\"."),
-							extract_token(lex));
+			appendStrVal(lex->errormsg,
+						 _("Expected array element or \"]\", but found \"%.*s\"."),
+						 toklen, lex->token_start);
+			break;
 		case JSON_EXPECTED_ARRAY_NEXT:
-			return psprintf(_("Expected \",\" or \"]\", but found \"%s\"."),
-							extract_token(lex));
+			appendStrVal(lex->errormsg,
+						 _("Expected \",\" or \"]\", but found \"%.*s\"."),
+						 toklen, lex->token_start);
+			break;
 		case JSON_EXPECTED_COLON:
-			return psprintf(_("Expected \":\", but found \"%s\"."),
-							extract_token(lex));
+			appendStrVal(lex->errormsg,
+						 _("Expected \":\", but found \"%.*s\"."),
+						 toklen, lex->token_start);
+			break;
 		case JSON_EXPECTED_JSON:
-			return psprintf(_("Expected JSON value, but found \"%s\"."),
-							extract_token(lex));
+			appendStrVal(lex->errormsg,
+						 _("Expected JSON value, but found \"%.*s\"."),
+						 toklen, lex->token_start);
+			break;
 		case JSON_EXPECTED_MORE:
 			return _("The input string ended unexpectedly.");
 		case JSON_EXPECTED_OBJECT_FIRST:
-			return psprintf(_("Expected string or \"}\", but found \"%s\"."),
-							extract_token(lex));
+			appendStrVal(lex->errormsg,
+						 _("Expected string or \"}\", but found \"%.*s\"."),
+						 toklen, lex->token_start);
+			break;
 		case JSON_EXPECTED_OBJECT_NEXT:
-			return psprintf(_("Expected \",\" or \"}\", but found \"%s\"."),
-							extract_token(lex));
+			appendStrVal(lex->errormsg,
+						 _("Expected \",\" or \"}\", but found \"%.*s\"."),
+						 toklen, lex->token_start);
+			break;
 		case JSON_EXPECTED_STRING:
-			return psprintf(_("Expected string, but found \"%s\"."),
-							extract_token(lex));
+			appendStrVal(lex->errormsg,
+						 _("Expected string, but found \"%.*s\"."),
+						 toklen, lex->token_start);
+			break;
 		case JSON_INVALID_TOKEN:
-			return psprintf(_("Token \"%s\" is invalid."),
-							extract_token(lex));
+			appendStrVal(lex->errormsg,
+						 _("Token \"%.*s\" is invalid."),
+						 toklen, lex->token_start);
+			break;
+		case JSON_OUT_OF_MEMORY:
+			/* should have been handled above; use the error path */
+			break;
 		case JSON_UNICODE_CODE_POINT_ZERO:
 			return _("\\u0000 cannot be converted to text.");
 		case JSON_UNICODE_ESCAPE_FORMAT:
@@ -1122,12 +1254,22 @@ json_errdetail(JsonParseErrorType error, JsonLexContext *lex)
 			return _("Unicode low surrogate must follow a high surrogate.");
 	}
 
-	/*
-	 * We don't use a default: case, so that the compiler will warn about
-	 * unhandled enum values.  But this needs to be here anyway to cover the
-	 * possibility of an incorrect input.
-	 */
-	elog(ERROR, "unexpected json parse error type: %d", (int) error);
-	return NULL;
-}
+	/* Note that lex->errormsg can be NULL in FRONTEND code. */
+	if (lex->errormsg && !lex->errormsg->data[0])
+	{
+		/*
+		 * We don't use a default: case, so that the compiler will warn about
+		 * unhandled enum values.  But this needs to be here anyway to cover the
+		 * possibility of an incorrect input.
+		 */
+		appendStrVal(lex->errormsg,
+					 "unexpected json parse error type: %d", (int) error);
+	}
+
+#ifdef FRONTEND
+	if (PQExpBufferBroken(lex->errormsg))
+		return _("out of memory while constructing error description");
 #endif
+
+	return lex->errormsg->data;
+}
diff --git a/src/include/common/jsonapi.h b/src/include/common/jsonapi.h
index 52cb4a9339..d7cafc84fe 100644
--- a/src/include/common/jsonapi.h
+++ b/src/include/common/jsonapi.h
@@ -14,8 +14,6 @@
 #ifndef JSONAPI_H
 #define JSONAPI_H
 
-#include "lib/stringinfo.h"
-
 typedef enum
 {
 	JSON_TOKEN_INVALID,
@@ -48,6 +46,7 @@ typedef enum
 	JSON_EXPECTED_OBJECT_NEXT,
 	JSON_EXPECTED_STRING,
 	JSON_INVALID_TOKEN,
+	JSON_OUT_OF_MEMORY,
 	JSON_UNICODE_CODE_POINT_ZERO,
 	JSON_UNICODE_ESCAPE_FORMAT,
 	JSON_UNICODE_HIGH_ESCAPE,
@@ -55,6 +54,17 @@ typedef enum
 	JSON_UNICODE_LOW_SURROGATE
 } JsonParseErrorType;
 
+/*
+ * Don't depend on the internal type header for strval; if callers need access
+ * then they can include the appropriate header themselves.
+ */
+#ifdef FRONTEND
+#define StrValType PQExpBufferData
+#else
+#define StrValType StringInfoData
+#endif
+
+typedef struct StrValType StrValType;
 
 /*
  * All the fields in this structure should be treated as read-only.
@@ -81,7 +91,9 @@ typedef struct JsonLexContext
 	int			lex_level;
 	int			line_number;	/* line number, starting from 1 */
 	char	   *line_start;		/* where that line starts within input */
-	StringInfo	strval;
+	bool		parse_strval;
+	StrValType *strval;			/* only used if parse_strval == true */
+	StrValType *errormsg;
 } JsonLexContext;
 
 typedef void (*json_struct_action) (void *state);
@@ -141,9 +153,10 @@ extern JsonSemAction nullSemAction;
  */
 extern JsonParseErrorType json_count_array_elements(JsonLexContext *lex,
 													int *elements);
+#ifndef FRONTEND
 
 /*
- * constructor for JsonLexContext, with or without strval element.
+ * allocating constructor for JsonLexContext, with or without strval element.
  * If supplied, the strval element will contain a de-escaped version of
  * the lexeme. However, doing this imposes a performance penalty, so
  * it should be avoided if the de-escaped lexeme is not required.
@@ -153,6 +166,32 @@ extern JsonLexContext *makeJsonLexContextCstringLen(char *json,
 													int encoding,
 													bool need_escapes);
 
+/*
+ * Counterpart to makeJsonLexContextCstringLen(): clears and deallocates lex.
+ * The context pointer should not be used after this call.
+ */
+extern void destroyJsonLexContext(JsonLexContext *lex);
+
+#endif /* !FRONTEND */
+
+/*
+ * stack constructor for JsonLexContext, with or without strval element.
+ * If supplied, the strval element will contain a de-escaped version of
+ * the lexeme. However, doing this imposes a performance penalty, so
+ * it should be avoided if the de-escaped lexeme is not required.
+ */
+extern void initJsonLexContextCstringLen(JsonLexContext *lex,
+										 char *json,
+										 int len,
+										 int encoding,
+										 bool need_escapes);
+
+/*
+ * Counterpart to initJsonLexContextCstringLen(): clears the contents of lex,
+ * but does not deallocate lex itself.
+ */
+extern void termJsonLexContext(JsonLexContext *lex);
+
 /* lex one token */
 extern JsonParseErrorType json_lex(JsonLexContext *lex);
 
-- 
2.25.1

From f4752b6daea9b519ff3482094a1f445a4731cc15 Mon Sep 17 00:00:00 2001
From: Jacob Champion <pchampion@vmware.com>
Date: Tue, 13 Apr 2021 10:27:27 -0700
Subject: [PATCH v4 06/10] libpq: add OAUTHBEARER SASL mechanism

DO NOT USE THIS PROOF OF CONCEPT IN PRODUCTION.

Implement OAUTHBEARER (RFC 7628) and OAuth 2.0 Device Authorization
Grants (RFC 8628) on the client side. When speaking to a OAuth-enabled
server, it looks a bit like this:

    $ psql 'host=example.org oauth_client_id=f02c6361-0635-...'
    Visit https://oauth.example.org/login and enter the code: FPQ2-M4BG

The OAuth issuer must support device authorization. No other OAuth flows
are currently implemented.

The client implementation requires libiddawc and its development
headers. Configure --with-oauth (and --with-includes/--with-libraries to
point at the iddawc installation, if it's in a custom location).

Several TODOs:
- don't retry forever if the server won't accept our token
- perform several sanity checks on the OAuth issuer's responses
- handle cases where the client has been set up with an issuer and
  scope, but the Postgres server wants to use something different
- improve error debuggability during the OAuth handshake
- ...and more.
---
 configure                            | 100 ++++
 configure.ac                         |  19 +
 src/Makefile.global.in               |   1 +
 src/include/common/oauth-common.h    |  19 +
 src/include/pg_config.h.in           |   6 +
 src/interfaces/libpq/Makefile        |   7 +-
 src/interfaces/libpq/fe-auth-oauth.c | 744 +++++++++++++++++++++++++++
 src/interfaces/libpq/fe-auth-sasl.h  |   5 +-
 src/interfaces/libpq/fe-auth-scram.c |   6 +-
 src/interfaces/libpq/fe-auth.c       |  42 +-
 src/interfaces/libpq/fe-auth.h       |   3 +
 src/interfaces/libpq/fe-connect.c    |  38 ++
 src/interfaces/libpq/libpq-int.h     |   8 +
 13 files changed, 979 insertions(+), 19 deletions(-)
 create mode 100644 src/include/common/oauth-common.h
 create mode 100644 src/interfaces/libpq/fe-auth-oauth.c

diff --git a/configure b/configure
index e066cbe2c8..42a3304681 100755
--- a/configure
+++ b/configure
@@ -718,6 +718,7 @@ with_uuid
 with_readline
 with_systemd
 with_selinux
+with_oauth
 with_ldap
 with_krb_srvnam
 krb_srvtab
@@ -861,6 +862,7 @@ with_krb_srvnam
 with_pam
 with_bsd_auth
 with_ldap
+with_oauth
 with_bonjour
 with_selinux
 with_systemd
@@ -1570,6 +1572,7 @@ Optional Packages:
   --with-pam              build with PAM support
   --with-bsd-auth         build with BSD Authentication support
   --with-ldap             build with LDAP support
+  --with-oauth            build with OAuth 2.0 support
   --with-bonjour          build with Bonjour support
   --with-selinux          build with SELinux support
   --with-systemd          build with systemd support
@@ -8377,6 +8380,42 @@ $as_echo "$with_ldap" >&6; }
 
 
 
+#
+# OAuth 2.0
+#
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with OAuth support" >&5
+$as_echo_n "checking whether to build with OAuth support... " >&6; }
+
+
+
+# Check whether --with-oauth was given.
+if test "${with_oauth+set}" = set; then :
+  withval=$with_oauth;
+  case $withval in
+    yes)
+
+$as_echo "#define USE_OAUTH 1" >>confdefs.h
+
+      ;;
+    no)
+      :
+      ;;
+    *)
+      as_fn_error $? "no argument expected for --with-oauth option" "$LINENO" 5
+      ;;
+  esac
+
+else
+  with_oauth=no
+
+fi
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_oauth" >&5
+$as_echo "$with_oauth" >&6; }
+
+
+
 #
 # Bonjour
 #
@@ -13503,6 +13542,56 @@ fi
 
 
 
+if test "$with_oauth" = yes ; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for i_init_session in -liddawc" >&5
+$as_echo_n "checking for i_init_session in -liddawc... " >&6; }
+if ${ac_cv_lib_iddawc_i_init_session+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-liddawc  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char i_init_session ();
+int
+main ()
+{
+return i_init_session ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_iddawc_i_init_session=yes
+else
+  ac_cv_lib_iddawc_i_init_session=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_iddawc_i_init_session" >&5
+$as_echo "$ac_cv_lib_iddawc_i_init_session" >&6; }
+if test "x$ac_cv_lib_iddawc_i_init_session" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBIDDAWC 1
+_ACEOF
+
+  LIBS="-liddawc $LIBS"
+
+else
+  as_fn_error $? "library 'iddawc' is required for OAuth support" "$LINENO" 5
+fi
+
+fi
+
 # for contrib/sepgsql
 if test "$with_selinux" = yes; then
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for security_compute_create_name in -lselinux" >&5
@@ -14516,6 +14605,17 @@ fi
 
 done
 
+fi
+
+if test "$with_oauth" != no; then
+  ac_fn_c_check_header_mongrel "$LINENO" "iddawc.h" "ac_cv_header_iddawc_h" "$ac_includes_default"
+if test "x$ac_cv_header_iddawc_h" = xyes; then :
+
+else
+  as_fn_error $? "header file <iddawc.h> is required for OAuth" "$LINENO" 5
+fi
+
+
 fi
 
 if test "$PORTNAME" = "win32" ; then
diff --git a/configure.ac b/configure.ac
index 078381e568..4050f91dbd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -887,6 +887,17 @@ AC_MSG_RESULT([$with_ldap])
 AC_SUBST(with_ldap)
 
 
+#
+# OAuth 2.0
+#
+AC_MSG_CHECKING([whether to build with OAuth support])
+PGAC_ARG_BOOL(with, oauth, no,
+              [build with OAuth 2.0 support],
+              [AC_DEFINE([USE_OAUTH], 1, [Define to 1 to build with OAuth 2.0 support. (--with-oauth)])])
+AC_MSG_RESULT([$with_oauth])
+AC_SUBST(with_oauth)
+
+
 #
 # Bonjour
 #
@@ -1388,6 +1399,10 @@ fi
 AC_SUBST(LDAP_LIBS_FE)
 AC_SUBST(LDAP_LIBS_BE)
 
+if test "$with_oauth" = yes ; then
+  AC_CHECK_LIB(iddawc, i_init_session, [], [AC_MSG_ERROR([library 'iddawc' is required for OAuth support])])
+fi
+
 # for contrib/sepgsql
 if test "$with_selinux" = yes; then
   AC_CHECK_LIB(selinux, security_compute_create_name, [],
@@ -1606,6 +1621,10 @@ elif test "$with_uuid" = ossp ; then
       [AC_MSG_ERROR([header file <ossp/uuid.h> or <uuid.h> is required for OSSP UUID])])])
 fi
 
+if test "$with_oauth" != no; then
+  AC_CHECK_HEADER(iddawc.h, [], [AC_MSG_ERROR([header file <iddawc.h> is required for OAuth])])
+fi
+
 if test "$PORTNAME" = "win32" ; then
    AC_CHECK_HEADERS(crtdefs.h)
 fi
diff --git a/src/Makefile.global.in b/src/Makefile.global.in
index bbdc1c4bda..c9c61a9c99 100644
--- a/src/Makefile.global.in
+++ b/src/Makefile.global.in
@@ -193,6 +193,7 @@ with_ldap	= @with_ldap@
 with_libxml	= @with_libxml@
 with_libxslt	= @with_libxslt@
 with_llvm	= @with_llvm@
+with_oauth	= @with_oauth@
 with_system_tzdata = @with_system_tzdata@
 with_uuid	= @with_uuid@
 with_zlib	= @with_zlib@
diff --git a/src/include/common/oauth-common.h b/src/include/common/oauth-common.h
new file mode 100644
index 0000000000..3fa95ac7e8
--- /dev/null
+++ b/src/include/common/oauth-common.h
@@ -0,0 +1,19 @@
+/*-------------------------------------------------------------------------
+ *
+ * oauth-common.h
+ *		Declarations for helper functions used for OAuth/OIDC authentication
+ *
+ * Portions Copyright (c) 1996-2021, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ * src/include/common/oauth-common.h
+ *
+ *-------------------------------------------------------------------------
+ */
+#ifndef OAUTH_COMMON_H
+#define OAUTH_COMMON_H
+
+/* Name of SASL mechanism per IANA */
+#define OAUTHBEARER_NAME "OAUTHBEARER"
+
+#endif /* OAUTH_COMMON_H */
diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in
index 635fbb2181..1b3332601e 100644
--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
@@ -319,6 +319,9 @@
 /* Define to 1 if you have the `crypto' library (-lcrypto). */
 #undef HAVE_LIBCRYPTO
 
+/* Define to 1 if you have the `iddawc' library (-liddawc). */
+#undef HAVE_LIBIDDAWC
+
 /* Define to 1 if you have the `ldap' library (-lldap). */
 #undef HAVE_LIBLDAP
 
@@ -922,6 +925,9 @@
 /* Define to select named POSIX semaphores. */
 #undef USE_NAMED_POSIX_SEMAPHORES
 
+/* Define to 1 to build with OAuth 2.0 support. (--with-oauth) */
+#undef USE_OAUTH
+
 /* Define to 1 to build with OpenSSL support. (--with-ssl=openssl) */
 #undef USE_OPENSSL
 
diff --git a/src/interfaces/libpq/Makefile b/src/interfaces/libpq/Makefile
index 3c53393fa4..727305c578 100644
--- a/src/interfaces/libpq/Makefile
+++ b/src/interfaces/libpq/Makefile
@@ -62,6 +62,11 @@ OBJS += \
 	fe-secure-gssapi.o
 endif
 
+ifeq ($(with_oauth),yes)
+OBJS += \
+	fe-auth-oauth.o
+endif
+
 ifeq ($(PORTNAME), cygwin)
 override shlib = cyg$(NAME)$(DLSUFFIX)
 endif
@@ -83,7 +88,7 @@ endif
 # that are built correctly for use in a shlib.
 SHLIB_LINK_INTERNAL = -lpgcommon_shlib -lpgport_shlib
 ifneq ($(PORTNAME), win32)
-SHLIB_LINK += $(filter -lcrypt -ldes -lcom_err -lcrypto -lk5crypto -lkrb5 -lgssapi_krb5 -lgss -lgssapi -lssl -lsocket -lnsl -lresolv -lintl -lm, $(LIBS)) $(LDAP_LIBS_FE) $(PTHREAD_LIBS)
+SHLIB_LINK += $(filter -lcrypt -ldes -lcom_err -lcrypto -lk5crypto -lkrb5 -lgssapi_krb5 -lgss -lgssapi -lssl -liddawc -lsocket -lnsl -lresolv -lintl -lm, $(LIBS)) $(LDAP_LIBS_FE) $(PTHREAD_LIBS)
 else
 SHLIB_LINK += $(filter -lcrypt -ldes -lcom_err -lcrypto -lk5crypto -lkrb5 -lgssapi32 -lssl -lsocket -lnsl -lresolv -lintl -lm $(PTHREAD_LIBS), $(LIBS)) $(LDAP_LIBS_FE)
 endif
diff --git a/src/interfaces/libpq/fe-auth-oauth.c b/src/interfaces/libpq/fe-auth-oauth.c
new file mode 100644
index 0000000000..383c9d4bdb
--- /dev/null
+++ b/src/interfaces/libpq/fe-auth-oauth.c
@@ -0,0 +1,744 @@
+/*-------------------------------------------------------------------------
+ *
+ * fe-auth-oauth.c
+ *	   The front-end (client) implementation of OAuth/OIDC authentication.
+ *
+ * Portions Copyright (c) 1996-2021, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ * IDENTIFICATION
+ *	  src/interfaces/libpq/fe-auth-oauth.c
+ *
+ *-------------------------------------------------------------------------
+ */
+
+#include <iddawc.h>
+
+#include "postgres_fe.h"
+
+#include "common/base64.h"
+#include "common/hmac.h"
+#include "common/jsonapi.h"
+#include "common/oauth-common.h"
+#include "fe-auth.h"
+#include "mb/pg_wchar.h"
+
+/* The exported OAuth callback mechanism. */
+static void *oauth_init(PGconn *conn, const char *password,
+						const char *sasl_mechanism);
+static void oauth_exchange(void *opaq, bool final,
+						   char *input, int inputlen,
+						   char **output, int *outputlen,
+						   bool *done, bool *success);
+static bool oauth_channel_bound(void *opaq);
+static void oauth_free(void *opaq);
+
+const pg_fe_sasl_mech pg_oauth_mech = {
+	oauth_init,
+	oauth_exchange,
+	oauth_channel_bound,
+	oauth_free,
+};
+
+typedef enum
+{
+	FE_OAUTH_INIT,
+	FE_OAUTH_BEARER_SENT,
+	FE_OAUTH_SERVER_ERROR,
+} fe_oauth_state_enum;
+
+typedef struct
+{
+	fe_oauth_state_enum state;
+
+	PGconn	   *conn;
+} fe_oauth_state;
+
+static void *
+oauth_init(PGconn *conn, const char *password,
+		   const char *sasl_mechanism)
+{
+	fe_oauth_state *state;
+
+	/*
+	 * We only support one SASL mechanism here; anything else is programmer
+	 * error.
+	 */
+	Assert(sasl_mechanism != NULL);
+	Assert(!strcmp(sasl_mechanism, OAUTHBEARER_NAME));
+
+	state = malloc(sizeof(*state));
+	if (!state)
+		return NULL;
+
+	state->state = FE_OAUTH_INIT;
+	state->conn = conn;
+
+	return state;
+}
+
+static const char *
+iddawc_error_string(int errcode)
+{
+	switch (errcode)
+	{
+		case I_OK:
+			return "I_OK";
+
+		case I_ERROR:
+			return "I_ERROR";
+
+		case I_ERROR_PARAM:
+			return "I_ERROR_PARAM";
+
+		case I_ERROR_MEMORY:
+			return "I_ERROR_MEMORY";
+
+		case I_ERROR_UNAUTHORIZED:
+			return "I_ERROR_UNAUTHORIZED";
+
+		case I_ERROR_SERVER:
+			return "I_ERROR_SERVER";
+	}
+
+	return "<unknown>";
+}
+
+static void
+iddawc_error(PGconn *conn, int errcode, const char *msg)
+{
+	appendPQExpBufferStr(&conn->errorMessage, libpq_gettext(msg));
+	appendPQExpBuffer(&conn->errorMessage,
+					  libpq_gettext(" (iddawc error %s)\n"),
+					  iddawc_error_string(errcode));
+}
+
+static void
+iddawc_request_error(PGconn *conn, struct _i_session *i, int err, const char *msg)
+{
+	const char *error_code;
+	const char *desc;
+
+	appendPQExpBuffer(&conn->errorMessage, "%s: ", libpq_gettext(msg));
+
+	error_code = i_get_str_parameter(i, I_OPT_ERROR);
+	if (!error_code)
+	{
+		/*
+		 * The server didn't give us any useful information, so just print the
+		 * error code.
+		 */
+		appendPQExpBuffer(&conn->errorMessage,
+						  libpq_gettext("(iddawc error %s)\n"),
+						  iddawc_error_string(err));
+		return;
+	}
+
+	/* If the server gave a string description, print that too. */
+	desc = i_get_str_parameter(i, I_OPT_ERROR_DESCRIPTION);
+	if (desc)
+		appendPQExpBuffer(&conn->errorMessage, "%s ", desc);
+
+	appendPQExpBuffer(&conn->errorMessage, "(%s)\n", error_code);
+}
+
+static char *
+get_auth_token(PGconn *conn)
+{
+	PQExpBuffer	token_buf = NULL;
+	struct _i_session session;
+	int			err;
+	int			auth_method;
+	bool		user_prompted = false;
+	const char *verification_uri;
+	const char *user_code;
+	const char *access_token;
+	const char *token_type;
+	char	   *token = NULL;
+
+	if (!conn->oauth_discovery_uri)
+		return strdup(""); /* ask the server for one */
+
+	if (!conn->oauth_client_id)
+	{
+		/* We can't talk to a server without a client identifier. */
+		appendPQExpBufferStr(&conn->errorMessage,
+							 libpq_gettext("no oauth_client_id is set for the connection"));
+		return NULL;
+	}
+
+	i_init_session(&session);
+
+	token_buf = createPQExpBuffer();
+	if (!token_buf)
+		goto cleanup;
+
+	err = i_set_str_parameter(&session, I_OPT_OPENID_CONFIG_ENDPOINT, conn->oauth_discovery_uri);
+	if (err)
+	{
+		iddawc_error(conn, err, "failed to set OpenID config endpoint");
+		goto cleanup;
+	}
+
+	err = i_get_openid_config(&session);
+	if (err)
+	{
+		iddawc_error(conn, err, "failed to fetch OpenID discovery document");
+		goto cleanup;
+	}
+
+	if (!i_get_str_parameter(&session, I_OPT_TOKEN_ENDPOINT))
+	{
+		appendPQExpBufferStr(&conn->errorMessage,
+							 libpq_gettext("issuer has no token endpoint"));
+		goto cleanup;
+	}
+
+	if (!i_get_str_parameter(&session, I_OPT_DEVICE_AUTHORIZATION_ENDPOINT))
+	{
+		appendPQExpBufferStr(&conn->errorMessage,
+							 libpq_gettext("issuer does not support device authorization"));
+		goto cleanup;
+	}
+
+	err = i_set_response_type(&session, I_RESPONSE_TYPE_DEVICE_CODE);
+	if (err)
+	{
+		iddawc_error(conn, err, "failed to set device code response type");
+		goto cleanup;
+	}
+
+	auth_method = I_TOKEN_AUTH_METHOD_NONE;
+	if (conn->oauth_client_secret && *conn->oauth_client_secret)
+		auth_method = I_TOKEN_AUTH_METHOD_SECRET_BASIC;
+
+	err = i_set_parameter_list(&session,
+		I_OPT_CLIENT_ID, conn->oauth_client_id,
+		I_OPT_CLIENT_SECRET, conn->oauth_client_secret,
+		I_OPT_TOKEN_METHOD, auth_method,
+		I_OPT_SCOPE, conn->oauth_scope,
+		I_OPT_NONE
+	);
+	if (err)
+	{
+		iddawc_error(conn, err, "failed to set client identifier");
+		goto cleanup;
+	}
+
+	err = i_run_device_auth_request(&session);
+	if (err)
+	{
+		iddawc_request_error(conn, &session, err,
+							"failed to obtain device authorization");
+		goto cleanup;
+	}
+
+	verification_uri = i_get_str_parameter(&session, I_OPT_DEVICE_AUTH_VERIFICATION_URI);
+	if (!verification_uri)
+	{
+		appendPQExpBufferStr(&conn->errorMessage,
+							 libpq_gettext("issuer did not provide a verification URI"));
+		goto cleanup;
+	}
+
+	user_code = i_get_str_parameter(&session, I_OPT_DEVICE_AUTH_USER_CODE);
+	if (!user_code)
+	{
+		appendPQExpBufferStr(&conn->errorMessage,
+							 libpq_gettext("issuer did not provide a user code"));
+		goto cleanup;
+	}
+
+	/*
+	 * Poll the token endpoint until either the user logs in and authorizes the
+	 * use of a token, or a hard failure occurs. We perform one ping _before_
+	 * prompting the user, so that we don't make them do the work of logging in
+	 * only to find that the token endpoint is completely unreachable.
+	 */
+	err = i_run_token_request(&session);
+	while (err)
+	{
+		const char *error_code;
+		uint		interval;
+
+		error_code = i_get_str_parameter(&session, I_OPT_ERROR);
+
+		/*
+		 * authorization_pending and slow_down are the only acceptable errors;
+		 * anything else and we bail.
+		 */
+		if (!error_code || (strcmp(error_code, "authorization_pending")
+							&& strcmp(error_code, "slow_down")))
+		{
+			iddawc_request_error(conn, &session, err,
+								"OAuth token retrieval failed");
+			goto cleanup;
+		}
+
+		if (!user_prompted)
+		{
+			/*
+			 * Now that we know the token endpoint isn't broken, give the user
+			 * the login instructions.
+			 */
+			pqInternalNotice(&conn->noticeHooks,
+							 "Visit %s and enter the code: %s",
+							 verification_uri, user_code);
+
+			user_prompted = true;
+		}
+
+		/*
+		 * We are required to wait between polls; the server tells us how long.
+		 * TODO: if interval's not set, we need to default to five seconds
+		 * TODO: sanity check the interval
+		 */
+		interval = i_get_int_parameter(&session, I_OPT_DEVICE_AUTH_INTERVAL);
+
+		/*
+		 * A slow_down error requires us to permanently increase our retry
+		 * interval by five seconds. RFC 8628, Sec. 3.5.
+		 */
+		if (!strcmp(error_code, "slow_down"))
+		{
+			interval += 5;
+			i_set_int_parameter(&session, I_OPT_DEVICE_AUTH_INTERVAL, interval);
+		}
+
+		sleep(interval);
+
+		/*
+		 * XXX Reset the error code before every call, because iddawc won't do
+		 * that for us. This matters if the server first sends a "pending" error
+		 * code, then later hard-fails without sending an error code to
+		 * overwrite the first one.
+		 *
+		 * That we have to do this at all seems like a bug in iddawc.
+		 */
+		i_set_str_parameter(&session, I_OPT_ERROR, NULL);
+
+		err = i_run_token_request(&session);
+	}
+
+	access_token = i_get_str_parameter(&session, I_OPT_ACCESS_TOKEN);
+	token_type = i_get_str_parameter(&session, I_OPT_TOKEN_TYPE);
+
+	if (!access_token || !token_type || strcasecmp(token_type, "Bearer"))
+	{
+		appendPQExpBufferStr(&conn->errorMessage,
+							 libpq_gettext("issuer did not provide a bearer token"));
+		goto cleanup;
+	}
+
+	appendPQExpBufferStr(token_buf, "Bearer ");
+	appendPQExpBufferStr(token_buf, access_token);
+
+	if (PQExpBufferBroken(token_buf))
+		goto cleanup;
+
+	token = strdup(token_buf->data);
+
+cleanup:
+	if (token_buf)
+		destroyPQExpBuffer(token_buf);
+	i_clean_session(&session);
+
+	return token;
+}
+
+#define kvsep "\x01"
+
+static char *
+client_initial_response(PGconn *conn)
+{
+	static const char * const resp_format = "n,," kvsep "auth=%s" kvsep kvsep;
+
+	PQExpBuffer	token_buf;
+	PQExpBuffer	discovery_buf = NULL;
+	char	   *token = NULL;
+	char	   *response = NULL;
+
+	token_buf = createPQExpBuffer();
+	if (!token_buf)
+		goto cleanup;
+
+	/*
+	 * If we don't yet have a discovery URI, but the user gave us an explicit
+	 * issuer, use the .well-known discovery URI for that issuer.
+	 */
+	if (!conn->oauth_discovery_uri && conn->oauth_issuer)
+	{
+		discovery_buf = createPQExpBuffer();
+		if (!discovery_buf)
+			goto cleanup;
+
+		appendPQExpBufferStr(discovery_buf, conn->oauth_issuer);
+		appendPQExpBufferStr(discovery_buf, "/.well-known/openid-configuration");
+
+		if (PQExpBufferBroken(discovery_buf))
+			goto cleanup;
+
+		conn->oauth_discovery_uri = strdup(discovery_buf->data);
+	}
+
+	token = get_auth_token(conn);
+	if (!token)
+		goto cleanup;
+
+	appendPQExpBuffer(token_buf, resp_format, token);
+	if (PQExpBufferBroken(token_buf))
+		goto cleanup;
+
+	response = strdup(token_buf->data);
+
+cleanup:
+	if (token)
+		free(token);
+	if (discovery_buf)
+		destroyPQExpBuffer(discovery_buf);
+	if (token_buf)
+		destroyPQExpBuffer(token_buf);
+
+	return response;
+}
+
+#define ERROR_STATUS_FIELD "status"
+#define ERROR_SCOPE_FIELD "scope"
+#define ERROR_OPENID_CONFIGURATION_FIELD "openid-configuration"
+
+struct json_ctx
+{
+	char		   *errmsg; /* any non-NULL value stops all processing */
+	PQExpBufferData errbuf; /* backing memory for errmsg */
+	int				nested; /* nesting level (zero is the top) */
+
+	const char	   *target_field_name; /* points to a static allocation */
+	char		  **target_field;      /* see below */
+
+	/* target_field, if set, points to one of the following: */
+	char		   *status;
+	char		   *scope;
+	char		   *discovery_uri;
+};
+
+#define oauth_json_has_error(ctx) \
+	(PQExpBufferDataBroken((ctx)->errbuf) || (ctx)->errmsg)
+
+#define oauth_json_set_error(ctx, ...) \
+	do { \
+		appendPQExpBuffer(&(ctx)->errbuf, __VA_ARGS__); \
+		(ctx)->errmsg = (ctx)->errbuf.data; \
+	} while (0)
+
+static void
+oauth_json_object_start(void *state)
+{
+	struct json_ctx	   *ctx = state;
+
+	if (oauth_json_has_error(ctx))
+		return; /* short-circuit */
+
+	if (ctx->target_field)
+	{
+		Assert(ctx->nested == 1);
+
+		oauth_json_set_error(ctx,
+							 libpq_gettext("field \"%s\" must be a string"),
+							 ctx->target_field_name);
+	}
+
+	++ctx->nested;
+}
+
+static void
+oauth_json_object_end(void *state)
+{
+	struct json_ctx	   *ctx = state;
+
+	if (oauth_json_has_error(ctx))
+		return; /* short-circuit */
+
+	--ctx->nested;
+}
+
+static void
+oauth_json_object_field_start(void *state, char *name, bool isnull)
+{
+	struct json_ctx	   *ctx = state;
+
+	if (oauth_json_has_error(ctx))
+	{
+		/* short-circuit */
+		free(name);
+		return;
+	}
+
+	if (ctx->nested == 1)
+	{
+		if (!strcmp(name, ERROR_STATUS_FIELD))
+		{
+			ctx->target_field_name = ERROR_STATUS_FIELD;
+			ctx->target_field = &ctx->status;
+		}
+		else if (!strcmp(name, ERROR_SCOPE_FIELD))
+		{
+			ctx->target_field_name = ERROR_SCOPE_FIELD;
+			ctx->target_field = &ctx->scope;
+		}
+		else if (!strcmp(name, ERROR_OPENID_CONFIGURATION_FIELD))
+		{
+			ctx->target_field_name = ERROR_OPENID_CONFIGURATION_FIELD;
+			ctx->target_field = &ctx->discovery_uri;
+		}
+	}
+
+	free(name);
+}
+
+static void
+oauth_json_array_start(void *state)
+{
+	struct json_ctx	   *ctx = state;
+
+	if (oauth_json_has_error(ctx))
+		return; /* short-circuit */
+
+	if (!ctx->nested)
+	{
+		ctx->errmsg = libpq_gettext("top-level element must be an object");
+	}
+	else if (ctx->target_field)
+	{
+		Assert(ctx->nested == 1);
+
+		oauth_json_set_error(ctx,
+							 libpq_gettext("field \"%s\" must be a string"),
+							 ctx->target_field_name);
+	}
+}
+
+static void
+oauth_json_scalar(void *state, char *token, JsonTokenType type)
+{
+	struct json_ctx	   *ctx = state;
+
+	if (oauth_json_has_error(ctx))
+	{
+		/* short-circuit */
+		free(token);
+		return;
+	}
+
+	if (!ctx->nested)
+	{
+		ctx->errmsg = libpq_gettext("top-level element must be an object");
+	}
+	else if (ctx->target_field)
+	{
+		Assert(ctx->nested == 1);
+
+		if (type == JSON_TOKEN_STRING)
+		{
+			*ctx->target_field = token;
+
+			ctx->target_field = NULL;
+			ctx->target_field_name = NULL;
+
+			return; /* don't free the token we're using */
+		}
+
+		oauth_json_set_error(ctx,
+							 libpq_gettext("field \"%s\" must be a string"),
+							 ctx->target_field_name);
+	}
+
+	free(token);
+}
+
+static bool
+handle_oauth_sasl_error(PGconn *conn, char *msg, int msglen)
+{
+	JsonLexContext		lex = {0};
+	JsonSemAction		sem = {0};
+	JsonParseErrorType	err;
+	struct json_ctx		ctx = {0};
+	char			   *errmsg = NULL;
+
+	/* Sanity check. */
+	if (strlen(msg) != msglen)
+	{
+		appendPQExpBufferStr(&conn->errorMessage,
+							 libpq_gettext("server's error message contained an embedded NULL"));
+		return false;
+	}
+
+	initJsonLexContextCstringLen(&lex, msg, msglen, PG_UTF8, true);
+
+	initPQExpBuffer(&ctx.errbuf);
+	sem.semstate = &ctx;
+
+	sem.object_start = oauth_json_object_start;
+	sem.object_end = oauth_json_object_end;
+	sem.object_field_start = oauth_json_object_field_start;
+	sem.array_start = oauth_json_array_start;
+	sem.scalar = oauth_json_scalar;
+
+	err = pg_parse_json(&lex, &sem);
+
+	if (err != JSON_SUCCESS)
+	{
+		errmsg = json_errdetail(err, &lex);
+	}
+	else if (PQExpBufferDataBroken(ctx.errbuf))
+	{
+		errmsg = libpq_gettext("out of memory");
+	}
+	else if (ctx.errmsg)
+	{
+		errmsg = ctx.errmsg;
+	}
+
+	if (errmsg)
+		appendPQExpBuffer(&conn->errorMessage,
+						  libpq_gettext("failed to parse server's error response: %s"),
+						  errmsg);
+
+	/* Don't need the error buffer or the JSON lexer anymore. */
+	termPQExpBuffer(&ctx.errbuf);
+	termJsonLexContext(&lex);
+
+	if (errmsg)
+		return false;
+
+	/* TODO: what if these override what the user already specified? */
+	if (ctx.discovery_uri)
+	{
+		if (conn->oauth_discovery_uri)
+			free(conn->oauth_discovery_uri);
+
+		conn->oauth_discovery_uri = ctx.discovery_uri;
+	}
+
+	if (ctx.scope)
+	{
+		if (conn->oauth_scope)
+			free(conn->oauth_scope);
+
+		conn->oauth_scope = ctx.scope;
+	}
+	/* TODO: missing error scope should clear any existing connection scope */
+
+	if (!ctx.status)
+	{
+		appendPQExpBuffer(&conn->errorMessage,
+						  libpq_gettext("server sent error response without a status"));
+		return false;
+	}
+
+	if (!strcmp(ctx.status, "invalid_token"))
+	{
+		/*
+		 * invalid_token is the only error code we'll automatically retry for,
+		 * but only if we have enough information to do so.
+		 */
+		if (conn->oauth_discovery_uri)
+			conn->oauth_want_retry = true;
+	}
+	/* TODO: include status in hard failure message */
+
+	return true;
+}
+
+static void
+oauth_exchange(void *opaq, bool final,
+			   char *input, int inputlen,
+			   char **output, int *outputlen,
+			   bool *done, bool *success)
+{
+	fe_oauth_state *state = opaq;
+	PGconn	   *conn = state->conn;
+
+	*done = false;
+	*success = false;
+	*output = NULL;
+	*outputlen = 0;
+
+	switch (state->state)
+	{
+		case FE_OAUTH_INIT:
+			Assert(inputlen == -1);
+
+			*output = client_initial_response(conn);
+			if (!*output)
+				goto error;
+
+			*outputlen = strlen(*output);
+			state->state = FE_OAUTH_BEARER_SENT;
+
+			break;
+
+		case FE_OAUTH_BEARER_SENT:
+			if (final)
+			{
+				/* TODO: ensure there is no message content here. */
+				*done = true;
+				*success = true;
+
+				break;
+			}
+
+			/*
+			 * Error message sent by the server.
+			 */
+			if (!handle_oauth_sasl_error(conn, input, inputlen))
+				goto error;
+
+			/*
+			 * Respond with the required dummy message (RFC 7628, sec. 3.2.3).
+			 */
+			*output = strdup(kvsep);
+			*outputlen = strlen(*output); /* == 1 */
+
+			state->state = FE_OAUTH_SERVER_ERROR;
+			break;
+
+		case FE_OAUTH_SERVER_ERROR:
+			/*
+			 * After an error, the server should send an error response to fail
+			 * the SASL handshake, which is handled in higher layers.
+			 *
+			 * If we get here, the server either sent *another* challenge which
+			 * isn't defined in the RFC, or completed the handshake successfully
+			 * after telling us it was going to fail. Neither is acceptable.
+			 */
+			appendPQExpBufferStr(&conn->errorMessage,
+								 libpq_gettext("server sent additional OAuth data after error\n"));
+			goto error;
+
+		default:
+			appendPQExpBufferStr(&conn->errorMessage,
+								 libpq_gettext("invalid OAuth exchange state\n"));
+			goto error;
+	}
+
+	return;
+
+error:
+	*done = true;
+	*success = false;
+}
+
+static bool
+oauth_channel_bound(void *opaq)
+{
+	/* This mechanism does not support channel binding. */
+	return false;
+}
+
+static void
+oauth_free(void *opaq)
+{
+	fe_oauth_state *state = opaq;
+
+	free(state);
+}
diff --git a/src/interfaces/libpq/fe-auth-sasl.h b/src/interfaces/libpq/fe-auth-sasl.h
index da3c30b87b..b1bb382f70 100644
--- a/src/interfaces/libpq/fe-auth-sasl.h
+++ b/src/interfaces/libpq/fe-auth-sasl.h
@@ -65,6 +65,8 @@ typedef struct pg_fe_sasl_mech
 	 *
 	 *	state:	   The opaque mechanism state returned by init()
 	 *
+	 *	final:	   true if the server has sent a final exchange outcome
+	 *
 	 *	input:	   The challenge data sent by the server, or NULL when
 	 *			   generating a client-first initial response (that is, when
 	 *			   the server expects the client to send a message to start
@@ -92,7 +94,8 @@ typedef struct pg_fe_sasl_mech
 	 *			   Ignored if *done is false.
 	 *--------
 	 */
-	void		(*exchange) (void *state, char *input, int inputlen,
+	void		(*exchange) (void *state, bool final,
+							 char *input, int inputlen,
 							 char **output, int *outputlen,
 							 bool *done, bool *success);
 
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index e616200704..681b76adbe 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -24,7 +24,8 @@
 /* The exported SCRAM callback mechanism. */
 static void *scram_init(PGconn *conn, const char *password,
 						const char *sasl_mechanism);
-static void scram_exchange(void *opaq, char *input, int inputlen,
+static void scram_exchange(void *opaq, bool final,
+						   char *input, int inputlen,
 						   char **output, int *outputlen,
 						   bool *done, bool *success);
 static bool scram_channel_bound(void *opaq);
@@ -206,7 +207,8 @@ scram_free(void *opaq)
  * Exchange a SCRAM message with backend.
  */
 static void
-scram_exchange(void *opaq, char *input, int inputlen,
+scram_exchange(void *opaq, bool final,
+			   char *input, int inputlen,
 			   char **output, int *outputlen,
 			   bool *done, bool *success)
 {
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 6fceff561b..2567a34023 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -38,6 +38,7 @@
 #endif
 
 #include "common/md5.h"
+#include "common/oauth-common.h"
 #include "common/scram-common.h"
 #include "fe-auth.h"
 #include "fe-auth-sasl.h"
@@ -422,7 +423,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 	bool		success;
 	const char *selected_mechanism;
 	PQExpBufferData mechanism_buf;
-	char	   *password;
+	char	   *password = NULL;
 
 	initPQExpBuffer(&mechanism_buf);
 
@@ -444,8 +445,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 	/*
 	 * Parse the list of SASL authentication mechanisms in the
 	 * AuthenticationSASL message, and select the best mechanism that we
-	 * support.  SCRAM-SHA-256-PLUS and SCRAM-SHA-256 are the only ones
-	 * supported at the moment, listed by order of decreasing importance.
+	 * support.  Mechanisms are listed by order of decreasing importance.
 	 */
 	selected_mechanism = NULL;
 	for (;;)
@@ -485,6 +485,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 				{
 					selected_mechanism = SCRAM_SHA_256_PLUS_NAME;
 					conn->sasl = &pg_scram_mech;
+					conn->password_needed = true;
 				}
 #else
 				/*
@@ -522,7 +523,17 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 		{
 			selected_mechanism = SCRAM_SHA_256_NAME;
 			conn->sasl = &pg_scram_mech;
+			conn->password_needed = true;
 		}
+#ifdef USE_OAUTH
+		else if (strcmp(mechanism_buf.data, OAUTHBEARER_NAME) == 0 &&
+				!selected_mechanism)
+		{
+			selected_mechanism = OAUTHBEARER_NAME;
+			conn->sasl = &pg_oauth_mech;
+			conn->password_needed = false;
+		}
+#endif
 	}
 
 	if (!selected_mechanism)
@@ -547,18 +558,19 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 
 	/*
 	 * First, select the password to use for the exchange, complaining if
-	 * there isn't one.  Currently, all supported SASL mechanisms require a
-	 * password, so we can just go ahead here without further distinction.
+	 * there isn't one and the SASL mechanism needs it.
 	 */
-	conn->password_needed = true;
-	password = conn->connhost[conn->whichhost].password;
-	if (password == NULL)
-		password = conn->pgpass;
-	if (password == NULL || password[0] == '\0')
+	if (conn->password_needed)
 	{
-		appendPQExpBufferStr(&conn->errorMessage,
-							 PQnoPasswordSupplied);
-		goto error;
+		password = conn->connhost[conn->whichhost].password;
+		if (password == NULL)
+			password = conn->pgpass;
+		if (password == NULL || password[0] == '\0')
+		{
+			appendPQExpBufferStr(&conn->errorMessage,
+								 PQnoPasswordSupplied);
+			goto error;
+		}
 	}
 
 	Assert(conn->sasl);
@@ -576,7 +588,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 		goto oom_error;
 
 	/* Get the mechanism-specific Initial Client Response, if any */
-	conn->sasl->exchange(conn->sasl_state,
+	conn->sasl->exchange(conn->sasl_state, false,
 						 NULL, -1,
 						 &initialresponse, &initialresponselen,
 						 &done, &success);
@@ -657,7 +669,7 @@ pg_SASL_continue(PGconn *conn, int payloadlen, bool final)
 	/* For safety and convenience, ensure the buffer is NULL-terminated. */
 	challenge[payloadlen] = '\0';
 
-	conn->sasl->exchange(conn->sasl_state,
+	conn->sasl->exchange(conn->sasl_state, final,
 						 challenge, payloadlen,
 						 &output, &outputlen,
 						 &done, &success);
diff --git a/src/interfaces/libpq/fe-auth.h b/src/interfaces/libpq/fe-auth.h
index 049a8bb1a1..2a56774019 100644
--- a/src/interfaces/libpq/fe-auth.h
+++ b/src/interfaces/libpq/fe-auth.h
@@ -28,4 +28,7 @@ extern const pg_fe_sasl_mech pg_scram_mech;
 extern char *pg_fe_scram_build_secret(const char *password,
 									  const char **errstr);
 
+/* Mechanisms in fe-auth-oauth.c */
+extern const pg_fe_sasl_mech pg_oauth_mech;
+
 #endif							/* FE_AUTH_H */
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index cf554d389f..fdd30d71de 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -344,6 +344,23 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
 		"Target-Session-Attrs", "", 15, /* sizeof("prefer-standby") = 15 */
 	offsetof(struct pg_conn, target_session_attrs)},
 
+	/* OAuth v2 */
+	{"oauth_issuer", NULL, NULL, NULL,
+		"OAuth-Issuer", "", 40,
+	offsetof(struct pg_conn, oauth_issuer)},
+
+	{"oauth_client_id", NULL, NULL, NULL,
+		"OAuth-Client-ID", "", 40,
+	offsetof(struct pg_conn, oauth_client_id)},
+
+	{"oauth_client_secret", NULL, NULL, NULL,
+		"OAuth-Client-Secret", "", 40,
+	offsetof(struct pg_conn, oauth_client_secret)},
+
+	{"oauth_scope", NULL, NULL, NULL,
+		"OAuth-Scope", "", 15,
+	offsetof(struct pg_conn, oauth_scope)},
+
 	/* Terminating entry --- MUST BE LAST */
 	{NULL, NULL, NULL, NULL,
 	NULL, NULL, 0}
@@ -606,6 +623,7 @@ pqDropServerData(PGconn *conn)
 	conn->write_err_msg = NULL;
 	conn->be_pid = 0;
 	conn->be_key = 0;
+	/* conn->oauth_want_retry = false; TODO */
 }
 
 
@@ -3386,6 +3404,16 @@ keep_going:						/* We will come back to here until there is
 					/* Check to see if we should mention pgpassfile */
 					pgpassfileWarning(conn);
 
+#ifdef USE_OAUTH
+					if (conn->sasl == &pg_oauth_mech
+						&& conn->oauth_want_retry)
+					{
+						/* TODO: only allow retry once */
+						need_new_connection = true;
+						goto keep_going;
+					}
+#endif
+
 #ifdef ENABLE_GSS
 
 					/*
@@ -4166,6 +4194,16 @@ freePGconn(PGconn *conn)
 		free(conn->rowBuf);
 	if (conn->target_session_attrs)
 		free(conn->target_session_attrs);
+	if (conn->oauth_issuer)
+		free(conn->oauth_issuer);
+	if (conn->oauth_discovery_uri)
+		free(conn->oauth_discovery_uri);
+	if (conn->oauth_client_id)
+		free(conn->oauth_client_id);
+	if (conn->oauth_client_secret)
+		free(conn->oauth_client_secret);
+	if (conn->oauth_scope)
+		free(conn->oauth_scope);
 	termPQExpBuffer(&conn->errorMessage);
 	termPQExpBuffer(&conn->workBuffer);
 
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index e0cee4b142..0dff13505a 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -394,6 +394,14 @@ struct pg_conn
 	char	   *ssl_max_protocol_version;	/* maximum TLS protocol version */
 	char	   *target_session_attrs;	/* desired session properties */
 
+	/* OAuth v2 */
+	char	   *oauth_issuer;			/* token issuer URL */
+	char	   *oauth_discovery_uri;	/* URI of the issuer's discovery document */
+	char	   *oauth_client_id;		/* client identifier */
+	char	   *oauth_client_secret;	/* client secret */
+	char	   *oauth_scope;			/* access token scope */
+	bool		oauth_want_retry;		/* should we retry on failure? */
+
 	/* Optional file to write trace info to */
 	FILE	   *Pfdebug;
 	int			traceFlags;
-- 
2.25.1

From 6d8fd9e5b352fd0847c9454ced2b763a6b11e73f Mon Sep 17 00:00:00 2001
From: Jacob Champion <pchampion@vmware.com>
Date: Fri, 4 Jun 2021 09:06:38 -0700
Subject: [PATCH v4 09/10] Add pytest suite for OAuth

Requires Python 3; on the first run of `make installcheck` the
dependencies will be installed into ./venv for you. See the README for
more details.
---
 src/test/python/.gitignore                 |    2 +
 src/test/python/Makefile                   |   38 +
 src/test/python/README                     |   54 ++
 src/test/python/client/__init__.py         |    0
 src/test/python/client/conftest.py         |  126 +++
 src/test/python/client/test_client.py      |  180 ++++
 src/test/python/client/test_oauth.py       |  936 ++++++++++++++++++
 src/test/python/pq3.py                     |  727 ++++++++++++++
 src/test/python/pytest.ini                 |    4 +
 src/test/python/requirements.txt           |    7 +
 src/test/python/server/__init__.py         |    0
 src/test/python/server/conftest.py         |   45 +
 src/test/python/server/test_oauth.py       | 1012 ++++++++++++++++++++
 src/test/python/server/test_server.py      |   21 +
 src/test/python/server/validate_bearer.py  |  101 ++
 src/test/python/server/validate_reflect.py |   34 +
 src/test/python/test_internals.py          |  138 +++
 src/test/python/test_pq3.py                |  558 +++++++++++
 src/test/python/tls.py                     |  195 ++++
 19 files changed, 4178 insertions(+)
 create mode 100644 src/test/python/.gitignore
 create mode 100644 src/test/python/Makefile
 create mode 100644 src/test/python/README
 create mode 100644 src/test/python/client/__init__.py
 create mode 100644 src/test/python/client/conftest.py
 create mode 100644 src/test/python/client/test_client.py
 create mode 100644 src/test/python/client/test_oauth.py
 create mode 100644 src/test/python/pq3.py
 create mode 100644 src/test/python/pytest.ini
 create mode 100644 src/test/python/requirements.txt
 create mode 100644 src/test/python/server/__init__.py
 create mode 100644 src/test/python/server/conftest.py
 create mode 100644 src/test/python/server/test_oauth.py
 create mode 100644 src/test/python/server/test_server.py
 create mode 100755 src/test/python/server/validate_bearer.py
 create mode 100755 src/test/python/server/validate_reflect.py
 create mode 100644 src/test/python/test_internals.py
 create mode 100644 src/test/python/test_pq3.py
 create mode 100644 src/test/python/tls.py

diff --git a/src/test/python/.gitignore b/src/test/python/.gitignore
new file mode 100644
index 0000000000..0e8f027b2e
--- /dev/null
+++ b/src/test/python/.gitignore
@@ -0,0 +1,2 @@
+__pycache__/
+/venv/
diff --git a/src/test/python/Makefile b/src/test/python/Makefile
new file mode 100644
index 0000000000..b0695b6287
--- /dev/null
+++ b/src/test/python/Makefile
@@ -0,0 +1,38 @@
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+
+# Only Python 3 is supported, but if it's named something different on your
+# system you can override it with the PYTHON3 variable.
+PYTHON3 := python3
+
+# All dependencies are placed into this directory. The default is .gitignored
+# for you, but you can override it if you'd like.
+VENV := ./venv
+
+override VBIN   := $(VENV)/bin
+override PIP    := $(VBIN)/pip
+override PYTEST := $(VBIN)/py.test
+override ISORT  := $(VBIN)/isort
+override BLACK  := $(VBIN)/black
+
+.PHONY: installcheck indent
+
+installcheck: $(PYTEST)
+	$(PYTEST) -v -rs
+
+indent: $(ISORT) $(BLACK)
+	$(ISORT) --profile black *.py client/*.py server/*.py
+	$(BLACK) *.py client/*.py server/*.py
+
+$(PYTEST) $(ISORT) $(BLACK) &: requirements.txt | $(PIP)
+	$(PIP) install --force-reinstall -r $<
+
+$(PIP):
+	$(PYTHON3) -m venv $(VENV)
+
+# A convenience recipe to rebuild psycopg2 against the local libpq.
+.PHONY: rebuild-psycopg2
+rebuild-psycopg2: | $(PIP)
+	$(PIP) install --force-reinstall --no-binary :all: $(shell grep psycopg2 requirements.txt)
diff --git a/src/test/python/README b/src/test/python/README
new file mode 100644
index 0000000000..0bda582c4b
--- /dev/null
+++ b/src/test/python/README
@@ -0,0 +1,54 @@
+A test suite for exercising both the libpq client and the server backend at the
+protocol level, based on pytest and Construct.
+
+The test suite currently assumes that the standard PG* environment variables
+point to the database under test and are sufficient to log in a superuser on
+that system. In other words, a bare `psql` needs to Just Work before the test
+suite can do its thing. For a newly built dev cluster, typically all that I need
+to do is a
+
+    export PGDATABASE=postgres
+
+but you can adjust as needed for your setup.
+
+## Requirements
+
+A supported version (3.6+) of Python.
+
+The first run of
+
+    make installcheck
+
+will install a local virtual environment and all needed dependencies. During
+development, if libpq changes incompatibly, you can issue
+
+    $ make rebuild-psycopg2
+
+to force a rebuild of the client library.
+
+## Hacking
+
+The code style is enforced by a _very_ opinionated autoformatter. Running the
+
+    make indent
+
+recipe will invoke it for you automatically. Don't fight the tool; part of the
+zen is in knowing that if the formatter makes your code ugly, there's probably a
+cleaner way to write your code.
+
+## Advanced Usage
+
+The Makefile is there for convenience, but you don't have to use it. Activate
+the virtualenv to be able to use pytest directly:
+
+    $ source venv/bin/activate
+    $ py.test -k oauth
+    ...
+    $ py.test ./server/test_server.py
+    ...
+    $ deactivate  # puts the PATH et al back the way it was before
+
+To make quick smoke tests possible, slow tests have been marked explicitly. You
+can skip them by saying e.g.
+
+    $ py.test -m 'not slow'
diff --git a/src/test/python/client/__init__.py b/src/test/python/client/__init__.py
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/test/python/client/conftest.py b/src/test/python/client/conftest.py
new file mode 100644
index 0000000000..f38da7a138
--- /dev/null
+++ b/src/test/python/client/conftest.py
@@ -0,0 +1,126 @@
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+
+import socket
+import sys
+import threading
+
+import psycopg2
+import pytest
+
+import pq3
+
+BLOCKING_TIMEOUT = 2  # the number of seconds to wait for blocking calls
+
+
+@pytest.fixture
+def server_socket(unused_tcp_port_factory):
+    """
+    Returns a listening socket bound to an ephemeral port.
+    """
+    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
+        s.bind(("127.0.0.1", unused_tcp_port_factory()))
+        s.listen(1)
+        s.settimeout(BLOCKING_TIMEOUT)
+        yield s
+
+
+class ClientHandshake(threading.Thread):
+    """
+    A thread that connects to a local Postgres server using psycopg2. Once the
+    opening handshake completes, the connection will be immediately closed.
+    """
+
+    def __init__(self, *, port, **kwargs):
+        super().__init__()
+
+        kwargs["port"] = port
+        self._kwargs = kwargs
+
+        self.exception = None
+
+    def run(self):
+        try:
+            conn = psycopg2.connect(host="127.0.0.1", **self._kwargs)
+            conn.close()
+        except Exception as e:
+            self.exception = e
+
+    def check_completed(self, timeout=BLOCKING_TIMEOUT):
+        """
+        Joins the client thread. Raises an exception if the thread could not be
+        joined, or if it threw an exception itself. (The exception will be
+        cleared, so future calls to check_completed will succeed.)
+        """
+        self.join(timeout)
+
+        if self.is_alive():
+            raise TimeoutError("client thread did not handshake within the timeout")
+        elif self.exception:
+            e = self.exception
+            self.exception = None
+            raise e
+
+
+@pytest.fixture
+def accept(server_socket):
+    """
+    Returns a factory function that, when called, returns a pair (sock, client)
+    where sock is a server socket that has accepted a connection from client,
+    and client is an instance of ClientHandshake. Clients will complete their
+    handshakes and cleanly disconnect.
+
+    The default connstring options may be extended or overridden by passing
+    arbitrary keyword arguments. Keep in mind that you generally should not
+    override the host or port, since they point to the local test server.
+
+    For situations where a client needs to connect more than once to complete a
+    handshake, the accept function may be called more than once. (The client
+    returned for subsequent calls will always be the same client that was
+    returned for the first call.)
+
+    Tests must either complete the handshake so that the client thread can be
+    automatically joined during teardown, or else call client.check_completed()
+    and manually handle any expected errors.
+    """
+    _, port = server_socket.getsockname()
+
+    client = None
+    default_opts = dict(
+        port=port,
+        user=pq3.pguser(),
+        sslmode="disable",
+    )
+
+    def factory(**kwargs):
+        nonlocal client
+
+        if client is None:
+            opts = dict(default_opts)
+            opts.update(kwargs)
+
+            # The server_socket is already listening, so the client thread can
+            # be safely started; it'll block on the connection until we accept.
+            client = ClientHandshake(**opts)
+            client.start()
+
+        sock, _ = server_socket.accept()
+        return sock, client
+
+    yield factory
+    client.check_completed()
+
+
+@pytest.fixture
+def conn(accept):
+    """
+    Returns an accepted, wrapped pq3 connection to a psycopg2 client. The socket
+    will be closed when the test finishes, and the client will be checked for a
+    cleanly completed handshake.
+    """
+    sock, client = accept()
+    with sock:
+        with pq3.wrap(sock, debug_stream=sys.stdout) as conn:
+            yield conn
diff --git a/src/test/python/client/test_client.py b/src/test/python/client/test_client.py
new file mode 100644
index 0000000000..c4c946fda4
--- /dev/null
+++ b/src/test/python/client/test_client.py
@@ -0,0 +1,180 @@
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+
+import base64
+import sys
+
+import psycopg2
+import pytest
+from cryptography.hazmat.primitives import hashes, hmac
+
+import pq3
+
+
+def finish_handshake(conn):
+    """
+    Sends the AuthenticationOK message and the standard opening salvo of server
+    messages, then asserts that the client immediately sends a Terminate message
+    to close the connection cleanly.
+    """
+    pq3.send(conn, pq3.types.AuthnRequest, type=pq3.authn.OK)
+    pq3.send(conn, pq3.types.ParameterStatus, name=b"client_encoding", value=b"UTF-8")
+    pq3.send(conn, pq3.types.ParameterStatus, name=b"DateStyle", value=b"ISO, MDY")
+    pq3.send(conn, pq3.types.ReadyForQuery, status=b"I")
+
+    pkt = pq3.recv1(conn)
+    assert pkt.type == pq3.types.Terminate
+
+
+def test_handshake(conn):
+    startup = pq3.recv1(conn, cls=pq3.Startup)
+    assert startup.proto == pq3.protocol(3, 0)
+
+    finish_handshake(conn)
+
+
+def test_aborted_connection(accept):
+    """
+    Make sure the client correctly reports an early close during handshakes.
+    """
+    sock, client = accept()
+    sock.close()
+
+    expected = "server closed the connection unexpectedly"
+    with pytest.raises(psycopg2.OperationalError, match=expected):
+        client.check_completed()
+
+
+#
+# SCRAM-SHA-256 (see RFC 5802: https://tools.ietf.org/html/rfc5802)
+#
+
+
+@pytest.fixture
+def password():
+    """
+    Returns a password for use by both client and server.
+    """
+    # TODO: parameterize this with passwords that require SASLprep.
+    return "secret"
+
+
+@pytest.fixture
+def pwconn(accept, password):
+    """
+    Like the conn fixture, but uses a password in the connection.
+    """
+    sock, client = accept(password=password)
+    with sock:
+        with pq3.wrap(sock, debug_stream=sys.stdout) as conn:
+            yield conn
+
+
+def sha256(data):
+    """The H(str) function from Section 2.2."""
+    digest = hashes.Hash(hashes.SHA256())
+    digest.update(data)
+    return digest.finalize()
+
+
+def hmac_256(key, data):
+    """The HMAC(key, str) function from Section 2.2."""
+    h = hmac.HMAC(key, hashes.SHA256())
+    h.update(data)
+    return h.finalize()
+
+
+def xor(a, b):
+    """The XOR operation from Section 2.2."""
+    res = bytearray(a)
+    for i, byte in enumerate(b):
+        res[i] ^= byte
+    return bytes(res)
+
+
+def h_i(data, salt, i):
+    """The Hi(str, salt, i) function from Section 2.2."""
+    assert i > 0
+
+    acc = hmac_256(data, salt + b"\x00\x00\x00\x01")
+    last = acc
+    i -= 1
+
+    while i:
+        u = hmac_256(data, last)
+        acc = xor(acc, u)
+
+        last = u
+        i -= 1
+
+    return acc
+
+
+def test_scram(pwconn, password):
+    startup = pq3.recv1(pwconn, cls=pq3.Startup)
+    assert startup.proto == pq3.protocol(3, 0)
+
+    pq3.send(
+        pwconn,
+        pq3.types.AuthnRequest,
+        type=pq3.authn.SASL,
+        body=[b"SCRAM-SHA-256", b""],
+    )
+
+    # Get the client-first-message.
+    pkt = pq3.recv1(pwconn)
+    assert pkt.type == pq3.types.PasswordMessage
+
+    initial = pq3.SASLInitialResponse.parse(pkt.payload)
+    assert initial.name == b"SCRAM-SHA-256"
+
+    c_bind, authzid, c_name, c_nonce = initial.data.split(b",")
+    assert c_bind == b"n"  # no channel bindings on a plaintext connection
+    assert authzid == b""  # we don't support authzid currently
+    assert c_name == b"n="  # libpq doesn't honor the GS2 username
+    assert c_nonce.startswith(b"r=")
+
+    # Send the server-first-message.
+    salt = b"12345"
+    iterations = 2
+
+    s_nonce = c_nonce + b"somenonce"
+    s_salt = b"s=" + base64.b64encode(salt)
+    s_iterations = b"i=%d" % iterations
+
+    msg = b",".join([s_nonce, s_salt, s_iterations])
+    pq3.send(pwconn, pq3.types.AuthnRequest, type=pq3.authn.SASLContinue, body=msg)
+
+    # Get the client-final-message.
+    pkt = pq3.recv1(pwconn)
+    assert pkt.type == pq3.types.PasswordMessage
+
+    c_bind_final, c_nonce_final, c_proof = pkt.payload.split(b",")
+    assert c_bind_final == b"c=" + base64.b64encode(c_bind + b"," + authzid + b",")
+    assert c_nonce_final == s_nonce
+
+    # Calculate what the client proof should be.
+    salted_password = h_i(password.encode("ascii"), salt, iterations)
+    client_key = hmac_256(salted_password, b"Client Key")
+    stored_key = sha256(client_key)
+
+    auth_message = b",".join(
+        [c_name, c_nonce, s_nonce, s_salt, s_iterations, c_bind_final, c_nonce_final]
+    )
+    client_signature = hmac_256(stored_key, auth_message)
+    client_proof = xor(client_key, client_signature)
+
+    expected = b"p=" + base64.b64encode(client_proof)
+    assert c_proof == expected
+
+    # Send the correct server signature.
+    server_key = hmac_256(salted_password, b"Server Key")
+    server_signature = hmac_256(server_key, auth_message)
+
+    s_verify = b"v=" + base64.b64encode(server_signature)
+    pq3.send(pwconn, pq3.types.AuthnRequest, type=pq3.authn.SASLFinal, body=s_verify)
+
+    # Done!
+    finish_handshake(pwconn)
diff --git a/src/test/python/client/test_oauth.py b/src/test/python/client/test_oauth.py
new file mode 100644
index 0000000000..a754a9c0b6
--- /dev/null
+++ b/src/test/python/client/test_oauth.py
@@ -0,0 +1,936 @@
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+
+import base64
+import http.server
+import json
+import secrets
+import sys
+import threading
+import time
+import urllib.parse
+
+import psycopg2
+import pytest
+
+import pq3
+
+from .conftest import BLOCKING_TIMEOUT
+
+
+def finish_handshake(conn):
+    """
+    Sends the AuthenticationOK message and the standard opening salvo of server
+    messages, then asserts that the client immediately sends a Terminate message
+    to close the connection cleanly.
+    """
+    pq3.send(conn, pq3.types.AuthnRequest, type=pq3.authn.OK)
+    pq3.send(conn, pq3.types.ParameterStatus, name=b"client_encoding", value=b"UTF-8")
+    pq3.send(conn, pq3.types.ParameterStatus, name=b"DateStyle", value=b"ISO, MDY")
+    pq3.send(conn, pq3.types.ReadyForQuery, status=b"I")
+
+    pkt = pq3.recv1(conn)
+    assert pkt.type == pq3.types.Terminate
+
+
+#
+# OAUTHBEARER (see RFC 7628: https://tools.ietf.org/html/rfc7628)
+#
+
+
+def start_oauth_handshake(conn):
+    """
+    Negotiates an OAUTHBEARER SASL challenge. Returns the client's initial
+    response data.
+    """
+    startup = pq3.recv1(conn, cls=pq3.Startup)
+    assert startup.proto == pq3.protocol(3, 0)
+
+    pq3.send(
+        conn, pq3.types.AuthnRequest, type=pq3.authn.SASL, body=[b"OAUTHBEARER", b""]
+    )
+
+    pkt = pq3.recv1(conn)
+    assert pkt.type == pq3.types.PasswordMessage
+
+    initial = pq3.SASLInitialResponse.parse(pkt.payload)
+    assert initial.name == b"OAUTHBEARER"
+
+    return initial.data
+
+
+def get_auth_value(initial):
+    """
+    Finds the auth value (e.g. "Bearer somedata..." in the client's initial SASL
+    response.
+    """
+    kvpairs = initial.split(b"\x01")
+    assert kvpairs[0] == b"n,,"  # no channel binding or authzid
+    assert kvpairs[2] == b""  # ends with an empty kvpair
+    assert kvpairs[3] == b""  # ...and there's nothing after it
+    assert len(kvpairs) == 4
+
+    key, value = kvpairs[1].split(b"=", 2)
+    assert key == b"auth"
+
+    return value
+
+
+def xtest_oauth_success(conn):  # TODO
+    initial = start_oauth_handshake(conn)
+
+    auth = get_auth_value(initial)
+    assert auth.startswith(b"Bearer ")
+
+    # Accept the token. TODO actually validate
+    pq3.send(conn, pq3.types.AuthnRequest, type=pq3.authn.SASLFinal)
+    finish_handshake(conn)
+
+
+class OpenIDProvider(threading.Thread):
+    """
+    A thread that runs a mock OpenID provider server.
+    """
+
+    def __init__(self, *, port):
+        super().__init__()
+
+        self.exception = None
+
+        addr = ("", port)
+        self.server = self._Server(addr, self._Handler)
+
+        # TODO: allow HTTPS only, somehow
+        oauth = self._OAuthState()
+        oauth.host = f"localhost:{port}"
+        oauth.issuer = f"http://localhost:{port}"
+
+        # The following endpoints are required to be advertised by providers,
+        # even though our chosen client implementation does not actually make
+        # use of them.
+        oauth.register_endpoint(
+            "authorization_endpoint", "POST", "/authorize", self._authorization_handler
+        )
+        oauth.register_endpoint("jwks_uri", "GET", "/keys", self._jwks_handler)
+
+        self.server.oauth = oauth
+
+    def run(self):
+        try:
+            self.server.serve_forever()
+        except Exception as e:
+            self.exception = e
+
+    def stop(self, timeout=BLOCKING_TIMEOUT):
+        """
+        Shuts down the server and joins its thread. Raises an exception if the
+        thread could not be joined, or if it threw an exception itself. Must
+        only be called once, after start().
+        """
+        self.server.shutdown()
+        self.join(timeout)
+
+        if self.is_alive():
+            raise TimeoutError("client thread did not handshake within the timeout")
+        elif self.exception:
+            e = self.exception
+            raise e
+
+    class _OAuthState(object):
+        def __init__(self):
+            self.endpoint_paths = {}
+            self._endpoints = {}
+
+        def register_endpoint(self, name, method, path, func):
+            if method not in self._endpoints:
+                self._endpoints[method] = {}
+
+            self._endpoints[method][path] = func
+            self.endpoint_paths[name] = path
+
+        def endpoint(self, method, path):
+            if method not in self._endpoints:
+                return None
+
+            return self._endpoints[method].get(path)
+
+    class _Server(http.server.HTTPServer):
+        def handle_error(self, request, addr):
+            self.shutdown_request(request)
+            raise
+
+    @staticmethod
+    def _jwks_handler(headers, params):
+        return 200, {"keys": []}
+
+    @staticmethod
+    def _authorization_handler(headers, params):
+        # We don't actually want this to be called during these tests -- we
+        # should be using the device authorization endpoint instead.
+        assert (
+            False
+        ), "authorization handler called instead of device authorization handler"
+
+    class _Handler(http.server.BaseHTTPRequestHandler):
+        timeout = BLOCKING_TIMEOUT
+
+        def _discovery_handler(self, headers, params):
+            oauth = self.server.oauth
+
+            doc = {
+                "issuer": oauth.issuer,
+                "response_types_supported": ["token"],
+                "subject_types_supported": ["public"],
+                "id_token_signing_alg_values_supported": ["RS256"],
+            }
+
+            for name, path in oauth.endpoint_paths.items():
+                doc[name] = oauth.issuer + path
+
+            return 200, doc
+
+        def _handle(self, *, params=None, handler=None):
+            oauth = self.server.oauth
+            assert self.headers["Host"] == oauth.host
+
+            if handler is None:
+                handler = oauth.endpoint(self.command, self.path)
+                assert (
+                    handler is not None
+                ), f"no registered endpoint for {self.command} {self.path}"
+
+            code, resp = handler(self.headers, params)
+
+            self.send_response(code)
+            self.send_header("Content-Type", "application/json")
+            self.end_headers()
+
+            resp = json.dumps(resp)
+            resp = resp.encode("utf-8")
+            self.wfile.write(resp)
+
+            self.close_connection = True
+
+        def do_GET(self):
+            if self.path == "/.well-known/openid-configuration":
+                self._handle(handler=self._discovery_handler)
+                return
+
+            self._handle()
+
+        def _request_body(self):
+            length = self.headers["Content-Length"]
+
+            # Handle only an explicit content-length.
+            assert length is not None
+            length = int(length)
+
+            return self.rfile.read(length).decode("utf-8")
+
+        def do_POST(self):
+            assert self.headers["Content-Type"] == "application/x-www-form-urlencoded"
+
+            body = self._request_body()
+            params = urllib.parse.parse_qs(body)
+
+            self._handle(params=params)
+
+
+@pytest.fixture
+def openid_provider(unused_tcp_port_factory):
+    """
+    A fixture that returns the OAuth state of a running OpenID provider server. The
+    server will be stopped when the fixture is torn down.
+    """
+    thread = OpenIDProvider(port=unused_tcp_port_factory())
+    thread.start()
+
+    try:
+        yield thread.server.oauth
+    finally:
+        thread.stop()
+
+
+@pytest.mark.parametrize("secret", [None, "", "hunter2"])
+@pytest.mark.parametrize("scope", [None, "", "openid email"])
+@pytest.mark.parametrize("retries", [0, 1])
+def test_oauth_with_explicit_issuer(
+    capfd, accept, openid_provider, retries, scope, secret
+):
+    client_id = secrets.token_hex()
+
+    sock, client = accept(
+        oauth_issuer=openid_provider.issuer,
+        oauth_client_id=client_id,
+        oauth_client_secret=secret,
+        oauth_scope=scope,
+    )
+
+    device_code = secrets.token_hex()
+    user_code = f"{secrets.token_hex(2)}-{secrets.token_hex(2)}"
+    verification_url = "https://example.com/device"
+
+    access_token = secrets.token_urlsafe()
+
+    def check_client_authn(headers, params):
+        if not secret:
+            assert params["client_id"] == [client_id]
+            return
+
+        # Require the client to use Basic authn; request-body credentials are
+        # NOT RECOMMENDED (RFC 6749, Sec. 2.3.1).
+        assert "Authorization" in headers
+
+        method, creds = headers["Authorization"].split()
+        assert method == "Basic"
+
+        expected = f"{client_id}:{secret}"
+        assert base64.b64decode(creds) == expected.encode("ascii")
+
+    # Set up our provider callbacks.
+    # NOTE that these callbacks will be called on a background thread. Don't do
+    # any unprotected state mutation here.
+
+    def authorization_endpoint(headers, params):
+        check_client_authn(headers, params)
+
+        if scope:
+            assert params["scope"] == [scope]
+        else:
+            assert "scope" not in params
+
+        resp = {
+            "device_code": device_code,
+            "user_code": user_code,
+            "interval": 0,
+            "verification_uri": verification_url,
+            "expires_in": 5,
+        }
+
+        return 200, resp
+
+    openid_provider.register_endpoint(
+        "device_authorization_endpoint", "POST", "/device", authorization_endpoint
+    )
+
+    attempts = 0
+    retry_lock = threading.Lock()
+
+    def token_endpoint(headers, params):
+        check_client_authn(headers, params)
+
+        assert params["grant_type"] == ["urn:ietf:params:oauth:grant-type:device_code"]
+        assert params["device_code"] == [device_code]
+
+        now = time.monotonic()
+
+        with retry_lock:
+            nonlocal attempts
+
+            # If the test wants to force the client to retry, return an
+            # authorization_pending response and decrement the retry count.
+            if attempts < retries:
+                attempts += 1
+                return 400, {"error": "authorization_pending"}
+
+        # Successfully finish the request by sending the access bearer token.
+        resp = {
+            "access_token": access_token,
+            "token_type": "bearer",
+        }
+
+        return 200, resp
+
+    openid_provider.register_endpoint(
+        "token_endpoint", "POST", "/token", token_endpoint
+    )
+
+    with sock:
+        with pq3.wrap(sock, debug_stream=sys.stdout) as conn:
+            # Initiate a handshake, which should result in the above endpoints
+            # being called.
+            initial = start_oauth_handshake(conn)
+
+            # Validate and accept the token.
+            auth = get_auth_value(initial)
+            assert auth == f"Bearer {access_token}".encode("ascii")
+
+            pq3.send(conn, pq3.types.AuthnRequest, type=pq3.authn.SASLFinal)
+            finish_handshake(conn)
+
+    if retries:
+        # Finally, make sure that the client prompted the user with the expected
+        # authorization URL and user code.
+        expected = f"Visit {verification_url} and enter the code: {user_code}"
+        _, stderr = capfd.readouterr()
+        assert expected in stderr
+
+
+def test_oauth_requires_client_id(accept, openid_provider):
+    sock, client = accept(
+        oauth_issuer=openid_provider.issuer,
+        # Do not set a client ID; this should cause a client error after the
+        # server asks for OAUTHBEARER and the client tries to contact the
+        # issuer.
+    )
+
+    with sock:
+        with pq3.wrap(sock, debug_stream=sys.stdout) as conn:
+            # Initiate a handshake.
+            startup = pq3.recv1(conn, cls=pq3.Startup)
+            assert startup.proto == pq3.protocol(3, 0)
+
+            pq3.send(
+                conn,
+                pq3.types.AuthnRequest,
+                type=pq3.authn.SASL,
+                body=[b"OAUTHBEARER", b""],
+            )
+
+            # The client should disconnect at this point.
+            assert not conn.read()
+
+    expected_error = "no oauth_client_id is set"
+    with pytest.raises(psycopg2.OperationalError, match=expected_error):
+        client.check_completed()
+
+
+@pytest.mark.slow
+@pytest.mark.parametrize("error_code", ["authorization_pending", "slow_down"])
+@pytest.mark.parametrize("retries", [1, 2])
+def test_oauth_retry_interval(accept, openid_provider, retries, error_code):
+    sock, client = accept(
+        oauth_issuer=openid_provider.issuer,
+        oauth_client_id="some-id",
+    )
+
+    expected_retry_interval = 1
+    access_token = secrets.token_urlsafe()
+
+    # Set up our provider callbacks.
+    # NOTE that these callbacks will be called on a background thread. Don't do
+    # any unprotected state mutation here.
+
+    def authorization_endpoint(headers, params):
+        resp = {
+            "device_code": "my-device-code",
+            "user_code": "my-user-code",
+            "interval": expected_retry_interval,
+            "verification_uri": "https://example.com",
+            "expires_in": 5,
+        }
+
+        return 200, resp
+
+    openid_provider.register_endpoint(
+        "device_authorization_endpoint", "POST", "/device", authorization_endpoint
+    )
+
+    attempts = 0
+    last_retry = None
+    retry_lock = threading.Lock()
+
+    def token_endpoint(headers, params):
+        now = time.monotonic()
+
+        with retry_lock:
+            nonlocal attempts, last_retry, expected_retry_interval
+
+            # Make sure the retry interval is being respected by the client.
+            if last_retry is not None:
+                interval = now - last_retry
+                assert interval >= expected_retry_interval
+
+            last_retry = now
+
+            # If the test wants to force the client to retry, return the desired
+            # error response and decrement the retry count.
+            if attempts < retries:
+                attempts += 1
+
+                # A slow_down code requires the client to additionally increase
+                # its interval by five seconds.
+                if error_code == "slow_down":
+                    expected_retry_interval += 5
+
+                return 400, {"error": error_code}
+
+        # Successfully finish the request by sending the access bearer token.
+        resp = {
+            "access_token": access_token,
+            "token_type": "bearer",
+        }
+
+        return 200, resp
+
+    openid_provider.register_endpoint(
+        "token_endpoint", "POST", "/token", token_endpoint
+    )
+
+    with sock:
+        with pq3.wrap(sock, debug_stream=sys.stdout) as conn:
+            # Initiate a handshake, which should result in the above endpoints
+            # being called.
+            initial = start_oauth_handshake(conn)
+
+            # Validate and accept the token.
+            auth = get_auth_value(initial)
+            assert auth == f"Bearer {access_token}".encode("ascii")
+
+            pq3.send(conn, pq3.types.AuthnRequest, type=pq3.authn.SASLFinal)
+            finish_handshake(conn)
+
+
+@pytest.mark.parametrize(
+    "failure_mode, error_pattern",
+    [
+        pytest.param(
+            {
+                "error": "invalid_client",
+                "error_description": "client authentication failed",
+            },
+            r"client authentication failed \(invalid_client\)",
+            id="authentication failure with description",
+        ),
+        pytest.param(
+            {"error": "invalid_request"},
+            r"\(invalid_request\)",
+            id="invalid request without description",
+        ),
+        pytest.param(
+            {},
+            r"failed to obtain device authorization",
+            id="broken error response",
+        ),
+    ],
+)
+def test_oauth_device_authorization_failures(
+    accept, openid_provider, failure_mode, error_pattern
+):
+    client_id = secrets.token_hex()
+
+    sock, client = accept(
+        oauth_issuer=openid_provider.issuer,
+        oauth_client_id=client_id,
+    )
+
+    # Set up our provider callbacks.
+    # NOTE that these callbacks will be called on a background thread. Don't do
+    # any unprotected state mutation here.
+
+    def authorization_endpoint(headers, params):
+        return 400, failure_mode
+
+    openid_provider.register_endpoint(
+        "device_authorization_endpoint", "POST", "/device", authorization_endpoint
+    )
+
+    def token_endpoint(headers, params):
+        assert False, "token endpoint was invoked unexpectedly"
+
+    openid_provider.register_endpoint(
+        "token_endpoint", "POST", "/token", token_endpoint
+    )
+
+    with sock:
+        with pq3.wrap(sock, debug_stream=sys.stdout) as conn:
+            # Initiate a handshake, which should result in the above endpoints
+            # being called.
+            startup = pq3.recv1(conn, cls=pq3.Startup)
+            assert startup.proto == pq3.protocol(3, 0)
+
+            pq3.send(
+                conn,
+                pq3.types.AuthnRequest,
+                type=pq3.authn.SASL,
+                body=[b"OAUTHBEARER", b""],
+            )
+
+            # The client should not continue the connection due to the hardcoded
+            # provider failure; we disconnect here.
+
+    # Now make sure the client correctly failed.
+    with pytest.raises(psycopg2.OperationalError, match=error_pattern):
+        client.check_completed()
+
+
+@pytest.mark.parametrize(
+    "failure_mode, error_pattern",
+    [
+        pytest.param(
+            {
+                "error": "expired_token",
+                "error_description": "the device code has expired",
+            },
+            r"the device code has expired \(expired_token\)",
+            id="expired token with description",
+        ),
+        pytest.param(
+            {"error": "access_denied"},
+            r"\(access_denied\)",
+            id="access denied without description",
+        ),
+        pytest.param(
+            {},
+            r"OAuth token retrieval failed",
+            id="broken error response",
+        ),
+    ],
+)
+@pytest.mark.parametrize("retries", [0, 1])
+def test_oauth_token_failures(
+    accept, openid_provider, retries, failure_mode, error_pattern
+):
+    client_id = secrets.token_hex()
+
+    sock, client = accept(
+        oauth_issuer=openid_provider.issuer,
+        oauth_client_id=client_id,
+    )
+
+    device_code = secrets.token_hex()
+    user_code = f"{secrets.token_hex(2)}-{secrets.token_hex(2)}"
+
+    # Set up our provider callbacks.
+    # NOTE that these callbacks will be called on a background thread. Don't do
+    # any unprotected state mutation here.
+
+    def authorization_endpoint(headers, params):
+        assert params["client_id"] == [client_id]
+
+        resp = {
+            "device_code": device_code,
+            "user_code": user_code,
+            "interval": 0,
+            "verification_uri": "https://example.com/device",
+            "expires_in": 5,
+        }
+
+        return 200, resp
+
+    openid_provider.register_endpoint(
+        "device_authorization_endpoint", "POST", "/device", authorization_endpoint
+    )
+
+    retry_lock = threading.Lock()
+
+    def token_endpoint(headers, params):
+        with retry_lock:
+            nonlocal retries
+
+            # If the test wants to force the client to retry, return an
+            # authorization_pending response and decrement the retry count.
+            if retries > 0:
+                retries -= 1
+                return 400, {"error": "authorization_pending"}
+
+        return 400, failure_mode
+
+    openid_provider.register_endpoint(
+        "token_endpoint", "POST", "/token", token_endpoint
+    )
+
+    with sock:
+        with pq3.wrap(sock, debug_stream=sys.stdout) as conn:
+            # Initiate a handshake, which should result in the above endpoints
+            # being called.
+            startup = pq3.recv1(conn, cls=pq3.Startup)
+            assert startup.proto == pq3.protocol(3, 0)
+
+            pq3.send(
+                conn,
+                pq3.types.AuthnRequest,
+                type=pq3.authn.SASL,
+                body=[b"OAUTHBEARER", b""],
+            )
+
+            # The client should not continue the connection due to the hardcoded
+            # provider failure; we disconnect here.
+
+    # Now make sure the client correctly failed.
+    with pytest.raises(psycopg2.OperationalError, match=error_pattern):
+        client.check_completed()
+
+
+@pytest.mark.parametrize("scope", [None, "openid email"])
+@pytest.mark.parametrize(
+    "base_response",
+    [
+        {"status": "invalid_token"},
+        {"extra_object": {"key": "value"}, "status": "invalid_token"},
+        {"extra_object": {"status": 1}, "status": "invalid_token"},
+    ],
+)
+def test_oauth_discovery(accept, openid_provider, base_response, scope):
+    sock, client = accept(oauth_client_id=secrets.token_hex())
+
+    device_code = secrets.token_hex()
+    user_code = f"{secrets.token_hex(2)}-{secrets.token_hex(2)}"
+    verification_url = "https://example.com/device"
+
+    access_token = secrets.token_urlsafe()
+
+    # Set up our provider callbacks.
+    # NOTE that these callbacks will be called on a background thread. Don't do
+    # any unprotected state mutation here.
+
+    def authorization_endpoint(headers, params):
+        if scope:
+            assert params["scope"] == [scope]
+        else:
+            assert "scope" not in params
+
+        resp = {
+            "device_code": device_code,
+            "user_code": user_code,
+            "interval": 0,
+            "verification_uri": verification_url,
+            "expires_in": 5,
+        }
+
+        return 200, resp
+
+    openid_provider.register_endpoint(
+        "device_authorization_endpoint", "POST", "/device", authorization_endpoint
+    )
+
+    def token_endpoint(headers, params):
+        assert params["grant_type"] == ["urn:ietf:params:oauth:grant-type:device_code"]
+        assert params["device_code"] == [device_code]
+
+        # Successfully finish the request by sending the access bearer token.
+        resp = {
+            "access_token": access_token,
+            "token_type": "bearer",
+        }
+
+        return 200, resp
+
+    openid_provider.register_endpoint(
+        "token_endpoint", "POST", "/token", token_endpoint
+    )
+
+    with sock:
+        with pq3.wrap(sock, debug_stream=sys.stdout) as conn:
+            initial = start_oauth_handshake(conn)
+
+            # For discovery, the client should send an empty auth header. See
+            # RFC 7628, Sec. 4.3.
+            auth = get_auth_value(initial)
+            assert auth == b""
+
+            # We will fail the first SASL exchange. First return a link to the
+            # discovery document, pointing to the test provider server.
+            resp = dict(base_response)
+
+            discovery_uri = f"{openid_provider.issuer}/.well-known/openid-configuration"
+            resp["openid-configuration"] = discovery_uri
+
+            if scope:
+                resp["scope"] = scope
+
+            resp = json.dumps(resp)
+
+            pq3.send(
+                conn,
+                pq3.types.AuthnRequest,
+                type=pq3.authn.SASLContinue,
+                body=resp.encode("ascii"),
+            )
+
+            # Per RFC, the client is required to send a dummy ^A response.
+            pkt = pq3.recv1(conn)
+            assert pkt.type == pq3.types.PasswordMessage
+            assert pkt.payload == b"\x01"
+
+            # Now fail the SASL exchange.
+            pq3.send(
+                conn,
+                pq3.types.ErrorResponse,
+                fields=[
+                    b"SFATAL",
+                    b"C28000",
+                    b"Mdoesn't matter",
+                    b"",
+                ],
+            )
+
+    # The client will connect to us a second time, using the parameters we sent
+    # it.
+    sock, _ = accept()
+
+    with sock:
+        with pq3.wrap(sock, debug_stream=sys.stdout) as conn:
+            initial = start_oauth_handshake(conn)
+
+            # Validate and accept the token.
+            auth = get_auth_value(initial)
+            assert auth == f"Bearer {access_token}".encode("ascii")
+
+            pq3.send(conn, pq3.types.AuthnRequest, type=pq3.authn.SASLFinal)
+            finish_handshake(conn)
+
+
+@pytest.mark.parametrize(
+    "response,expected_error",
+    [
+        pytest.param(
+            "abcde",
+            'Token "abcde" is invalid',
+            id="bad JSON: invalid syntax",
+        ),
+        pytest.param(
+            '"abcde"',
+            "top-level element must be an object",
+            id="bad JSON: top-level element is a string",
+        ),
+        pytest.param(
+            "[]",
+            "top-level element must be an object",
+            id="bad JSON: top-level element is an array",
+        ),
+        pytest.param(
+            "{}",
+            "server sent error response without a status",
+            id="bad JSON: no status member",
+        ),
+        pytest.param(
+            '{ "status": null }',
+            'field "status" must be a string',
+            id="bad JSON: null status member",
+        ),
+        pytest.param(
+            '{ "status": 0 }',
+            'field "status" must be a string',
+            id="bad JSON: int status member",
+        ),
+        pytest.param(
+            '{ "status": [ "bad" ] }',
+            'field "status" must be a string',
+            id="bad JSON: array status member",
+        ),
+        pytest.param(
+            '{ "status": { "bad": "bad" } }',
+            'field "status" must be a string',
+            id="bad JSON: object status member",
+        ),
+        pytest.param(
+            '{ "nested": { "status": "bad" } }',
+            "server sent error response without a status",
+            id="bad JSON: nested status",
+        ),
+        pytest.param(
+            '{ "status": "invalid_token" ',
+            "The input string ended unexpectedly",
+            id="bad JSON: unterminated object",
+        ),
+        pytest.param(
+            '{ "status": "invalid_token" } { }',
+            'Expected end of input, but found "{"',
+            id="bad JSON: trailing data",
+        ),
+        pytest.param(
+            '{ "status": "invalid_token", "openid-configuration": 1 }',
+            'field "openid-configuration" must be a string',
+            id="bad JSON: int openid-configuration member",
+        ),
+        pytest.param(
+            '{ "status": "invalid_token", "openid-configuration": 1 }',
+            'field "openid-configuration" must be a string',
+            id="bad JSON: int openid-configuration member",
+        ),
+        pytest.param(
+            '{ "status": "invalid_token", "scope": 1 }',
+            'field "scope" must be a string',
+            id="bad JSON: int scope member",
+        ),
+    ],
+)
+def test_oauth_discovery_server_error(accept, response, expected_error):
+    sock, client = accept(oauth_client_id=secrets.token_hex())
+
+    with sock:
+        with pq3.wrap(sock, debug_stream=sys.stdout) as conn:
+            initial = start_oauth_handshake(conn)
+
+            # Fail the SASL exchange with an invalid JSON response.
+            pq3.send(
+                conn,
+                pq3.types.AuthnRequest,
+                type=pq3.authn.SASLContinue,
+                body=response.encode("utf-8"),
+            )
+
+            # The client should disconnect, so the socket is closed here. (If
+            # the client doesn't disconnect, it will report a different error
+            # below and the test will fail.)
+
+    with pytest.raises(psycopg2.OperationalError, match=expected_error):
+        client.check_completed()
+
+
+@pytest.mark.parametrize(
+    "sasl_err,resp_type,resp_payload,expected_error",
+    [
+        pytest.param(
+            {"status": "invalid_request"},
+            pq3.types.ErrorResponse,
+            dict(
+                fields=[b"SFATAL", b"C28000", b"Mexpected error message", b""],
+            ),
+            "expected error message",
+            id="standard server error: invalid_request",
+        ),
+        pytest.param(
+            {"status": "invalid_token"},
+            pq3.types.ErrorResponse,
+            dict(
+                fields=[b"SFATAL", b"C28000", b"Mexpected error message", b""],
+            ),
+            "expected error message",
+            id="standard server error: invalid_token without discovery URI",
+        ),
+        pytest.param(
+            {"status": "invalid_request"},
+            pq3.types.AuthnRequest,
+            dict(type=pq3.authn.SASLContinue, body=b""),
+            "server sent additional OAuth data",
+            id="broken server: additional challenge after error",
+        ),
+        pytest.param(
+            {"status": "invalid_request"},
+            pq3.types.AuthnRequest,
+            dict(type=pq3.authn.SASLFinal),
+            "server sent additional OAuth data",
+            id="broken server: SASL success after error",
+        ),
+    ],
+)
+def test_oauth_server_error(accept, sasl_err, resp_type, resp_payload, expected_error):
+    sock, client = accept()
+
+    with sock:
+        with pq3.wrap(sock, debug_stream=sys.stdout) as conn:
+            start_oauth_handshake(conn)
+
+            # Ignore the client data. Return an error "challenge".
+            resp = json.dumps(sasl_err)
+            resp = resp.encode("utf-8")
+
+            pq3.send(
+                conn, pq3.types.AuthnRequest, type=pq3.authn.SASLContinue, body=resp
+            )
+
+            # Per RFC, the client is required to send a dummy ^A response.
+            pkt = pq3.recv1(conn)
+            assert pkt.type == pq3.types.PasswordMessage
+            assert pkt.payload == b"\x01"
+
+            # Now fail the SASL exchange (in either a valid way, or an invalid
+            # one, depending on the test).
+            pq3.send(conn, resp_type, **resp_payload)
+
+    with pytest.raises(psycopg2.OperationalError, match=expected_error):
+        client.check_completed()
diff --git a/src/test/python/pq3.py b/src/test/python/pq3.py
new file mode 100644
index 0000000000..3a22dad0b6
--- /dev/null
+++ b/src/test/python/pq3.py
@@ -0,0 +1,727 @@
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+
+import contextlib
+import getpass
+import io
+import os
+import ssl
+import sys
+import textwrap
+
+from construct import *
+
+import tls
+
+
+def protocol(major, minor):
+    """
+    Returns the protocol version, in integer format, corresponding to the given
+    major and minor version numbers.
+    """
+    return (major << 16) | minor
+
+
+# Startup
+
+StringList = GreedyRange(NullTerminated(GreedyBytes))
+
+
+class KeyValueAdapter(Adapter):
+    """
+    Turns a key-value store into a null-terminated list of null-terminated
+    strings, as presented on the wire in the startup packet.
+    """
+
+    def _encode(self, obj, context, path):
+        if isinstance(obj, list):
+            return obj
+
+        l = []
+
+        for k, v in obj.items():
+            if isinstance(k, str):
+                k = k.encode("utf-8")
+            l.append(k)
+
+            if isinstance(v, str):
+                v = v.encode("utf-8")
+            l.append(v)
+
+        l.append(b"")
+        return l
+
+    def _decode(self, obj, context, path):
+        # TODO: turn a list back into a dict
+        return obj
+
+
+KeyValues = KeyValueAdapter(StringList)
+
+_startup_payload = Switch(
+    this.proto,
+    {
+        protocol(3, 0): KeyValues,
+    },
+    default=GreedyBytes,
+)
+
+
+def _default_protocol(this):
+    try:
+        if isinstance(this.payload, (list, dict)):
+            return protocol(3, 0)
+    except AttributeError:
+        pass  # no payload passed during build
+
+    return 0
+
+
+def _startup_payload_len(this):
+    """
+    The payload field has a fixed size based on the length of the packet. But
+    if the caller hasn't supplied an explicit length at build time, we have to
+    build the payload to figure out how long it is, which requires us to know
+    the length first... This function exists solely to break the cycle.
+    """
+    assert this._building, "_startup_payload_len() cannot be called during parsing"
+
+    try:
+        payload = this.payload
+    except AttributeError:
+        return 0  # no payload
+
+    if isinstance(payload, bytes):
+        # already serialized; just use the given length
+        return len(payload)
+
+    try:
+        proto = this.proto
+    except AttributeError:
+        proto = _default_protocol(this)
+
+    data = _startup_payload.build(payload, proto=proto)
+    return len(data)
+
+
+Startup = Struct(
+    "len" / Default(Int32sb, lambda this: _startup_payload_len(this) + 8),
+    "proto" / Default(Hex(Int32sb), _default_protocol),
+    "payload" / FixedSized(this.len - 8, Default(_startup_payload, b"")),
+)
+
+# Pq3
+
+# Adapted from construct.core.EnumIntegerString
+class EnumNamedByte:
+    def __init__(self, val, name):
+        self._val = val
+        self._name = name
+
+    def __int__(self):
+        return ord(self._val)
+
+    def __str__(self):
+        return "(enum) %s %r" % (self._name, self._val)
+
+    def __repr__(self):
+        return "EnumNamedByte(%r)" % self._val
+
+    def __eq__(self, other):
+        if isinstance(other, EnumNamedByte):
+            other = other._val
+        if not isinstance(other, bytes):
+            return NotImplemented
+
+        return self._val == other
+
+    def __hash__(self):
+        return hash(self._val)
+
+
+# Adapted from construct.core.Enum
+class ByteEnum(Adapter):
+    def __init__(self, **mapping):
+        super(ByteEnum, self).__init__(Byte)
+        self.namemapping = {k: EnumNamedByte(v, k) for k, v in mapping.items()}
+        self.decmapping = {v: EnumNamedByte(v, k) for k, v in mapping.items()}
+
+    def __getattr__(self, name):
+        if name in self.namemapping:
+            return self.decmapping[self.namemapping[name]]
+        raise AttributeError
+
+    def _decode(self, obj, context, path):
+        b = bytes([obj])
+        try:
+            return self.decmapping[b]
+        except KeyError:
+            return EnumNamedByte(b, "(unknown)")
+
+    def _encode(self, obj, context, path):
+        if isinstance(obj, int):
+            return obj
+        elif isinstance(obj, bytes):
+            return ord(obj)
+        return int(obj)
+
+
+types = ByteEnum(
+    ErrorResponse=b"E",
+    ReadyForQuery=b"Z",
+    Query=b"Q",
+    EmptyQueryResponse=b"I",
+    AuthnRequest=b"R",
+    PasswordMessage=b"p",
+    BackendKeyData=b"K",
+    CommandComplete=b"C",
+    ParameterStatus=b"S",
+    DataRow=b"D",
+    Terminate=b"X",
+)
+
+
+authn = Enum(
+    Int32ub,
+    OK=0,
+    SASL=10,
+    SASLContinue=11,
+    SASLFinal=12,
+)
+
+
+_authn_body = Switch(
+    this.type,
+    {
+        authn.OK: Terminated,
+        authn.SASL: StringList,
+    },
+    default=GreedyBytes,
+)
+
+
+def _data_len(this):
+    assert this._building, "_data_len() cannot be called during parsing"
+
+    if not hasattr(this, "data") or this.data is None:
+        return -1
+
+    return len(this.data)
+
+
+# The protocol reuses the PasswordMessage for several authentication response
+# types, and there's no good way to figure out which is which without keeping
+# state for the entire stream. So this is a separate Construct that can be
+# explicitly parsed/built by code that knows it's needed.
+SASLInitialResponse = Struct(
+    "name" / NullTerminated(GreedyBytes),
+    "len" / Default(Int32sb, lambda this: _data_len(this)),
+    "data"
+    / IfThenElse(
+        # Allow tests to explicitly pass an incorrect length during testing, by
+        # not enforcing a FixedSized during build. (The len calculation above
+        # defaults to the correct size.)
+        this._building,
+        Optional(GreedyBytes),
+        If(this.len != -1, Default(FixedSized(this.len, GreedyBytes), b"")),
+    ),
+    Terminated,  # make sure the entire response is consumed
+)
+
+
+_column = FocusedSeq(
+    "data",
+    "len" / Default(Int32sb, lambda this: _data_len(this)),
+    "data" / If(this.len != -1, FixedSized(this.len, GreedyBytes)),
+)
+
+
+_payload_map = {
+    types.ErrorResponse: Struct("fields" / StringList),
+    types.ReadyForQuery: Struct("status" / Bytes(1)),
+    types.Query: Struct("query" / NullTerminated(GreedyBytes)),
+    types.EmptyQueryResponse: Terminated,
+    types.AuthnRequest: Struct("type" / authn, "body" / Default(_authn_body, b"")),
+    types.BackendKeyData: Struct("pid" / Int32ub, "key" / Hex(Int32ub)),
+    types.CommandComplete: Struct("tag" / NullTerminated(GreedyBytes)),
+    types.ParameterStatus: Struct(
+        "name" / NullTerminated(GreedyBytes), "value" / NullTerminated(GreedyBytes)
+    ),
+    types.DataRow: Struct("columns" / Default(PrefixedArray(Int16sb, _column), b"")),
+    types.Terminate: Terminated,
+}
+
+
+_payload = FocusedSeq(
+    "_payload",
+    "_payload"
+    / Switch(
+        this._.type,
+        _payload_map,
+        default=GreedyBytes,
+    ),
+    Terminated,  # make sure every payload consumes the entire packet
+)
+
+
+def _payload_len(this):
+    """
+    See _startup_payload_len() for an explanation.
+    """
+    assert this._building, "_payload_len() cannot be called during parsing"
+
+    try:
+        payload = this.payload
+    except AttributeError:
+        return 0  # no payload
+
+    if isinstance(payload, bytes):
+        # already serialized; just use the given length
+        return len(payload)
+
+    data = _payload.build(payload, type=this.type)
+    return len(data)
+
+
+Pq3 = Struct(
+    "type" / types,
+    "len" / Default(Int32ub, lambda this: _payload_len(this) + 4),
+    "payload" / FixedSized(this.len - 4, Default(_payload, b"")),
+)
+
+
+# Environment
+
+
+def pghost():
+    return os.environ.get("PGHOST", default="localhost")
+
+
+def pgport():
+    return int(os.environ.get("PGPORT", default=5432))
+
+
+def pguser():
+    try:
+        return os.environ["PGUSER"]
+    except KeyError:
+        return getpass.getuser()
+
+
+def pgdatabase():
+    return os.environ.get("PGDATABASE", default="postgres")
+
+
+# Connections
+
+
+def _hexdump_translation_map():
+    """
+    For hexdumps. Translates any unprintable or non-ASCII bytes into '.'.
+    """
+    input = bytearray()
+
+    for i in range(128):
+        c = chr(i)
+
+        if not c.isprintable():
+            input += bytes([i])
+
+    input += bytes(range(128, 256))
+
+    return bytes.maketrans(input, b"." * len(input))
+
+
+class _DebugStream(object):
+    """
+    Wraps a file-like object and adds hexdumps of the read and write data. Call
+    end_packet() on a _DebugStream to write the accumulated hexdumps to the
+    output stream, along with the packet that was sent.
+    """
+
+    _translation_map = _hexdump_translation_map()
+
+    def __init__(self, stream, out=sys.stdout):
+        """
+        Creates a new _DebugStream wrapping the given stream (which must have
+        been created by wrap()). All attributes not provided by the _DebugStream
+        are delegated to the wrapped stream. out is the text stream to which
+        hexdumps are written.
+        """
+        self.raw = stream
+        self._out = out
+        self._rbuf = io.BytesIO()
+        self._wbuf = io.BytesIO()
+
+    def __getattr__(self, name):
+        return getattr(self.raw, name)
+
+    def __setattr__(self, name, value):
+        if name in ("raw", "_out", "_rbuf", "_wbuf"):
+            return object.__setattr__(self, name, value)
+
+        setattr(self.raw, name, value)
+
+    def read(self, *args, **kwargs):
+        buf = self.raw.read(*args, **kwargs)
+
+        self._rbuf.write(buf)
+        return buf
+
+    def write(self, b):
+        self._wbuf.write(b)
+        return self.raw.write(b)
+
+    def recv(self, *args):
+        buf = self.raw.recv(*args)
+
+        self._rbuf.write(buf)
+        return buf
+
+    def _flush(self, buf, prefix):
+        width = 16
+        hexwidth = width * 3 - 1
+
+        count = 0
+        buf.seek(0)
+
+        while True:
+            line = buf.read(16)
+
+            if not line:
+                if count:
+                    self._out.write("\n")  # separate the output block with a newline
+                return
+
+            self._out.write("%s %04X:\t" % (prefix, count))
+            self._out.write("%*s\t" % (-hexwidth, line.hex(" ")))
+            self._out.write(line.translate(self._translation_map).decode("ascii"))
+            self._out.write("\n")
+
+            count += 16
+
+    def print_debug(self, obj, *, prefix=""):
+        contents = ""
+        if obj is not None:
+            contents = str(obj)
+
+        for line in contents.splitlines():
+            self._out.write("%s%s\n" % (prefix, line))
+
+        self._out.write("\n")
+
+    def flush_debug(self, *, prefix=""):
+        self._flush(self._rbuf, prefix + "<")
+        self._rbuf = io.BytesIO()
+
+        self._flush(self._wbuf, prefix + ">")
+        self._wbuf = io.BytesIO()
+
+    def end_packet(self, pkt, *, read=False, prefix="", indent="  "):
+        """
+        Marks the end of a logical "packet" of data. A string representation of
+        pkt will be printed, and the debug buffers will be flushed with an
+        indent. All lines can be optionally prefixed.
+
+        If read is True, the packet representation is written after the debug
+        buffers; otherwise the default of False (meaning write) causes the
+        packet representation to be dumped first. This is meant to capture the
+        logical flow of layer translation.
+        """
+        write = not read
+
+        if write:
+            self.print_debug(pkt, prefix=prefix + "> ")
+
+        self.flush_debug(prefix=prefix + indent)
+
+        if read:
+            self.print_debug(pkt, prefix=prefix + "< ")
+
+
+@contextlib.contextmanager
+def wrap(socket, *, debug_stream=None):
+    """
+    Transforms a raw socket into a connection that can be used for Construct
+    building and parsing. The return value is a context manager and can be used
+    in a with statement.
+    """
+    # It is critical that buffering be disabled here, so that we can still
+    # manipulate the raw socket without desyncing the stream.
+    with socket.makefile("rwb", buffering=0) as sfile:
+        # Expose the original socket's recv() on the SocketIO object we return.
+        def recv(self, *args):
+            return socket.recv(*args)
+
+        sfile.recv = recv.__get__(sfile)
+
+        conn = sfile
+        if debug_stream:
+            conn = _DebugStream(conn, debug_stream)
+
+        try:
+            yield conn
+        finally:
+            if debug_stream:
+                conn.flush_debug(prefix="? ")
+
+
+def _send(stream, cls, obj):
+    debugging = hasattr(stream, "flush_debug")
+    out = io.BytesIO()
+
+    # Ideally we would build directly to the passed stream, but because we need
+    # to reparse the generated output for the debugging case, build to an
+    # intermediate BytesIO and send it instead.
+    cls.build_stream(obj, out)
+    buf = out.getvalue()
+
+    stream.write(buf)
+    if debugging:
+        pkt = cls.parse(buf)
+        stream.end_packet(pkt)
+
+    stream.flush()
+
+
+def send(stream, packet_type, payload_data=None, **payloadkw):
+    """
+    Sends a packet on the given pq3 connection. type is the pq3.types member
+    that should be assigned to the packet. If payload_data is given, it will be
+    used as the packet payload; otherwise the key/value pairs in payloadkw will
+    be the payload contents.
+    """
+    data = payloadkw
+
+    if payload_data is not None:
+        if payloadkw:
+            raise ValueError(
+                "payload_data and payload keywords may not be used simultaneously"
+            )
+
+        data = payload_data
+
+    _send(stream, Pq3, dict(type=packet_type, payload=data))
+
+
+def send_startup(stream, proto=None, **kwargs):
+    """
+    Sends a startup packet on the given pq3 connection. In most cases you should
+    use the handshake functions instead, which will do this for you.
+
+    By default, a protocol version 3 packet will be sent. This can be overridden
+    with the proto parameter.
+    """
+    pkt = {}
+
+    if proto is not None:
+        pkt["proto"] = proto
+    if kwargs:
+        pkt["payload"] = kwargs
+
+    _send(stream, Startup, pkt)
+
+
+def recv1(stream, *, cls=Pq3):
+    """
+    Receives a single pq3 packet from the given stream and returns it.
+    """
+    resp = cls.parse_stream(stream)
+
+    debugging = hasattr(stream, "flush_debug")
+    if debugging:
+        stream.end_packet(resp, read=True)
+
+    return resp
+
+
+def handshake(stream, **kwargs):
+    """
+    Performs a libpq v3 startup handshake. kwargs should contain the key/value
+    parameters to send to the server in the startup packet.
+    """
+    # Send our startup parameters.
+    send_startup(stream, **kwargs)
+
+    # Receive and dump packets until the server indicates it's ready for our
+    # first query.
+    while True:
+        resp = recv1(stream)
+        if resp is None:
+            raise RuntimeError("server closed connection during handshake")
+
+        if resp.type == types.ReadyForQuery:
+            return
+        elif resp.type == types.ErrorResponse:
+            raise RuntimeError(
+                f"received error response from peer: {resp.payload.fields!r}"
+            )
+
+
+# TLS
+
+
+class _TLSStream(object):
+    """
+    A file-like object that performs TLS encryption/decryption on a wrapped
+    stream. Differs from ssl.SSLSocket in that we have full visibility and
+    control over the TLS layer.
+    """
+
+    def __init__(self, stream, context):
+        self._stream = stream
+        self._debugging = hasattr(stream, "flush_debug")
+
+        self._in = ssl.MemoryBIO()
+        self._out = ssl.MemoryBIO()
+        self._ssl = context.wrap_bio(self._in, self._out)
+
+    def handshake(self):
+        try:
+            self._pump(lambda: self._ssl.do_handshake())
+        finally:
+            self._flush_debug(prefix="? ")
+
+    def read(self, *args):
+        return self._pump(lambda: self._ssl.read(*args))
+
+    def write(self, *args):
+        return self._pump(lambda: self._ssl.write(*args))
+
+    def _decode(self, buf):
+        """
+        Attempts to decode a buffer of TLS data into a packet representation
+        that can be printed.
+
+        TODO: handle buffers (and record fragments) that don't align with packet
+        boundaries.
+        """
+        end = len(buf)
+        bio = io.BytesIO(buf)
+
+        ret = io.StringIO()
+
+        while bio.tell() < end:
+            record = tls.Plaintext.parse_stream(bio)
+
+            if ret.tell() > 0:
+                ret.write("\n")
+            ret.write("[Record] ")
+            ret.write(str(record))
+            ret.write("\n")
+
+            if record.type == tls.ContentType.handshake:
+                record_cls = tls.Handshake
+            else:
+                continue
+
+            innerlen = len(record.fragment)
+            inner = io.BytesIO(record.fragment)
+
+            while inner.tell() < innerlen:
+                msg = record_cls.parse_stream(inner)
+
+                indented = "[Message] " + str(msg)
+                indented = textwrap.indent(indented, "    ")
+
+                ret.write("\n")
+                ret.write(indented)
+                ret.write("\n")
+
+        return ret.getvalue()
+
+    def flush(self):
+        if not self._out.pending:
+            self._stream.flush()
+            return
+
+        buf = self._out.read()
+        self._stream.write(buf)
+
+        if self._debugging:
+            pkt = self._decode(buf)
+            self._stream.end_packet(pkt, prefix="  ")
+
+        self._stream.flush()
+
+    def _pump(self, operation):
+        while True:
+            try:
+                return operation()
+            except (ssl.SSLWantReadError, ssl.SSLWantWriteError) as e:
+                want = e
+            self._read_write(want)
+
+    def _recv(self, maxsize):
+        buf = self._stream.recv(4096)
+        if not buf:
+            self._in.write_eof()
+            return
+
+        self._in.write(buf)
+
+        if not self._debugging:
+            return
+
+        pkt = self._decode(buf)
+        self._stream.end_packet(pkt, read=True, prefix="  ")
+
+    def _read_write(self, want):
+        # XXX This needs work. So many corner cases yet to handle. For one,
+        # doing blocking writes in flush may lead to distributed deadlock if the
+        # peer is already blocking on its writes.
+
+        if isinstance(want, ssl.SSLWantWriteError):
+            assert self._out.pending, "SSL backend wants write without data"
+
+        self.flush()
+
+        if isinstance(want, ssl.SSLWantReadError):
+            self._recv(4096)
+
+    def _flush_debug(self, prefix):
+        if not self._debugging:
+            return
+
+        self._stream.flush_debug(prefix=prefix)
+
+
+@contextlib.contextmanager
+def tls_handshake(stream, context):
+    """
+    Performs a TLS handshake over the given stream (which must have been created
+    via a call to wrap()), and returns a new stream which transparently tunnels
+    data over the TLS connection.
+
+    If the passed stream has debugging enabled, the returned stream will also
+    have debugging, using the same output IO.
+    """
+    debugging = hasattr(stream, "flush_debug")
+
+    # Send our startup parameters.
+    send_startup(stream, proto=protocol(1234, 5679))
+
+    # Look at the SSL response.
+    resp = stream.read(1)
+    if debugging:
+        stream.flush_debug(prefix="  ")
+
+    if resp == b"N":
+        raise RuntimeError("server does not support SSLRequest")
+    if resp != b"S":
+        raise RuntimeError(f"unexpected response of type {resp!r} during TLS startup")
+
+    tls = _TLSStream(stream, context)
+    tls.handshake()
+
+    if debugging:
+        tls = _DebugStream(tls, stream._out)
+
+    try:
+        yield tls
+        # TODO: teardown/unwrap the connection?
+    finally:
+        if debugging:
+            tls.flush_debug(prefix="? ")
diff --git a/src/test/python/pytest.ini b/src/test/python/pytest.ini
new file mode 100644
index 0000000000..ab7a6e7fb9
--- /dev/null
+++ b/src/test/python/pytest.ini
@@ -0,0 +1,4 @@
+[pytest]
+
+markers =
+    slow: mark test as slow
diff --git a/src/test/python/requirements.txt b/src/test/python/requirements.txt
new file mode 100644
index 0000000000..32f105ea84
--- /dev/null
+++ b/src/test/python/requirements.txt
@@ -0,0 +1,7 @@
+black
+cryptography~=3.4.6
+construct~=2.10.61
+isort~=5.6
+psycopg2~=2.8.6
+pytest~=6.1
+pytest-asyncio~=0.14.0
diff --git a/src/test/python/server/__init__.py b/src/test/python/server/__init__.py
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/test/python/server/conftest.py b/src/test/python/server/conftest.py
new file mode 100644
index 0000000000..ba7342a453
--- /dev/null
+++ b/src/test/python/server/conftest.py
@@ -0,0 +1,45 @@
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+
+import contextlib
+import socket
+import sys
+
+import pytest
+
+import pq3
+
+
+@pytest.fixture
+def connect():
+    """
+    A factory fixture that, when called, returns a socket connected to a
+    Postgres server, wrapped in a pq3 connection. The calling test will be
+    skipped automatically if a server is not running at PGHOST:PGPORT, so it's
+    best to connect as soon as possible after the test case begins, to avoid
+    doing unnecessary work.
+    """
+    # Set up an ExitStack to handle safe cleanup of all of the moving pieces.
+    with contextlib.ExitStack() as stack:
+
+        def conn_factory():
+            addr = (pq3.pghost(), pq3.pgport())
+
+            try:
+                sock = socket.create_connection(addr, timeout=2)
+            except ConnectionError as e:
+                pytest.skip(f"unable to connect to {addr}: {e}")
+
+            # Have ExitStack close our socket.
+            stack.enter_context(sock)
+
+            # Wrap the connection in a pq3 layer and have ExitStack clean it up
+            # too.
+            wrap_ctx = pq3.wrap(sock, debug_stream=sys.stdout)
+            conn = stack.enter_context(wrap_ctx)
+
+            return conn
+
+        yield conn_factory
diff --git a/src/test/python/server/test_oauth.py b/src/test/python/server/test_oauth.py
new file mode 100644
index 0000000000..cb5ca7fa23
--- /dev/null
+++ b/src/test/python/server/test_oauth.py
@@ -0,0 +1,1012 @@
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+
+import base64
+import contextlib
+import json
+import os
+import pathlib
+import secrets
+import shlex
+import shutil
+import socket
+import struct
+from multiprocessing import shared_memory
+
+import psycopg2
+import pytest
+from psycopg2 import sql
+
+import pq3
+
+MAX_SASL_MESSAGE_LENGTH = 65535
+
+INVALID_AUTHORIZATION_ERRCODE = b"28000"
+PROTOCOL_VIOLATION_ERRCODE = b"08P01"
+FEATURE_NOT_SUPPORTED_ERRCODE = b"0A000"
+
+SHARED_MEM_NAME = "oauth-pytest"
+MAX_TOKEN_SIZE = 4096
+MAX_UINT16 = 2 ** 16 - 1
+
+
+def skip_if_no_postgres():
+    """
+    Used by the oauth_ctx fixture to skip this test module if no Postgres server
+    is running.
+
+    This logic is nearly duplicated with the conn fixture. Ideally oauth_ctx
+    would depend on that, but a module-scope fixture can't depend on a
+    test-scope fixture, and we haven't reached the rule of three yet.
+    """
+    addr = (pq3.pghost(), pq3.pgport())
+
+    try:
+        with socket.create_connection(addr, timeout=2):
+            pass
+    except ConnectionError as e:
+        pytest.skip(f"unable to connect to {addr}: {e}")
+
+
+@contextlib.contextmanager
+def prepend_file(path, lines):
+    """
+    A context manager that prepends a file on disk with the desired lines of
+    text. When the context manager is exited, the file will be restored to its
+    original contents.
+    """
+    # First make a backup of the original file.
+    bak = path + ".bak"
+    shutil.copy2(path, bak)
+
+    try:
+        # Write the new lines, followed by the original file content.
+        with open(path, "w") as new, open(bak, "r") as orig:
+            new.writelines(lines)
+            shutil.copyfileobj(orig, new)
+
+        # Return control to the calling code.
+        yield
+
+    finally:
+        # Put the backup back into place.
+        os.replace(bak, path)
+
+
+@pytest.fixture(scope="module")
+def oauth_ctx():
+    """
+    Creates a database and user that use the oauth auth method. The context
+    object contains the dbname and user attributes as strings to be used during
+    connection, as well as the issuer and scope that have been set in the HBA
+    configuration.
+
+    This fixture assumes that the standard PG* environment variables point to a
+    server running on a local machine, and that the PGUSER has rights to create
+    databases and roles.
+    """
+    skip_if_no_postgres()  # don't bother running these tests without a server
+
+    id = secrets.token_hex(4)
+
+    class Context:
+        dbname = "oauth_test_" + id
+
+        user = "oauth_user_" + id
+        map_user = "oauth_map_user_" + id
+        authz_user = "oauth_authz_user_" + id
+
+        issuer = "https://example.com/" + id
+        scope = "openid " + id
+
+    ctx = Context()
+    hba_lines = (
+        f'host {ctx.dbname} {ctx.map_user}   samehost oauth issuer="{ctx.issuer}" scope="{ctx.scope}" map=oauth\n',
+        f'host {ctx.dbname} {ctx.authz_user} samehost oauth issuer="{ctx.issuer}" scope="{ctx.scope}" trust_validator_authz=1\n',
+        f'host {ctx.dbname} all              samehost oauth issuer="{ctx.issuer}" scope="{ctx.scope}"\n',
+    )
+    ident_lines = (r"oauth /^(.*)@example\.com$ \1",)
+
+    conn = psycopg2.connect("")
+    conn.autocommit = True
+
+    with contextlib.closing(conn):
+        c = conn.cursor()
+
+        # Create our roles and database.
+        user = sql.Identifier(ctx.user)
+        map_user = sql.Identifier(ctx.map_user)
+        authz_user = sql.Identifier(ctx.authz_user)
+        dbname = sql.Identifier(ctx.dbname)
+
+        c.execute(sql.SQL("CREATE ROLE {} LOGIN;").format(user))
+        c.execute(sql.SQL("CREATE ROLE {} LOGIN;").format(map_user))
+        c.execute(sql.SQL("CREATE ROLE {} LOGIN;").format(authz_user))
+        c.execute(sql.SQL("CREATE DATABASE {};").format(dbname))
+
+        # Make this test script the server's oauth_validator.
+        path = pathlib.Path(__file__).parent / "validate_bearer.py"
+        path = str(path.absolute())
+
+        cmd = f"{shlex.quote(path)} {SHARED_MEM_NAME} <&%f"
+        c.execute("ALTER SYSTEM SET oauth_validator_command TO %s;", (cmd,))
+
+        # Replace pg_hba and pg_ident.
+        c.execute("SHOW hba_file;")
+        hba = c.fetchone()[0]
+
+        c.execute("SHOW ident_file;")
+        ident = c.fetchone()[0]
+
+        with prepend_file(hba, hba_lines), prepend_file(ident, ident_lines):
+            c.execute("SELECT pg_reload_conf();")
+
+            # Use the new database and user.
+            yield ctx
+
+        # Put things back the way they were.
+        c.execute("SELECT pg_reload_conf();")
+
+        c.execute("ALTER SYSTEM RESET oauth_validator_command;")
+        c.execute(sql.SQL("DROP DATABASE {};").format(dbname))
+        c.execute(sql.SQL("DROP ROLE {};").format(authz_user))
+        c.execute(sql.SQL("DROP ROLE {};").format(map_user))
+        c.execute(sql.SQL("DROP ROLE {};").format(user))
+
+
+@pytest.fixture()
+def conn(oauth_ctx, connect):
+    """
+    A convenience wrapper for connect(). The main purpose of this fixture is to
+    make sure oauth_ctx runs its setup code before the connection is made.
+    """
+    return connect()
+
+
+@pytest.fixture(scope="module", autouse=True)
+def authn_id_extension(oauth_ctx):
+    """
+    Performs a `CREATE EXTENSION authn_id` in the test database. This fixture is
+    autoused, so tests don't need to rely on it.
+    """
+    conn = psycopg2.connect(database=oauth_ctx.dbname)
+    conn.autocommit = True
+
+    with contextlib.closing(conn):
+        c = conn.cursor()
+        c.execute("CREATE EXTENSION authn_id;")
+
+
+@pytest.fixture(scope="session")
+def shared_mem():
+    """
+    Yields a shared memory segment that can be used for communication between
+    the bearer_token fixture and ./validate_bearer.py.
+    """
+    size = MAX_TOKEN_SIZE + 2  # two byte length prefix
+    mem = shared_memory.SharedMemory(SHARED_MEM_NAME, create=True, size=size)
+
+    try:
+        with contextlib.closing(mem):
+            yield mem
+    finally:
+        mem.unlink()
+
+
+@pytest.fixture()
+def bearer_token(shared_mem):
+    """
+    Returns a factory function that, when called, will store a Bearer token in
+    shared_mem. If token is None (the default), a new token will be generated
+    using secrets.token_urlsafe() and returned; otherwise the passed token will
+    be used as-is.
+
+    When token is None, the generated token size in bytes may be specified as an
+    argument; if unset, a small 16-byte token will be generated. The token size
+    may not exceed MAX_TOKEN_SIZE in any case.
+
+    The return value is the token, converted to a bytes object.
+
+    As a special case for testing failure modes, accept_any may be set to True.
+    This signals to the validator command that any bearer token should be
+    accepted. The returned token in this case may be used or discarded as needed
+    by the test.
+    """
+
+    def set_token(token=None, *, size=16, accept_any=False):
+        if token is not None:
+            size = len(token)
+
+        if size > MAX_TOKEN_SIZE:
+            raise ValueError(f"token size {size} exceeds maximum size {MAX_TOKEN_SIZE}")
+
+        if token is None:
+            if size % 4:
+                raise ValueError(f"requested token size {size} is not a multiple of 4")
+
+            token = secrets.token_urlsafe(size // 4 * 3)
+            assert len(token) == size
+
+        try:
+            token = token.encode("ascii")
+        except AttributeError:
+            pass  # already encoded
+
+        if accept_any:
+            # Two-byte magic value.
+            shared_mem.buf[:2] = struct.pack("H", MAX_UINT16)
+        else:
+            # Two-byte length prefix, then the token data.
+            shared_mem.buf[:2] = struct.pack("H", len(token))
+            shared_mem.buf[2 : size + 2] = token
+
+        return token
+
+    return set_token
+
+
+def begin_oauth_handshake(conn, oauth_ctx, *, user=None):
+    if user is None:
+        user = oauth_ctx.authz_user
+
+    pq3.send_startup(conn, user=user, database=oauth_ctx.dbname)
+
+    resp = pq3.recv1(conn)
+    assert resp.type == pq3.types.AuthnRequest
+
+    # The server should advertise exactly one mechanism.
+    assert resp.payload.type == pq3.authn.SASL
+    assert resp.payload.body == [b"OAUTHBEARER", b""]
+
+
+def send_initial_response(conn, *, auth=None, bearer=None):
+    """
+    Sends the OAUTHBEARER initial response on the connection, using the given
+    bearer token. Alternatively to a bearer token, the initial response's auth
+    field may be explicitly specified to test corner cases.
+    """
+    if bearer is not None and auth is not None:
+        raise ValueError("exactly one of the auth and bearer kwargs must be set")
+
+    if bearer is not None:
+        auth = b"Bearer " + bearer
+
+    if auth is None:
+        raise ValueError("exactly one of the auth and bearer kwargs must be set")
+
+    initial = pq3.SASLInitialResponse.build(
+        dict(
+            name=b"OAUTHBEARER",
+            data=b"n,,\x01auth=" + auth + b"\x01\x01",
+        )
+    )
+    pq3.send(conn, pq3.types.PasswordMessage, initial)
+
+
+def expect_handshake_success(conn):
+    """
+    Validates that the server responds with an AuthnOK message, and then drains
+    the connection until a ReadyForQuery message is received.
+    """
+    resp = pq3.recv1(conn)
+
+    assert resp.type == pq3.types.AuthnRequest
+    assert resp.payload.type == pq3.authn.OK
+    assert not resp.payload.body
+
+    receive_until(conn, pq3.types.ReadyForQuery)
+
+
+def expect_handshake_failure(conn, oauth_ctx):
+    """
+    Performs the OAUTHBEARER SASL failure "handshake" and validates the server's
+    side of the conversation, including the final ErrorResponse.
+    """
+
+    # We expect a discovery "challenge" back from the server before the authn
+    # failure message.
+    resp = pq3.recv1(conn)
+    assert resp.type == pq3.types.AuthnRequest
+
+    req = resp.payload
+    assert req.type == pq3.authn.SASLContinue
+
+    body = json.loads(req.body)
+    assert body["status"] == "invalid_token"
+    assert body["scope"] == oauth_ctx.scope
+
+    expected_config = oauth_ctx.issuer + "/.well-known/openid-configuration"
+    assert body["openid-configuration"] == expected_config
+
+    # Send the dummy response to complete the failed handshake.
+    pq3.send(conn, pq3.types.PasswordMessage, b"\x01")
+    resp = pq3.recv1(conn)
+
+    err = ExpectedError(INVALID_AUTHORIZATION_ERRCODE, "bearer authentication failed")
+    err.match(resp)
+
+
+def receive_until(conn, type):
+    """
+    receive_until pulls packets off the pq3 connection until a packet with the
+    desired type is found, or an error response is received.
+    """
+    while True:
+        pkt = pq3.recv1(conn)
+
+        if pkt.type == type:
+            return pkt
+        elif pkt.type == pq3.types.ErrorResponse:
+            raise RuntimeError(
+                f"received error response from peer: {pkt.payload.fields!r}"
+            )
+
+
+@pytest.mark.parametrize("token_len", [16, 1024, 4096])
+@pytest.mark.parametrize(
+    "auth_prefix",
+    [
+        b"Bearer ",
+        b"bearer ",
+        b"Bearer    ",
+    ],
+)
+def test_oauth(conn, oauth_ctx, bearer_token, auth_prefix, token_len):
+    begin_oauth_handshake(conn, oauth_ctx)
+
+    # Generate our bearer token with the desired length.
+    token = bearer_token(size=token_len)
+    auth = auth_prefix + token
+
+    send_initial_response(conn, auth=auth)
+    expect_handshake_success(conn)
+
+    # Make sure that the server has not set an authenticated ID.
+    pq3.send(conn, pq3.types.Query, query=b"SELECT authn_id();")
+    resp = receive_until(conn, pq3.types.DataRow)
+
+    row = resp.payload
+    assert row.columns == [None]
+
+
+@pytest.mark.parametrize(
+    "token_value",
+    [
+        "abcdzA==",
+        "123456M=",
+        "x-._~+/x",
+    ],
+)
+def test_oauth_bearer_corner_cases(conn, oauth_ctx, bearer_token, token_value):
+    begin_oauth_handshake(conn, oauth_ctx)
+
+    send_initial_response(conn, bearer=bearer_token(token_value))
+
+    expect_handshake_success(conn)
+
+
+@pytest.mark.parametrize(
+    "user,authn_id,should_succeed",
+    [
+        pytest.param(
+            lambda ctx: ctx.user,
+            lambda ctx: ctx.user,
+            True,
+            id="validator authn: succeeds when authn_id == username",
+        ),
+        pytest.param(
+            lambda ctx: ctx.user,
+            lambda ctx: None,
+            False,
+            id="validator authn: fails when authn_id is not set",
+        ),
+        pytest.param(
+            lambda ctx: ctx.user,
+            lambda ctx: ctx.authz_user,
+            False,
+            id="validator authn: fails when authn_id != username",
+        ),
+        pytest.param(
+            lambda ctx: ctx.map_user,
+            lambda ctx: ctx.map_user + "@example.com",
+            True,
+            id="validator with map: succeeds when authn_id matches map",
+        ),
+        pytest.param(
+            lambda ctx: ctx.map_user,
+            lambda ctx: None,
+            False,
+            id="validator with map: fails when authn_id is not set",
+        ),
+        pytest.param(
+            lambda ctx: ctx.map_user,
+            lambda ctx: ctx.map_user + "@example.net",
+            False,
+            id="validator with map: fails when authn_id doesn't match map",
+        ),
+        pytest.param(
+            lambda ctx: ctx.authz_user,
+            lambda ctx: None,
+            True,
+            id="validator authz: succeeds with no authn_id",
+        ),
+        pytest.param(
+            lambda ctx: ctx.authz_user,
+            lambda ctx: "",
+            True,
+            id="validator authz: succeeds with empty authn_id",
+        ),
+        pytest.param(
+            lambda ctx: ctx.authz_user,
+            lambda ctx: "postgres",
+            True,
+            id="validator authz: succeeds with basic username",
+        ),
+        pytest.param(
+            lambda ctx: ctx.authz_user,
+            lambda ctx: "me@example.com",
+            True,
+            id="validator authz: succeeds with email address",
+        ),
+    ],
+)
+def test_oauth_authn_id(conn, oauth_ctx, bearer_token, user, authn_id, should_succeed):
+    token = None
+
+    authn_id = authn_id(oauth_ctx)
+    if authn_id is not None:
+        authn_id = authn_id.encode("ascii")
+
+        # As a hack to get the validator to reflect arbitrary output from this
+        # test, encode the desired output as a base64 token. The validator will
+        # key on the leading "output=" to differentiate this from the random
+        # tokens generated by secrets.token_urlsafe().
+        output = b"output=" + authn_id + b"\n"
+        token = base64.urlsafe_b64encode(output)
+
+    token = bearer_token(token)
+    username = user(oauth_ctx)
+
+    begin_oauth_handshake(conn, oauth_ctx, user=username)
+    send_initial_response(conn, bearer=token)
+
+    if not should_succeed:
+        expect_handshake_failure(conn, oauth_ctx)
+        return
+
+    expect_handshake_success(conn)
+
+    # Check the reported authn_id.
+    pq3.send(conn, pq3.types.Query, query=b"SELECT authn_id();")
+    resp = receive_until(conn, pq3.types.DataRow)
+
+    row = resp.payload
+    assert row.columns == [authn_id]
+
+
+class ExpectedError(object):
+    def __init__(self, code, msg=None, detail=None):
+        self.code = code
+        self.msg = msg
+        self.detail = detail
+
+        # Protect against the footgun of an accidental empty string, which will
+        # "match" anything. If you don't want to match message or detail, just
+        # don't pass them.
+        if self.msg == "":
+            raise ValueError("msg must be non-empty or None")
+        if self.detail == "":
+            raise ValueError("detail must be non-empty or None")
+
+    def _getfield(self, resp, type):
+        """
+        Searches an ErrorResponse for a single field of the given type (e.g.
+        "M", "C", "D") and returns its value. Asserts if it doesn't find exactly
+        one field.
+        """
+        prefix = type.encode("ascii")
+        fields = [f for f in resp.payload.fields if f.startswith(prefix)]
+
+        assert len(fields) == 1
+        return fields[0][1:]  # strip off the type byte
+
+    def match(self, resp):
+        """
+        Checks that the given response matches the expected code, message, and
+        detail (if given). The error code must match exactly. The expected
+        message and detail must be contained within the actual strings.
+        """
+        assert resp.type == pq3.types.ErrorResponse
+
+        code = self._getfield(resp, "C")
+        assert code == self.code
+
+        if self.msg:
+            msg = self._getfield(resp, "M")
+            expected = self.msg.encode("utf-8")
+            assert expected in msg
+
+        if self.detail:
+            detail = self._getfield(resp, "D")
+            expected = self.detail.encode("utf-8")
+            assert expected in detail
+
+
+def test_oauth_rejected_bearer(conn, oauth_ctx, bearer_token):
+    # Generate a new bearer token, which we will proceed not to use.
+    _ = bearer_token()
+
+    begin_oauth_handshake(conn, oauth_ctx)
+
+    # Send a bearer token that doesn't match what the validator expects. It
+    # should fail the connection.
+    send_initial_response(conn, bearer=b"xxxxxx")
+
+    expect_handshake_failure(conn, oauth_ctx)
+
+
+@pytest.mark.parametrize(
+    "bad_bearer",
+    [
+        b"Bearer    ",
+        b"Bearer a===b",
+        b"Bearer hello!",
+        b"Bearer me@example.com",
+        b'OAuth realm="Example"',
+        b"",
+    ],
+)
+def test_oauth_invalid_bearer(conn, oauth_ctx, bearer_token, bad_bearer):
+    # Tell the validator to accept any token. This ensures that the invalid
+    # bearer tokens are rejected before the validation step.
+    _ = bearer_token(accept_any=True)
+
+    begin_oauth_handshake(conn, oauth_ctx)
+    send_initial_response(conn, auth=bad_bearer)
+
+    expect_handshake_failure(conn, oauth_ctx)
+
+
+@pytest.mark.slow
+@pytest.mark.parametrize(
+    "resp_type,resp,err",
+    [
+        pytest.param(
+            None,
+            None,
+            None,
+            marks=pytest.mark.slow,
+            id="no response (expect timeout)",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            b"hello",
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "did not send a kvsep response",
+            ),
+            id="bad dummy response",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            b"\x01\x01",
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "did not send a kvsep response",
+            ),
+            id="multiple kvseps",
+        ),
+        pytest.param(
+            pq3.types.Query,
+            dict(query=b""),
+            ExpectedError(PROTOCOL_VIOLATION_ERRCODE, "expected SASL response"),
+            id="bad response message type",
+        ),
+    ],
+)
+def test_oauth_bad_response_to_error_challenge(conn, oauth_ctx, resp_type, resp, err):
+    begin_oauth_handshake(conn, oauth_ctx)
+
+    # Send an empty auth initial response, which will force an authn failure.
+    send_initial_response(conn, auth=b"")
+
+    # We expect a discovery "challenge" back from the server before the authn
+    # failure message.
+    pkt = pq3.recv1(conn)
+    assert pkt.type == pq3.types.AuthnRequest
+
+    req = pkt.payload
+    assert req.type == pq3.authn.SASLContinue
+
+    body = json.loads(req.body)
+    assert body["status"] == "invalid_token"
+
+    if resp_type is None:
+        # Do not send the dummy response. We should time out and not get a
+        # response from the server.
+        with pytest.raises(socket.timeout):
+            conn.read(1)
+
+        # Done with the test.
+        return
+
+    # Send the bad response.
+    pq3.send(conn, resp_type, resp)
+
+    # Make sure the server fails the connection correctly.
+    pkt = pq3.recv1(conn)
+    err.match(pkt)
+
+
+@pytest.mark.parametrize(
+    "type,payload,err",
+    [
+        pytest.param(
+            pq3.types.ErrorResponse,
+            dict(fields=[b""]),
+            ExpectedError(PROTOCOL_VIOLATION_ERRCODE, "expected SASL response"),
+            id="error response in initial message",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            b"x" * (MAX_SASL_MESSAGE_LENGTH + 1),
+            ExpectedError(
+                INVALID_AUTHORIZATION_ERRCODE, "bearer authentication failed"
+            ),
+            id="overlong initial response data",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"SCRAM-SHA-256")),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE, "invalid SASL authentication mechanism"
+            ),
+            id="bad SASL mechanism selection",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER", len=2, data=b"x")),
+            ExpectedError(PROTOCOL_VIOLATION_ERRCODE, "insufficient data"),
+            id="SASL data underflow",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER", len=0, data=b"x")),
+            ExpectedError(PROTOCOL_VIOLATION_ERRCODE, "invalid message format"),
+            id="SASL data overflow",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER", data=b"")),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "message is empty",
+            ),
+            id="empty",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(
+                dict(name=b"OAUTHBEARER", data=b"n,,\x01auth=\x01\x01\0")
+            ),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "length does not match input length",
+            ),
+            id="contains null byte",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER", data=b"\x01")),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "Unexpected channel-binding flag",  # XXX this is a bit strange
+            ),
+            id="initial error response",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(
+                dict(name=b"OAUTHBEARER", data=b"p=tls-server-end-point,,\x01")
+            ),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "server does not support channel binding",
+            ),
+            id="uses channel binding",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER", data=b"x,,\x01")),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "Unexpected channel-binding flag",
+            ),
+            id="invalid channel binding specifier",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER", data=b"y")),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "Comma expected",
+            ),
+            id="bad GS2 header: missing channel binding terminator",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER", data=b"y,a")),
+            ExpectedError(
+                FEATURE_NOT_SUPPORTED_ERRCODE,
+                "client uses authorization identity",
+            ),
+            id="bad GS2 header: authzid in use",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER", data=b"y,b,")),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "Unexpected attribute",
+            ),
+            id="bad GS2 header: extra attribute",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER", data=b"y,")),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "Unexpected attribute 0x00",  # XXX this is a bit strange
+            ),
+            id="bad GS2 header: missing authzid terminator",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER", data=b"y,,")),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "Key-value separator expected",
+            ),
+            id="missing initial kvsep",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER", data=b"y,,")),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "Key-value separator expected",
+            ),
+            id="missing initial kvsep",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(
+                dict(name=b"OAUTHBEARER", data=b"y,,\x01\x01")
+            ),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "does not contain an auth value",
+            ),
+            id="missing auth value: empty key-value list",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(
+                dict(name=b"OAUTHBEARER", data=b"y,,\x01host=example.com\x01\x01")
+            ),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "does not contain an auth value",
+            ),
+            id="missing auth value: other keys present",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(
+                dict(name=b"OAUTHBEARER", data=b"y,,\x01host=example.com")
+            ),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "unterminated key/value pair",
+            ),
+            id="missing value terminator",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER", data=b"y,,\x01")),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "did not contain a final terminator",
+            ),
+            id="missing list terminator: empty list",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(
+                dict(name=b"OAUTHBEARER", data=b"y,,\x01auth=Bearer 0\x01")
+            ),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "did not contain a final terminator",
+            ),
+            id="missing list terminator: with auth value",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(
+                dict(name=b"OAUTHBEARER", data=b"y,,\x01auth=Bearer 0\x01\x01blah")
+            ),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "additional data after the final terminator",
+            ),
+            id="additional key after terminator",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(
+                dict(name=b"OAUTHBEARER", data=b"y,,\x01key\x01\x01")
+            ),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "key without a value",
+            ),
+            id="key without value",
+        ),
+        pytest.param(
+            pq3.types.PasswordMessage,
+            pq3.SASLInitialResponse.build(
+                dict(
+                    name=b"OAUTHBEARER",
+                    data=b"y,,\x01auth=Bearer 0\x01auth=Bearer 1\x01\x01",
+                )
+            ),
+            ExpectedError(
+                PROTOCOL_VIOLATION_ERRCODE,
+                "malformed OAUTHBEARER message",
+                "contains multiple auth values",
+            ),
+            id="multiple auth values",
+        ),
+    ],
+)
+def test_oauth_bad_initial_response(conn, oauth_ctx, type, payload, err):
+    begin_oauth_handshake(conn, oauth_ctx)
+
+    # The server expects a SASL response; give it something else instead.
+    if not isinstance(payload, dict):
+        payload = dict(payload_data=payload)
+    pq3.send(conn, type, **payload)
+
+    resp = pq3.recv1(conn)
+    err.match(resp)
+
+
+def test_oauth_empty_initial_response(conn, oauth_ctx, bearer_token):
+    begin_oauth_handshake(conn, oauth_ctx)
+
+    # Send an initial response without data.
+    initial = pq3.SASLInitialResponse.build(dict(name=b"OAUTHBEARER"))
+    pq3.send(conn, pq3.types.PasswordMessage, initial)
+
+    # The server should respond with an empty challenge so we can send the data
+    # it wants.
+    pkt = pq3.recv1(conn)
+
+    assert pkt.type == pq3.types.AuthnRequest
+    assert pkt.payload.type == pq3.authn.SASLContinue
+    assert not pkt.payload.body
+
+    # Now send the initial data.
+    data = b"n,,\x01auth=Bearer " + bearer_token() + b"\x01\x01"
+    pq3.send(conn, pq3.types.PasswordMessage, data)
+
+    # Server should now complete the handshake.
+    expect_handshake_success(conn)
+
+
+@pytest.fixture()
+def set_validator():
+    """
+    A per-test fixture that allows a test to override the setting of
+    oauth_validator_command for the cluster. The setting will be reverted during
+    teardown.
+
+    Passing None will perform an ALTER SYSTEM RESET.
+    """
+    conn = psycopg2.connect("")
+    conn.autocommit = True
+
+    with contextlib.closing(conn):
+        c = conn.cursor()
+
+        # Save the previous value.
+        c.execute("SHOW oauth_validator_command;")
+        prev_cmd = c.fetchone()[0]
+
+        def setter(cmd):
+            c.execute("ALTER SYSTEM SET oauth_validator_command TO %s;", (cmd,))
+            c.execute("SELECT pg_reload_conf();")
+
+        yield setter
+
+        # Restore the previous value.
+        c.execute("ALTER SYSTEM SET oauth_validator_command TO %s;", (prev_cmd,))
+        c.execute("SELECT pg_reload_conf();")
+
+
+def test_oauth_no_validator(oauth_ctx, set_validator, connect, bearer_token):
+    # Clear out our validator command, then establish a new connection.
+    set_validator("")
+    conn = connect()
+
+    begin_oauth_handshake(conn, oauth_ctx)
+    send_initial_response(conn, bearer=bearer_token())
+
+    # The server should fail the connection.
+    expect_handshake_failure(conn, oauth_ctx)
+
+
+def test_oauth_validator_role(oauth_ctx, set_validator, connect):
+    # Switch the validator implementation. This validator will reflect the
+    # PGUSER as the authenticated identity.
+    path = pathlib.Path(__file__).parent / "validate_reflect.py"
+    path = str(path.absolute())
+
+    set_validator(f"{shlex.quote(path)} '%r' <&%f")
+    conn = connect()
+
+    # Log in. Note that the reflection validator ignores the bearer token.
+    begin_oauth_handshake(conn, oauth_ctx, user=oauth_ctx.user)
+    send_initial_response(conn, bearer=b"dontcare")
+    expect_handshake_success(conn)
+
+    # Check the user identity.
+    pq3.send(conn, pq3.types.Query, query=b"SELECT authn_id();")
+    resp = receive_until(conn, pq3.types.DataRow)
+
+    row = resp.payload
+    expected = oauth_ctx.user.encode("utf-8")
+    assert row.columns == [expected]
+
+
+def test_oauth_role_with_shell_unsafe_characters(oauth_ctx, set_validator, connect):
+    """
+    XXX This test pins undesirable behavior. We should be able to handle any
+    valid Postgres role name.
+    """
+    # Switch the validator implementation. This validator will reflect the
+    # PGUSER as the authenticated identity.
+    path = pathlib.Path(__file__).parent / "validate_reflect.py"
+    path = str(path.absolute())
+
+    set_validator(f"{shlex.quote(path)} '%r' <&%f")
+    conn = connect()
+
+    unsafe_username = "hello'there"
+    begin_oauth_handshake(conn, oauth_ctx, user=unsafe_username)
+
+    # The server should reject the handshake.
+    send_initial_response(conn, bearer=b"dontcare")
+    expect_handshake_failure(conn, oauth_ctx)
diff --git a/src/test/python/server/test_server.py b/src/test/python/server/test_server.py
new file mode 100644
index 0000000000..02126dba79
--- /dev/null
+++ b/src/test/python/server/test_server.py
@@ -0,0 +1,21 @@
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+
+import pq3
+
+
+def test_handshake(connect):
+    """Basic sanity check."""
+    conn = connect()
+
+    pq3.handshake(conn, user=pq3.pguser(), database=pq3.pgdatabase())
+
+    pq3.send(conn, pq3.types.Query, query=b"")
+
+    resp = pq3.recv1(conn)
+    assert resp.type == pq3.types.EmptyQueryResponse
+
+    resp = pq3.recv1(conn)
+    assert resp.type == pq3.types.ReadyForQuery
diff --git a/src/test/python/server/validate_bearer.py b/src/test/python/server/validate_bearer.py
new file mode 100755
index 0000000000..2cc73ff154
--- /dev/null
+++ b/src/test/python/server/validate_bearer.py
@@ -0,0 +1,101 @@
+#! /usr/bin/env python3
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+# DO NOT USE THIS OAUTH VALIDATOR IN PRODUCTION. It doesn't actually validate
+# anything, and it logs the bearer token data, which is sensitive.
+#
+# This executable is used as an oauth_validator_command in concert with
+# test_oauth.py. Memory is shared and communicated from that test module's
+# bearer_token() fixture.
+#
+# This script must run under the Postgres server environment; keep the
+# dependency list fairly standard.
+
+import base64
+import binascii
+import contextlib
+import struct
+import sys
+from multiprocessing import shared_memory
+
+MAX_UINT16 = 2 ** 16 - 1
+
+
+def remove_shm_from_resource_tracker():
+    """
+    Monkey-patch multiprocessing.resource_tracker so SharedMemory won't be
+    tracked. Pulled from this thread, where there are more details:
+
+        https://bugs.python.org/issue38119
+
+    TL;DR: all clients of shared memory segments automatically destroy them on
+    process exit, which makes shared memory segments much less useful. This
+    monkeypatch removes that behavior so that we can defer to the test to manage
+    the segment lifetime.
+
+    Ideally a future Python patch will pull in this fix and then the entire
+    function can go away.
+    """
+    from multiprocessing import resource_tracker
+
+    def fix_register(name, rtype):
+        if rtype == "shared_memory":
+            return
+        return resource_tracker._resource_tracker.register(self, name, rtype)
+
+    resource_tracker.register = fix_register
+
+    def fix_unregister(name, rtype):
+        if rtype == "shared_memory":
+            return
+        return resource_tracker._resource_tracker.unregister(self, name, rtype)
+
+    resource_tracker.unregister = fix_unregister
+
+    if "shared_memory" in resource_tracker._CLEANUP_FUNCS:
+        del resource_tracker._CLEANUP_FUNCS["shared_memory"]
+
+
+def main(args):
+    remove_shm_from_resource_tracker()  # XXX remove some day
+
+    # Get the expected token from the currently running test.
+    shared_mem_name = args[0]
+
+    mem = shared_memory.SharedMemory(shared_mem_name)
+    with contextlib.closing(mem):
+        # First two bytes are the token length.
+        size = struct.unpack("H", mem.buf[:2])[0]
+
+        if size == MAX_UINT16:
+            # Special case: the test wants us to accept any token.
+            sys.stderr.write("accepting token without validation\n")
+            return
+
+        # The remainder of the buffer contains the expected token.
+        assert size <= (mem.size - 2)
+        expected_token = mem.buf[2 : size + 2].tobytes()
+
+        mem.buf[:] = b"\0" * mem.size  # scribble over the token
+
+    token = sys.stdin.buffer.read()
+    if token != expected_token:
+        sys.exit(f"failed to match Bearer token ({token!r} != {expected_token!r})")
+
+    # See if the test wants us to print anything. If so, it will have encoded
+    # the desired output in the token with an "output=" prefix.
+    try:
+        # altchars="-_" corresponds to the urlsafe alphabet.
+        data = base64.b64decode(token, altchars="-_", validate=True)
+
+        if data.startswith(b"output="):
+            sys.stdout.buffer.write(data[7:])
+
+    except binascii.Error:
+        pass
+
+
+if __name__ == "__main__":
+    main(sys.argv[1:])
diff --git a/src/test/python/server/validate_reflect.py b/src/test/python/server/validate_reflect.py
new file mode 100755
index 0000000000..24c3a7e715
--- /dev/null
+++ b/src/test/python/server/validate_reflect.py
@@ -0,0 +1,34 @@
+#! /usr/bin/env python3
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+# DO NOT USE THIS OAUTH VALIDATOR IN PRODUCTION. It ignores the bearer token
+# entirely and automatically logs the user in.
+#
+# This executable is used as an oauth_validator_command in concert with
+# test_oauth.py. It expects the user's desired role name as an argument; the
+# actual token will be discarded and the user will be logged in with the role
+# name as the authenticated identity.
+#
+# This script must run under the Postgres server environment; keep the
+# dependency list fairly standard.
+
+import sys
+
+
+def main(args):
+    # We have to read the entire token as our first action to unblock the
+    # server, but we won't actually use it.
+    _ = sys.stdin.buffer.read()
+
+    if len(args) != 1:
+        sys.exit("usage: ./validate_reflect.py ROLE")
+
+    # Log the user in as the provided role.
+    role = args[0]
+    print(role)
+
+
+if __name__ == "__main__":
+    main(sys.argv[1:])
diff --git a/src/test/python/test_internals.py b/src/test/python/test_internals.py
new file mode 100644
index 0000000000..dee4855fc0
--- /dev/null
+++ b/src/test/python/test_internals.py
@@ -0,0 +1,138 @@
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+
+import io
+
+from pq3 import _DebugStream
+
+
+def test_DebugStream_read():
+    under = io.BytesIO(b"abcdefghijklmnopqrstuvwxyz")
+    out = io.StringIO()
+
+    stream = _DebugStream(under, out)
+
+    res = stream.read(5)
+    assert res == b"abcde"
+
+    res = stream.read(16)
+    assert res == b"fghijklmnopqrstu"
+
+    stream.flush_debug()
+
+    res = stream.read()
+    assert res == b"vwxyz"
+
+    stream.flush_debug()
+
+    expected = (
+        "< 0000:\t61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70\tabcdefghijklmnop\n"
+        "< 0010:\t71 72 73 74 75                                 \tqrstu\n"
+        "\n"
+        "< 0000:\t76 77 78 79 7a                                 \tvwxyz\n"
+        "\n"
+    )
+    assert out.getvalue() == expected
+
+
+def test_DebugStream_write():
+    under = io.BytesIO()
+    out = io.StringIO()
+
+    stream = _DebugStream(under, out)
+
+    stream.write(b"\x00\x01\x02")
+    stream.flush()
+
+    assert under.getvalue() == b"\x00\x01\x02"
+
+    stream.write(b"\xc0\xc1\xc2")
+    stream.flush()
+
+    assert under.getvalue() == b"\x00\x01\x02\xc0\xc1\xc2"
+
+    stream.flush_debug()
+
+    expected = "> 0000:\t00 01 02 c0 c1 c2                              \t......\n\n"
+    assert out.getvalue() == expected
+
+
+def test_DebugStream_read_write():
+    under = io.BytesIO(b"abcdefghijklmnopqrstuvwxyz")
+    out = io.StringIO()
+    stream = _DebugStream(under, out)
+
+    res = stream.read(5)
+    assert res == b"abcde"
+
+    stream.write(b"xxxxx")
+    stream.flush()
+
+    assert under.getvalue() == b"abcdexxxxxklmnopqrstuvwxyz"
+
+    res = stream.read(5)
+    assert res == b"klmno"
+
+    stream.write(b"xxxxx")
+    stream.flush()
+
+    assert under.getvalue() == b"abcdexxxxxklmnoxxxxxuvwxyz"
+
+    stream.flush_debug()
+
+    expected = (
+        "< 0000:\t61 62 63 64 65 6b 6c 6d 6e 6f                  \tabcdeklmno\n"
+        "\n"
+        "> 0000:\t78 78 78 78 78 78 78 78 78 78                  \txxxxxxxxxx\n"
+        "\n"
+    )
+    assert out.getvalue() == expected
+
+
+def test_DebugStream_end_packet():
+    under = io.BytesIO(b"abcdefghijklmnopqrstuvwxyz")
+    out = io.StringIO()
+    stream = _DebugStream(under, out)
+
+    stream.read(5)
+    stream.end_packet("read description", read=True, indent=" ")
+
+    stream.write(b"xxxxx")
+    stream.flush()
+    stream.end_packet("write description", indent=" ")
+
+    stream.read(5)
+    stream.write(b"xxxxx")
+    stream.flush()
+    stream.end_packet("read/write combo for read", read=True, indent=" ")
+
+    stream.read(5)
+    stream.write(b"xxxxx")
+    stream.flush()
+    stream.end_packet("read/write combo for write", indent=" ")
+
+    expected = (
+        " < 0000:\t61 62 63 64 65                                 \tabcde\n"
+        "\n"
+        "< read description\n"
+        "\n"
+        "> write description\n"
+        "\n"
+        " > 0000:\t78 78 78 78 78                                 \txxxxx\n"
+        "\n"
+        " < 0000:\t6b 6c 6d 6e 6f                                 \tklmno\n"
+        "\n"
+        " > 0000:\t78 78 78 78 78                                 \txxxxx\n"
+        "\n"
+        "< read/write combo for read\n"
+        "\n"
+        "> read/write combo for write\n"
+        "\n"
+        " < 0000:\t75 76 77 78 79                                 \tuvwxy\n"
+        "\n"
+        " > 0000:\t78 78 78 78 78                                 \txxxxx\n"
+        "\n"
+    )
+    assert out.getvalue() == expected
diff --git a/src/test/python/test_pq3.py b/src/test/python/test_pq3.py
new file mode 100644
index 0000000000..e0c0e0568d
--- /dev/null
+++ b/src/test/python/test_pq3.py
@@ -0,0 +1,558 @@
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+
+import contextlib
+import getpass
+import io
+import struct
+import sys
+
+import pytest
+from construct import Container, PaddingError, StreamError, TerminatedError
+
+import pq3
+
+
+@pytest.mark.parametrize(
+    "raw,expected,extra",
+    [
+        pytest.param(
+            b"\x00\x00\x00\x10\x00\x04\x00\x00abcdefgh",
+            Container(len=16, proto=0x40000, payload=b"abcdefgh"),
+            b"",
+            id="8-byte payload",
+        ),
+        pytest.param(
+            b"\x00\x00\x00\x08\x00\x04\x00\x00",
+            Container(len=8, proto=0x40000, payload=b""),
+            b"",
+            id="no payload",
+        ),
+        pytest.param(
+            b"\x00\x00\x00\x09\x00\x04\x00\x00abcde",
+            Container(len=9, proto=0x40000, payload=b"a"),
+            b"bcde",
+            id="1-byte payload and extra padding",
+        ),
+        pytest.param(
+            b"\x00\x00\x00\x0B\x00\x03\x00\x00hi\x00",
+            Container(len=11, proto=pq3.protocol(3, 0), payload=[b"hi"]),
+            b"",
+            id="implied parameter list when using proto version 3.0",
+        ),
+    ],
+)
+def test_Startup_parse(raw, expected, extra):
+    with io.BytesIO(raw) as stream:
+        actual = pq3.Startup.parse_stream(stream)
+
+        assert actual == expected
+        assert stream.read() == extra
+
+
+@pytest.mark.parametrize(
+    "packet,expected_bytes",
+    [
+        pytest.param(
+            dict(),
+            b"\x00\x00\x00\x08\x00\x00\x00\x00",
+            id="nothing set",
+        ),
+        pytest.param(
+            dict(len=10, proto=0x12345678),
+            b"\x00\x00\x00\x0A\x12\x34\x56\x78\x00\x00",
+            id="len and proto set explicitly",
+        ),
+        pytest.param(
+            dict(proto=0x12345678),
+            b"\x00\x00\x00\x08\x12\x34\x56\x78",
+            id="implied len with no payload",
+        ),
+        pytest.param(
+            dict(proto=0x12345678, payload=b"abcd"),
+            b"\x00\x00\x00\x0C\x12\x34\x56\x78abcd",
+            id="implied len with payload",
+        ),
+        pytest.param(
+            dict(payload=[b""]),
+            b"\x00\x00\x00\x09\x00\x03\x00\x00\x00",
+            id="implied proto version 3 when sending parameters",
+        ),
+        pytest.param(
+            dict(payload=[b"hi", b""]),
+            b"\x00\x00\x00\x0C\x00\x03\x00\x00hi\x00\x00",
+            id="implied proto version 3 and len when sending more than one parameter",
+        ),
+        pytest.param(
+            dict(payload=dict(user="jsmith", database="postgres")),
+            b"\x00\x00\x00\x27\x00\x03\x00\x00user\x00jsmith\x00database\x00postgres\x00\x00",
+            id="auto-serialization of dict parameters",
+        ),
+    ],
+)
+def test_Startup_build(packet, expected_bytes):
+    actual = pq3.Startup.build(packet)
+    assert actual == expected_bytes
+
+
+@pytest.mark.parametrize(
+    "raw,expected,extra",
+    [
+        pytest.param(
+            b"*\x00\x00\x00\x08abcd",
+            dict(type=b"*", len=8, payload=b"abcd"),
+            b"",
+            id="4-byte payload",
+        ),
+        pytest.param(
+            b"*\x00\x00\x00\x04",
+            dict(type=b"*", len=4, payload=b""),
+            b"",
+            id="no payload",
+        ),
+        pytest.param(
+            b"*\x00\x00\x00\x05xabcd",
+            dict(type=b"*", len=5, payload=b"x"),
+            b"abcd",
+            id="1-byte payload with extra padding",
+        ),
+        pytest.param(
+            b"R\x00\x00\x00\x08\x00\x00\x00\x00",
+            dict(
+                type=pq3.types.AuthnRequest,
+                len=8,
+                payload=dict(type=pq3.authn.OK, body=None),
+            ),
+            b"",
+            id="AuthenticationOk",
+        ),
+        pytest.param(
+            b"R\x00\x00\x00\x12\x00\x00\x00\x0AEXTERNAL\x00\x00",
+            dict(
+                type=pq3.types.AuthnRequest,
+                len=18,
+                payload=dict(type=pq3.authn.SASL, body=[b"EXTERNAL", b""]),
+            ),
+            b"",
+            id="AuthenticationSASL",
+        ),
+        pytest.param(
+            b"R\x00\x00\x00\x0D\x00\x00\x00\x0B12345",
+            dict(
+                type=pq3.types.AuthnRequest,
+                len=13,
+                payload=dict(type=pq3.authn.SASLContinue, body=b"12345"),
+            ),
+            b"",
+            id="AuthenticationSASLContinue",
+        ),
+        pytest.param(
+            b"R\x00\x00\x00\x0D\x00\x00\x00\x0C12345",
+            dict(
+                type=pq3.types.AuthnRequest,
+                len=13,
+                payload=dict(type=pq3.authn.SASLFinal, body=b"12345"),
+            ),
+            b"",
+            id="AuthenticationSASLFinal",
+        ),
+        pytest.param(
+            b"p\x00\x00\x00\x0Bhunter2",
+            dict(
+                type=pq3.types.PasswordMessage,
+                len=11,
+                payload=b"hunter2",
+            ),
+            b"",
+            id="PasswordMessage",
+        ),
+        pytest.param(
+            b"K\x00\x00\x00\x0C\x00\x00\x00\x00\x12\x34\x56\x78",
+            dict(
+                type=pq3.types.BackendKeyData,
+                len=12,
+                payload=dict(pid=0, key=0x12345678),
+            ),
+            b"",
+            id="BackendKeyData",
+        ),
+        pytest.param(
+            b"C\x00\x00\x00\x08SET\x00",
+            dict(
+                type=pq3.types.CommandComplete,
+                len=8,
+                payload=dict(tag=b"SET"),
+            ),
+            b"",
+            id="CommandComplete",
+        ),
+        pytest.param(
+            b"E\x00\x00\x00\x11Mbad!\x00Mdog!\x00\x00",
+            dict(type=b"E", len=17, payload=dict(fields=[b"Mbad!", b"Mdog!", b""])),
+            b"",
+            id="ErrorResponse",
+        ),
+        pytest.param(
+            b"S\x00\x00\x00\x08a\x00b\x00",
+            dict(
+                type=pq3.types.ParameterStatus,
+                len=8,
+                payload=dict(name=b"a", value=b"b"),
+            ),
+            b"",
+            id="ParameterStatus",
+        ),
+        pytest.param(
+            b"Z\x00\x00\x00\x05x",
+            dict(type=b"Z", len=5, payload=dict(status=b"x")),
+            b"",
+            id="ReadyForQuery",
+        ),
+        pytest.param(
+            b"Q\x00\x00\x00\x06!\x00",
+            dict(type=pq3.types.Query, len=6, payload=dict(query=b"!")),
+            b"",
+            id="Query",
+        ),
+        pytest.param(
+            b"D\x00\x00\x00\x0B\x00\x01\x00\x00\x00\x01!",
+            dict(type=pq3.types.DataRow, len=11, payload=dict(columns=[b"!"])),
+            b"",
+            id="DataRow",
+        ),
+        pytest.param(
+            b"D\x00\x00\x00\x06\x00\x00extra",
+            dict(type=pq3.types.DataRow, len=6, payload=dict(columns=[])),
+            b"extra",
+            id="DataRow with extra data",
+        ),
+        pytest.param(
+            b"I\x00\x00\x00\x04",
+            dict(type=pq3.types.EmptyQueryResponse, len=4, payload=None),
+            b"",
+            id="EmptyQueryResponse",
+        ),
+        pytest.param(
+            b"I\x00\x00\x00\x04\xFF",
+            dict(type=b"I", len=4, payload=None),
+            b"\xFF",
+            id="EmptyQueryResponse with extra bytes",
+        ),
+        pytest.param(
+            b"X\x00\x00\x00\x04",
+            dict(type=pq3.types.Terminate, len=4, payload=None),
+            b"",
+            id="Terminate",
+        ),
+    ],
+)
+def test_Pq3_parse(raw, expected, extra):
+    with io.BytesIO(raw) as stream:
+        actual = pq3.Pq3.parse_stream(stream)
+
+        assert actual == expected
+        assert stream.read() == extra
+
+
+@pytest.mark.parametrize(
+    "fields,expected",
+    [
+        pytest.param(
+            dict(type=b"*", len=5),
+            b"*\x00\x00\x00\x05\x00",
+            id="type and len set explicitly",
+        ),
+        pytest.param(
+            dict(type=b"*"),
+            b"*\x00\x00\x00\x04",
+            id="implied len with no payload",
+        ),
+        pytest.param(
+            dict(type=b"*", payload=b"1234"),
+            b"*\x00\x00\x00\x081234",
+            id="implied len with payload",
+        ),
+        pytest.param(
+            dict(type=pq3.types.AuthnRequest, payload=dict(type=pq3.authn.OK)),
+            b"R\x00\x00\x00\x08\x00\x00\x00\x00",
+            id="implied len/type for AuthenticationOK",
+        ),
+        pytest.param(
+            dict(
+                type=pq3.types.AuthnRequest,
+                payload=dict(
+                    type=pq3.authn.SASL,
+                    body=[b"SCRAM-SHA-256-PLUS", b"SCRAM-SHA-256", b""],
+                ),
+            ),
+            b"R\x00\x00\x00\x2A\x00\x00\x00\x0ASCRAM-SHA-256-PLUS\x00SCRAM-SHA-256\x00\x00",
+            id="implied len/type for AuthenticationSASL",
+        ),
+        pytest.param(
+            dict(
+                type=pq3.types.AuthnRequest,
+                payload=dict(type=pq3.authn.SASLContinue, body=b"12345"),
+            ),
+            b"R\x00\x00\x00\x0D\x00\x00\x00\x0B12345",
+            id="implied len/type for AuthenticationSASLContinue",
+        ),
+        pytest.param(
+            dict(
+                type=pq3.types.AuthnRequest,
+                payload=dict(type=pq3.authn.SASLFinal, body=b"12345"),
+            ),
+            b"R\x00\x00\x00\x0D\x00\x00\x00\x0C12345",
+            id="implied len/type for AuthenticationSASLFinal",
+        ),
+        pytest.param(
+            dict(
+                type=pq3.types.PasswordMessage,
+                payload=b"hunter2",
+            ),
+            b"p\x00\x00\x00\x0Bhunter2",
+            id="implied len/type for PasswordMessage",
+        ),
+        pytest.param(
+            dict(type=pq3.types.BackendKeyData, payload=dict(pid=1, key=7)),
+            b"K\x00\x00\x00\x0C\x00\x00\x00\x01\x00\x00\x00\x07",
+            id="implied len/type for BackendKeyData",
+        ),
+        pytest.param(
+            dict(type=pq3.types.CommandComplete, payload=dict(tag=b"SET")),
+            b"C\x00\x00\x00\x08SET\x00",
+            id="implied len/type for CommandComplete",
+        ),
+        pytest.param(
+            dict(type=pq3.types.ErrorResponse, payload=dict(fields=[b"error", b""])),
+            b"E\x00\x00\x00\x0Berror\x00\x00",
+            id="implied len/type for ErrorResponse",
+        ),
+        pytest.param(
+            dict(type=pq3.types.ParameterStatus, payload=dict(name=b"a", value=b"b")),
+            b"S\x00\x00\x00\x08a\x00b\x00",
+            id="implied len/type for ParameterStatus",
+        ),
+        pytest.param(
+            dict(type=pq3.types.ReadyForQuery, payload=dict(status=b"I")),
+            b"Z\x00\x00\x00\x05I",
+            id="implied len/type for ReadyForQuery",
+        ),
+        pytest.param(
+            dict(type=pq3.types.Query, payload=dict(query=b"SELECT 1;")),
+            b"Q\x00\x00\x00\x0eSELECT 1;\x00",
+            id="implied len/type for Query",
+        ),
+        pytest.param(
+            dict(type=pq3.types.DataRow, payload=dict(columns=[b"abcd"])),
+            b"D\x00\x00\x00\x0E\x00\x01\x00\x00\x00\x04abcd",
+            id="implied len/type for DataRow",
+        ),
+        pytest.param(
+            dict(type=pq3.types.EmptyQueryResponse),
+            b"I\x00\x00\x00\x04",
+            id="implied len for EmptyQueryResponse",
+        ),
+        pytest.param(
+            dict(type=pq3.types.Terminate),
+            b"X\x00\x00\x00\x04",
+            id="implied len for Terminate",
+        ),
+    ],
+)
+def test_Pq3_build(fields, expected):
+    actual = pq3.Pq3.build(fields)
+    assert actual == expected
+
+
+@pytest.mark.parametrize(
+    "raw,expected,extra",
+    [
+        pytest.param(
+            b"\x00\x00",
+            dict(columns=[]),
+            b"",
+            id="no columns",
+        ),
+        pytest.param(
+            b"\x00\x01\x00\x00\x00\x04abcd",
+            dict(columns=[b"abcd"]),
+            b"",
+            id="one column",
+        ),
+        pytest.param(
+            b"\x00\x02\x00\x00\x00\x04abcd\x00\x00\x00\x01x",
+            dict(columns=[b"abcd", b"x"]),
+            b"",
+            id="multiple columns",
+        ),
+        pytest.param(
+            b"\x00\x02\x00\x00\x00\x00\x00\x00\x00\x01x",
+            dict(columns=[b"", b"x"]),
+            b"",
+            id="empty column value",
+        ),
+        pytest.param(
+            b"\x00\x02\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF",
+            dict(columns=[None, None]),
+            b"",
+            id="null columns",
+        ),
+    ],
+)
+def test_DataRow_parse(raw, expected, extra):
+    pkt = b"D" + struct.pack("!i", len(raw) + 4) + raw
+    with io.BytesIO(pkt) as stream:
+        actual = pq3.Pq3.parse_stream(stream)
+
+        assert actual.type == pq3.types.DataRow
+        assert actual.payload == expected
+        assert stream.read() == extra
+
+
+@pytest.mark.parametrize(
+    "fields,expected",
+    [
+        pytest.param(
+            dict(),
+            b"\x00\x00",
+            id="no columns",
+        ),
+        pytest.param(
+            dict(columns=[None, None]),
+            b"\x00\x02\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF",
+            id="null columns",
+        ),
+    ],
+)
+def test_DataRow_build(fields, expected):
+    actual = pq3.Pq3.build(dict(type=pq3.types.DataRow, payload=fields))
+
+    expected = b"D" + struct.pack("!i", len(expected) + 4) + expected
+    assert actual == expected
+
+
+@pytest.mark.parametrize(
+    "raw,expected,exception",
+    [
+        pytest.param(
+            b"EXTERNAL\x00\xFF\xFF\xFF\xFF",
+            dict(name=b"EXTERNAL", len=-1, data=None),
+            None,
+            id="no initial response",
+        ),
+        pytest.param(
+            b"EXTERNAL\x00\x00\x00\x00\x02me",
+            dict(name=b"EXTERNAL", len=2, data=b"me"),
+            None,
+            id="initial response",
+        ),
+        pytest.param(
+            b"EXTERNAL\x00\x00\x00\x00\x02meextra",
+            None,
+            TerminatedError,
+            id="extra data",
+        ),
+        pytest.param(
+            b"EXTERNAL\x00\x00\x00\x00\xFFme",
+            None,
+            StreamError,
+            id="underflow",
+        ),
+    ],
+)
+def test_SASLInitialResponse_parse(raw, expected, exception):
+    ctx = contextlib.nullcontext()
+    if exception:
+        ctx = pytest.raises(exception)
+
+    with ctx:
+        actual = pq3.SASLInitialResponse.parse(raw)
+        assert actual == expected
+
+
+@pytest.mark.parametrize(
+    "fields,expected",
+    [
+        pytest.param(
+            dict(name=b"EXTERNAL"),
+            b"EXTERNAL\x00\xFF\xFF\xFF\xFF",
+            id="no initial response",
+        ),
+        pytest.param(
+            dict(name=b"EXTERNAL", data=None),
+            b"EXTERNAL\x00\xFF\xFF\xFF\xFF",
+            id="no initial response (explicit None)",
+        ),
+        pytest.param(
+            dict(name=b"EXTERNAL", data=b""),
+            b"EXTERNAL\x00\x00\x00\x00\x00",
+            id="empty response",
+        ),
+        pytest.param(
+            dict(name=b"EXTERNAL", data=b"me@example.com"),
+            b"EXTERNAL\x00\x00\x00\x00\x0Eme@example.com",
+            id="initial response",
+        ),
+        pytest.param(
+            dict(name=b"EXTERNAL", len=2, data=b"me@example.com"),
+            b"EXTERNAL\x00\x00\x00\x00\x02me@example.com",
+            id="data overflow",
+        ),
+        pytest.param(
+            dict(name=b"EXTERNAL", len=14, data=b"me"),
+            b"EXTERNAL\x00\x00\x00\x00\x0Eme",
+            id="data underflow",
+        ),
+    ],
+)
+def test_SASLInitialResponse_build(fields, expected):
+    actual = pq3.SASLInitialResponse.build(fields)
+    assert actual == expected
+
+
+@pytest.mark.parametrize(
+    "version,expected_bytes",
+    [
+        pytest.param((3, 0), b"\x00\x03\x00\x00", id="version 3"),
+        pytest.param((1234, 5679), b"\x04\xd2\x16\x2f", id="SSLRequest"),
+    ],
+)
+def test_protocol(version, expected_bytes):
+    # Make sure the integer returned by protocol is correctly serialized on the
+    # wire.
+    assert struct.pack("!i", pq3.protocol(*version)) == expected_bytes
+
+
+@pytest.mark.parametrize(
+    "envvar,func,expected",
+    [
+        ("PGHOST", pq3.pghost, "localhost"),
+        ("PGPORT", pq3.pgport, 5432),
+        ("PGUSER", pq3.pguser, getpass.getuser()),
+        ("PGDATABASE", pq3.pgdatabase, "postgres"),
+    ],
+)
+def test_env_defaults(monkeypatch, envvar, func, expected):
+    monkeypatch.delenv(envvar, raising=False)
+
+    actual = func()
+    assert actual == expected
+
+
+@pytest.mark.parametrize(
+    "envvars,func,expected",
+    [
+        (dict(PGHOST="otherhost"), pq3.pghost, "otherhost"),
+        (dict(PGPORT="6789"), pq3.pgport, 6789),
+        (dict(PGUSER="postgres"), pq3.pguser, "postgres"),
+        (dict(PGDATABASE="template1"), pq3.pgdatabase, "template1"),
+    ],
+)
+def test_env(monkeypatch, envvars, func, expected):
+    for k, v in envvars.items():
+        monkeypatch.setenv(k, v)
+
+    actual = func()
+    assert actual == expected
diff --git a/src/test/python/tls.py b/src/test/python/tls.py
new file mode 100644
index 0000000000..075c02c1ca
--- /dev/null
+++ b/src/test/python/tls.py
@@ -0,0 +1,195 @@
+#
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: PostgreSQL
+#
+
+from construct import *
+
+#
+# TLS 1.3
+#
+# Most of the types below are transcribed from RFC 8446:
+#
+#     https://tools.ietf.org/html/rfc8446
+#
+
+
+def _Vector(size_field, element):
+    return Prefixed(size_field, GreedyRange(element))
+
+
+# Alerts
+
+AlertLevel = Enum(
+    Byte,
+    warning=1,
+    fatal=2,
+)
+
+AlertDescription = Enum(
+    Byte,
+    close_notify=0,
+    unexpected_message=10,
+    bad_record_mac=20,
+    decryption_failed_RESERVED=21,
+    record_overflow=22,
+    decompression_failure=30,
+    handshake_failure=40,
+    no_certificate_RESERVED=41,
+    bad_certificate=42,
+    unsupported_certificate=43,
+    certificate_revoked=44,
+    certificate_expired=45,
+    certificate_unknown=46,
+    illegal_parameter=47,
+    unknown_ca=48,
+    access_denied=49,
+    decode_error=50,
+    decrypt_error=51,
+    export_restriction_RESERVED=60,
+    protocol_version=70,
+    insufficient_security=71,
+    internal_error=80,
+    user_canceled=90,
+    no_renegotiation=100,
+    unsupported_extension=110,
+)
+
+Alert = Struct(
+    "level" / AlertLevel,
+    "description" / AlertDescription,
+)
+
+
+# Extensions
+
+ExtensionType = Enum(
+    Int16ub,
+    server_name=0,
+    max_fragment_length=1,
+    status_request=5,
+    supported_groups=10,
+    signature_algorithms=13,
+    use_srtp=14,
+    heartbeat=15,
+    application_layer_protocol_negotiation=16,
+    signed_certificate_timestamp=18,
+    client_certificate_type=19,
+    server_certificate_type=20,
+    padding=21,
+    pre_shared_key=41,
+    early_data=42,
+    supported_versions=43,
+    cookie=44,
+    psk_key_exchange_modes=45,
+    certificate_authorities=47,
+    oid_filters=48,
+    post_handshake_auth=49,
+    signature_algorithms_cert=50,
+    key_share=51,
+)
+
+Extension = Struct(
+    "extension_type" / ExtensionType,
+    "extension_data" / Prefixed(Int16ub, GreedyBytes),
+)
+
+
+# ClientHello
+
+
+class _CipherSuiteAdapter(Adapter):
+    class _hextuple(tuple):
+        def __repr__(self):
+            return f"(0x{self[0]:02X}, 0x{self[1]:02X})"
+
+    def _encode(self, obj, context, path):
+        return bytes(obj)
+
+    def _decode(self, obj, context, path):
+        assert len(obj) == 2
+        return self._hextuple(obj)
+
+
+ProtocolVersion = Hex(Int16ub)
+
+Random = Hex(Bytes(32))
+
+CipherSuite = _CipherSuiteAdapter(Byte[2])
+
+ClientHello = Struct(
+    "legacy_version" / ProtocolVersion,
+    "random" / Random,
+    "legacy_session_id" / Prefixed(Byte, Hex(GreedyBytes)),
+    "cipher_suites" / _Vector(Int16ub, CipherSuite),
+    "legacy_compression_methods" / Prefixed(Byte, GreedyBytes),
+    "extensions" / _Vector(Int16ub, Extension),
+)
+
+# ServerHello
+
+ServerHello = Struct(
+    "legacy_version" / ProtocolVersion,
+    "random" / Random,
+    "legacy_session_id_echo" / Prefixed(Byte, Hex(GreedyBytes)),
+    "cipher_suite" / CipherSuite,
+    "legacy_compression_method" / Hex(Byte),
+    "extensions" / _Vector(Int16ub, Extension),
+)
+
+# Handshake
+
+HandshakeType = Enum(
+    Byte,
+    client_hello=1,
+    server_hello=2,
+    new_session_ticket=4,
+    end_of_early_data=5,
+    encrypted_extensions=8,
+    certificate=11,
+    certificate_request=13,
+    certificate_verify=15,
+    finished=20,
+    key_update=24,
+    message_hash=254,
+)
+
+Handshake = Struct(
+    "msg_type" / HandshakeType,
+    "length" / Int24ub,
+    "payload"
+    / Switch(
+        this.msg_type,
+        {
+            HandshakeType.client_hello: ClientHello,
+            HandshakeType.server_hello: ServerHello,
+            # HandshakeType.end_of_early_data: EndOfEarlyData,
+            # HandshakeType.encrypted_extensions: EncryptedExtensions,
+            # HandshakeType.certificate_request: CertificateRequest,
+            # HandshakeType.certificate: Certificate,
+            # HandshakeType.certificate_verify: CertificateVerify,
+            # HandshakeType.finished: Finished,
+            # HandshakeType.new_session_ticket: NewSessionTicket,
+            # HandshakeType.key_update: KeyUpdate,
+        },
+        default=FixedSized(this.length, GreedyBytes),
+    ),
+)
+
+# Records
+
+ContentType = Enum(
+    Byte,
+    invalid=0,
+    change_cipher_spec=20,
+    alert=21,
+    handshake=22,
+    application_data=23,
+)
+
+Plaintext = Struct(
+    "type" / ContentType,
+    "legacy_record_version" / ProtocolVersion,
+    "length" / Int16ub,
+    "fragment" / FixedSized(this.length, GreedyBytes),
+)
-- 
2.25.1

From f520c08e1aee5239051e304c8a8faf5cb25bdbf2 Mon Sep 17 00:00:00 2001
From: Jacob Champion <pchampion@vmware.com>
Date: Fri, 25 Mar 2022 16:35:30 -0700
Subject: [PATCH v4 10/10] contrib/oauth: switch to pluggable auth API

Move the core server implementation to contrib/oauth as a pluggable
provider, using the RegisterAuthProvider() API. oauth_validator_command
has been moved from core to a custom GUC. HBA options are handled
using the new hook. Tests have been updated to handle the new
implementations.

One server modification remains: allowing custom SASL mechanisms to
declare their own maximum message length.

This patch is optional; you can apply/revert it to compare the two
approaches.
---
 contrib/oauth/Makefile                        | 16 ++++
 .../auth-oauth.c => contrib/oauth/oauth.c     | 88 ++++++++++++++++---
 src/backend/libpq/Makefile                    |  1 -
 src/backend/libpq/auth.c                      |  7 --
 src/backend/libpq/hba.c                       | 27 +-----
 src/backend/utils/misc/guc.c                  | 12 ---
 src/include/libpq/hba.h                       |  6 +-
 src/include/libpq/oauth.h                     | 24 -----
 src/test/python/README                        |  3 +-
 src/test/python/server/test_oauth.py          | 20 ++---
 10 files changed, 104 insertions(+), 100 deletions(-)
 create mode 100644 contrib/oauth/Makefile
 rename src/backend/libpq/auth-oauth.c => contrib/oauth/oauth.c (90%)
 delete mode 100644 src/include/libpq/oauth.h

diff --git a/contrib/oauth/Makefile b/contrib/oauth/Makefile
new file mode 100644
index 0000000000..880bc1fef3
--- /dev/null
+++ b/contrib/oauth/Makefile
@@ -0,0 +1,16 @@
+# contrib/oauth/Makefile
+
+MODULE_big = oauth
+OBJS = oauth.o
+PGFILEDESC = "oauth - auth provider supporting OAuth 2.0/OIDC"
+
+ifdef USE_PGXS
+PG_CONFIG = pg_config
+PGXS := $(shell $(PG_CONFIG) --pgxs)
+include $(PGXS)
+else
+subdir = contrib/oauth
+top_builddir = ../..
+include $(top_builddir)/src/Makefile.global
+include $(top_srcdir)/contrib/contrib-global.mk
+endif
diff --git a/src/backend/libpq/auth-oauth.c b/contrib/oauth/oauth.c
similarity index 90%
rename from src/backend/libpq/auth-oauth.c
rename to contrib/oauth/oauth.c
index c1232a31a0..e83f3c5d99 100644
--- a/src/backend/libpq/auth-oauth.c
+++ b/contrib/oauth/oauth.c
@@ -1,33 +1,39 @@
-/*-------------------------------------------------------------------------
+/* -------------------------------------------------------------------------
  *
- * auth-oauth.c
+ * oauth.c
  *	  Server-side implementation of the SASL OAUTHBEARER mechanism.
  *
  * See the following RFC for more details:
  * - RFC 7628: https://tools.ietf.org/html/rfc7628
  *
- * Portions Copyright (c) 1996-2021, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1996-2022, PostgreSQL Global Development Group
  * Portions Copyright (c) 1994, Regents of the University of California
  *
- * src/backend/libpq/auth-oauth.c
+ * contrib/oauth/oauth.c
  *
- *-------------------------------------------------------------------------
+ * -------------------------------------------------------------------------
  */
+
 #include "postgres.h"
 
 #include <unistd.h>
 #include <fcntl.h>
 
 #include "common/oauth-common.h"
+#include "fmgr.h"
 #include "lib/stringinfo.h"
 #include "libpq/auth.h"
 #include "libpq/hba.h"
-#include "libpq/oauth.h"
 #include "libpq/sasl.h"
 #include "storage/fd.h"
+#include "utils/guc.h"
+
+PG_MODULE_MAGIC;
+
+void _PG_init(void);
 
 /* GUC */
-char *oauth_validator_command;
+static char *oauth_validator_command;
 
 static void  oauth_get_mechanisms(Port *port, StringInfo buf);
 static void *oauth_init(Port *port, const char *selected_mech, const char *shadow_pass);
@@ -35,7 +41,7 @@ static int   oauth_exchange(void *opaq, const char *input, int inputlen,
 							char **output, int *outputlen, const char **logdetail);
 
 /* Mechanism declaration */
-const pg_be_sasl_mech pg_be_oauth_mech = {
+static const pg_be_sasl_mech oauth_mech = {
 	oauth_get_mechanisms,
 	oauth_init,
 	oauth_exchange,
@@ -57,12 +63,13 @@ struct oauth_ctx
 	Port	   *port;
 	const char *issuer;
 	const char *scope;
+	bool		skip_usermap;
 };
 
 static char *sanitize_char(char c);
 static char *parse_kvpairs_for_auth(char **input);
 static void generate_error_response(struct oauth_ctx *ctx, char **output, int *outputlen);
-static bool validate(Port *port, const char *auth, const char **logdetail);
+static bool validate(struct oauth_ctx *ctx, const char *auth, const char **logdetail);
 static bool run_validator_command(Port *port, const char *token);
 static bool check_exit(FILE **fh, const char *command);
 static bool unset_cloexec(int fd);
@@ -84,6 +91,7 @@ static void *
 oauth_init(Port *port, const char *selected_mech, const char *shadow_pass)
 {
 	struct oauth_ctx *ctx;
+	ListCell	   *lc;
 
 	if (strcmp(selected_mech, OAUTHBEARER_NAME))
 		ereport(ERROR,
@@ -96,8 +104,21 @@ oauth_init(Port *port, const char *selected_mech, const char *shadow_pass)
 	ctx->port = port;
 
 	Assert(port->hba);
-	ctx->issuer = port->hba->oauth_issuer;
-	ctx->scope = port->hba->oauth_scope;
+
+	foreach (lc, port->hba->custom_auth_options)
+	{
+		CustomOption *option = lfirst(lc);
+
+		if (strcmp(option->name, "issuer") == 0)
+			ctx->issuer = option->value;
+		else if (strcmp(option->name, "scope") == 0)
+			ctx->scope = option->value;
+		else if (strcmp(option->name, "trust_validator_authz") == 0)
+		{
+			if (strcmp(option->value, "1") == 0)
+				ctx->skip_usermap = true;
+		}
+	}
 
 	return ctx;
 }
@@ -248,7 +269,7 @@ oauth_exchange(void *opaq, const char *input, int inputlen,
 				 errmsg("malformed OAUTHBEARER message"),
 				 errdetail("Message contains additional data after the final terminator.")));
 
-	if (!validate(ctx->port, auth, logdetail))
+	if (!validate(ctx, auth, logdetail))
 	{
 		generate_error_response(ctx, output, outputlen);
 
@@ -415,12 +436,13 @@ generate_error_response(struct oauth_ctx *ctx, char **output, int *outputlen)
 }
 
 static bool
-validate(Port *port, const char *auth, const char **logdetail)
+validate(struct oauth_ctx *ctx, const char *auth, const char **logdetail)
 {
 	static const char * const b64_set = "abcdefghijklmnopqrstuvwxyz"
 										"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
 										"0123456789-._~+/";
 
+	Port	   *port = ctx->port;
 	const char *token;
 	size_t		span;
 	int			ret;
@@ -497,7 +519,7 @@ validate(Port *port, const char *auth, const char **logdetail)
 	if (!run_validator_command(port, token))
 		return false;
 
-	if (port->hba->oauth_skip_usermap)
+	if (ctx->skip_usermap)
 	{
 		/*
 		 * If the validator is our authorization authority, we're done.
@@ -795,3 +817,41 @@ username_ok_for_shell(const char *username)
 
 	return true;
 }
+
+static int CheckOAuth(Port *port)
+{
+	return CheckSASLAuth(&oauth_mech, port, NULL, NULL);
+}
+
+static const char *OAuthError(Port *port)
+{
+	return psprintf("OAuth bearer authentication failed for user \"%s\"",
+					port->user_name);
+}
+
+static bool OAuthCheckOption(char *name, char *val,
+							 struct HbaLine *hbaline, char **errmsg)
+{
+	if (!strcmp(name, "issuer"))
+		return true;
+	if (!strcmp(name, "scope"))
+		return true;
+	if (!strcmp(name, "trust_validator_authz"))
+		return true;
+
+	return false;
+}
+
+void
+_PG_init(void)
+{
+	RegisterAuthProvider("oauth", CheckOAuth, OAuthError, OAuthCheckOption);
+
+	DefineCustomStringVariable("oauth.validator_command",
+							   gettext_noop("Command to validate OAuth v2 bearer tokens."),
+							   NULL,
+							   &oauth_validator_command,
+							   "",
+							   PGC_SIGHUP, GUC_SUPERUSER_ONLY,
+							   NULL, NULL, NULL);
+}
diff --git a/src/backend/libpq/Makefile b/src/backend/libpq/Makefile
index 98eb2a8242..6d385fd6a4 100644
--- a/src/backend/libpq/Makefile
+++ b/src/backend/libpq/Makefile
@@ -15,7 +15,6 @@ include $(top_builddir)/src/Makefile.global
 # be-fsstubs is here for historical reasons, probably belongs elsewhere
 
 OBJS = \
-	auth-oauth.o \
 	auth-sasl.o \
 	auth-scram.o \
 	auth.o \
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 17042d84ad..4a8a63922a 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -30,7 +30,6 @@
 #include "libpq/auth.h"
 #include "libpq/crypt.h"
 #include "libpq/libpq.h"
-#include "libpq/oauth.h"
 #include "libpq/pqformat.h"
 #include "libpq/sasl.h"
 #include "libpq/scram.h"
@@ -299,9 +298,6 @@ auth_failed(Port *port, int status, const char *logdetail)
 		case uaRADIUS:
 			errstr = gettext_noop("RADIUS authentication failed for user \"%s\"");
 			break;
-		case uaOAuth:
-			errstr = gettext_noop("OAuth bearer authentication failed for user \"%s\"");
-			break;
 		case uaCustom:
 			{
 				CustomAuthProvider *provider = get_provider_by_name(port->hba->custom_provider);
@@ -630,9 +626,6 @@ ClientAuthentication(Port *port)
 		case uaTrust:
 			status = STATUS_OK;
 			break;
-		case uaOAuth:
-			status = CheckSASLAuth(&pg_be_oauth_mech, port, NULL, NULL);
-			break;
 		case uaCustom:
 			{
 				CustomAuthProvider *provider = get_provider_by_name(port->hba->custom_provider);
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index cd3b1cc140..6bf986d5b3 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -137,7 +137,6 @@ static const char *const UserAuthName[] =
 	"radius",
 	"custom",
 	"peer",
-	"oauth",
 };
 
 
@@ -1402,8 +1401,6 @@ parse_hba_line(TokenizedLine *tok_line, int elevel)
 #endif
 	else if (strcmp(token->string, "radius") == 0)
 		parsedline->auth_method = uaRADIUS;
-	else if (strcmp(token->string, "oauth") == 0)
-		parsedline->auth_method = uaOAuth;
 	else if (strcmp(token->string, "custom") == 0)
 		parsedline->auth_method = uaCustom;
 	else
@@ -1733,9 +1730,8 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
 			hbaline->auth_method != uaGSS &&
 			hbaline->auth_method != uaSSPI &&
 			hbaline->auth_method != uaCert &&
-			hbaline->auth_method != uaOAuth &&
 			hbaline->auth_method != uaCustom)
-			INVALID_AUTH_OPTION("map", gettext_noop("ident, peer, gssapi, sspi, cert, oauth, and custom"));
+			INVALID_AUTH_OPTION("map", gettext_noop("ident, peer, gssapi, sspi, cert, and custom"));
 		hbaline->usermap = pstrdup(val);
 	}
 	else if (strcmp(name, "clientcert") == 0)
@@ -2119,27 +2115,6 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
 		hbaline->radiusidentifiers = parsed_identifiers;
 		hbaline->radiusidentifiers_s = pstrdup(val);
 	}
-	else if (strcmp(name, "issuer") == 0)
-	{
-		if (hbaline->auth_method != uaOAuth)
-			INVALID_AUTH_OPTION("issuer", gettext_noop("oauth"));
-		hbaline->oauth_issuer = pstrdup(val);
-	}
-	else if (strcmp(name, "scope") == 0)
-	{
-		if (hbaline->auth_method != uaOAuth)
-			INVALID_AUTH_OPTION("scope", gettext_noop("oauth"));
-		hbaline->oauth_scope = pstrdup(val);
-	}
-	else if (strcmp(name, "trust_validator_authz") == 0)
-	{
-		if (hbaline->auth_method != uaOAuth)
-			INVALID_AUTH_OPTION("trust_validator_authz", gettext_noop("oauth"));
-		if (strcmp(val, "1") == 0)
-			hbaline->oauth_skip_usermap = true;
-		else
-			hbaline->oauth_skip_usermap = false;
-	}
 	else if (strcmp(name, "provider") == 0)
 	{
 		REQUIRE_AUTH_OPTION(uaCustom, "provider", "custom");
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index 9a5b2aa496..f70f7f5c01 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -59,7 +59,6 @@
 #include "libpq/auth.h"
 #include "libpq/libpq.h"
 #include "libpq/pqformat.h"
-#include "libpq/oauth.h"
 #include "miscadmin.h"
 #include "optimizer/cost.h"
 #include "optimizer/geqo.h"
@@ -4667,17 +4666,6 @@ static struct config_string ConfigureNamesString[] =
 		check_backtrace_functions, assign_backtrace_functions, NULL
 	},
 
-	{
-		{"oauth_validator_command", PGC_SIGHUP, CONN_AUTH_AUTH,
-			gettext_noop("Command to validate OAuth v2 bearer tokens."),
-			NULL,
-			GUC_SUPERUSER_ONLY
-		},
-		&oauth_validator_command,
-		"",
-		NULL, NULL, NULL
-	},
-
 	/* End-of-list marker */
 	{
 		{NULL, 0, 0, NULL, NULL}, NULL, NULL, NULL, NULL, NULL
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index e405103a2e..bbc94363cb 100644
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -40,8 +40,7 @@ typedef enum UserAuth
 	uaRADIUS,
 	uaCustom,
 	uaPeer,
-	uaOAuth
-#define USER_AUTH_LAST uaOAuth	/* Must be last value of this enum */
+#define USER_AUTH_LAST uaPeer	/* Must be last value of this enum */
 } UserAuth;
 
 /*
@@ -129,9 +128,6 @@ typedef struct HbaLine
 	char	   *radiusidentifiers_s;
 	List	   *radiusports;
 	char	   *radiusports_s;
-	char	   *oauth_issuer;
-	char	   *oauth_scope;
-	bool		oauth_skip_usermap;
 	char	   *custom_provider;
 	List	   *custom_auth_options;
 } HbaLine;
diff --git a/src/include/libpq/oauth.h b/src/include/libpq/oauth.h
deleted file mode 100644
index 870e426af1..0000000000
--- a/src/include/libpq/oauth.h
+++ /dev/null
@@ -1,24 +0,0 @@
-/*-------------------------------------------------------------------------
- *
- * oauth.h
- *	  Interface to libpq/auth-oauth.c
- *
- * Portions Copyright (c) 1996-2021, PostgreSQL Global Development Group
- * Portions Copyright (c) 1994, Regents of the University of California
- *
- * src/include/libpq/oauth.h
- *
- *-------------------------------------------------------------------------
- */
-#ifndef PG_OAUTH_H
-#define PG_OAUTH_H
-
-#include "libpq/libpq-be.h"
-#include "libpq/sasl.h"
-
-extern char *oauth_validator_command;
-
-/* Implementation */
-extern const pg_be_sasl_mech pg_be_oauth_mech;
-
-#endif /* PG_OAUTH_H */
diff --git a/src/test/python/README b/src/test/python/README
index 0bda582c4b..0fbc1046cf 100644
--- a/src/test/python/README
+++ b/src/test/python/README
@@ -13,7 +13,8 @@ but you can adjust as needed for your setup.
 
 ## Requirements
 
-A supported version (3.6+) of Python.
+- A supported version (3.6+) of Python.
+- The oauth extension must be installed and loaded via shared_preload_libraries.
 
 The first run of
 
diff --git a/src/test/python/server/test_oauth.py b/src/test/python/server/test_oauth.py
index cb5ca7fa23..07fc25edc2 100644
--- a/src/test/python/server/test_oauth.py
+++ b/src/test/python/server/test_oauth.py
@@ -103,9 +103,9 @@ def oauth_ctx():
 
     ctx = Context()
     hba_lines = (
-        f'host {ctx.dbname} {ctx.map_user}   samehost oauth issuer="{ctx.issuer}" scope="{ctx.scope}" map=oauth\n',
-        f'host {ctx.dbname} {ctx.authz_user} samehost oauth issuer="{ctx.issuer}" scope="{ctx.scope}" trust_validator_authz=1\n',
-        f'host {ctx.dbname} all              samehost oauth issuer="{ctx.issuer}" scope="{ctx.scope}"\n',
+        f'host {ctx.dbname} {ctx.map_user}   samehost custom provider=oauth issuer="{ctx.issuer}" scope="{ctx.scope}" map=oauth\n',
+        f'host {ctx.dbname} {ctx.authz_user} samehost custom provider=oauth issuer="{ctx.issuer}" scope="{ctx.scope}" trust_validator_authz=1\n',
+        f'host {ctx.dbname} all              samehost custom provider=oauth issuer="{ctx.issuer}" scope="{ctx.scope}"\n',
     )
     ident_lines = (r"oauth /^(.*)@example\.com$ \1",)
 
@@ -126,12 +126,12 @@ def oauth_ctx():
         c.execute(sql.SQL("CREATE ROLE {} LOGIN;").format(authz_user))
         c.execute(sql.SQL("CREATE DATABASE {};").format(dbname))
 
-        # Make this test script the server's oauth_validator.
+        # Make this test script the server's oauth validator.
         path = pathlib.Path(__file__).parent / "validate_bearer.py"
         path = str(path.absolute())
 
         cmd = f"{shlex.quote(path)} {SHARED_MEM_NAME} <&%f"
-        c.execute("ALTER SYSTEM SET oauth_validator_command TO %s;", (cmd,))
+        c.execute("ALTER SYSTEM SET oauth.validator_command TO %s;", (cmd,))
 
         # Replace pg_hba and pg_ident.
         c.execute("SHOW hba_file;")
@@ -149,7 +149,7 @@ def oauth_ctx():
         # Put things back the way they were.
         c.execute("SELECT pg_reload_conf();")
 
-        c.execute("ALTER SYSTEM RESET oauth_validator_command;")
+        c.execute("ALTER SYSTEM RESET oauth.validator_command;")
         c.execute(sql.SQL("DROP DATABASE {};").format(dbname))
         c.execute(sql.SQL("DROP ROLE {};").format(authz_user))
         c.execute(sql.SQL("DROP ROLE {};").format(map_user))
@@ -930,7 +930,7 @@ def test_oauth_empty_initial_response(conn, oauth_ctx, bearer_token):
 def set_validator():
     """
     A per-test fixture that allows a test to override the setting of
-    oauth_validator_command for the cluster. The setting will be reverted during
+    oauth.validator_command for the cluster. The setting will be reverted during
     teardown.
 
     Passing None will perform an ALTER SYSTEM RESET.
@@ -942,17 +942,17 @@ def set_validator():
         c = conn.cursor()
 
         # Save the previous value.
-        c.execute("SHOW oauth_validator_command;")
+        c.execute("SHOW oauth.validator_command;")
         prev_cmd = c.fetchone()[0]
 
         def setter(cmd):
-            c.execute("ALTER SYSTEM SET oauth_validator_command TO %s;", (cmd,))
+            c.execute("ALTER SYSTEM SET oauth.validator_command TO %s;", (cmd,))
             c.execute("SELECT pg_reload_conf();")
 
         yield setter
 
         # Restore the previous value.
-        c.execute("ALTER SYSTEM SET oauth_validator_command TO %s;", (prev_cmd,))
+        c.execute("ALTER SYSTEM SET oauth.validator_command TO %s;", (prev_cmd,))
         c.execute("SELECT pg_reload_conf();")
 
 
-- 
2.25.1

diff --git a/src/backend/libpq/auth-oauth.c b/src/backend/libpq/auth-oauth.c
index c47211132c..86f820482b 100644
--- a/src/backend/libpq/auth-oauth.c
+++ b/src/backend/libpq/auth-oauth.c
@@ -24,7 +24,9 @@
 #include "libpq/hba.h"
 #include "libpq/oauth.h"
 #include "libpq/sasl.h"
+#include "miscadmin.h"
 #include "storage/fd.h"
+#include "utils/memutils.h"
 
 /* GUC */
 char *oauth_validator_command;
@@ -34,6 +36,13 @@ static void *oauth_init(Port *port, const char *selected_mech, const char *shado
 static int   oauth_exchange(void *opaq, const char *input, int inputlen,
 							char **output, int *outputlen, char **logdetail);
 
+/*----------------------------------------------------------------
+ * OAuth Authentication
+ *----------------------------------------------------------------
+ */
+static List *oauth_providers = NIL;
+static OAuthProvider* oauth_provider = NULL;
+
 /* Mechanism declaration */
 const pg_be_sasl_mech pg_be_oauth_mech = {
 	oauth_get_mechanisms,
@@ -63,15 +72,90 @@ static char *sanitize_char(char c);
 static char *parse_kvpairs_for_auth(char **input);
 static void generate_error_response(struct oauth_ctx *ctx, char **output, int *outputlen);
 static bool validate(Port *port, const char *auth, char **logdetail);
-static bool run_validator_command(Port *port, const char *token);
+static const char* run_validator_command(Port *port, const char *token);
 static bool check_exit(FILE **fh, const char *command);
 static bool unset_cloexec(int fd);
-static bool username_ok_for_shell(const char *username);
 
 #define KVSEP 0x01
 #define AUTH_KEY "auth"
 #define BEARER_SCHEME "Bearer "
 
+/*----------------------------------------------------------------
+ * OAuth Token Validator
+ *----------------------------------------------------------------
+ */
+
+/*
+ * RegisterOAuthProvider registers a OAuth Token Validator to be
+ * used for oauth token validation. It validates the token and adds the valiator
+ * name and it's hooks to a list of loaded token validator. The right validator's
+ * hooks can then be called based on the validator name specified in
+ * pg_hba.conf.
+ *
+ * This function should be called in _PG_init() by any extension looking to
+ * add a custom authentication method.
+ */
+void
+RegisterOAuthProvider(
+	const char *provider_name,
+	OAuthProviderCheck_hook_type OAuthProviderCheck_hook,
+	OAuthProviderError_hook_type OAuthProviderError_hook	
+)
+{
+	if (!process_shared_preload_libraries_in_progress)
+	{
+		ereport(ERROR,
+			(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
+			errmsg("RegisterOAuthProvider can only be called by a shared_preload_library")));
+		return;
+	}
+
+	MemoryContext oldcxt;
+	if (oauth_provider == NULL)
+	{
+		oldcxt = MemoryContextSwitchTo(TopMemoryContext);
+		oauth_provider = palloc(sizeof(OAuthProvider));
+		oauth_provider->name = pstrdup(provider_name);
+		oauth_provider->oauth_provider_hook = OAuthProviderCheck_hook;
+		oauth_provider->oauth_error_hook = OAuthProviderError_hook;		
+		oauth_providers = lappend(oauth_providers, oauth_provider);
+		MemoryContextSwitchTo(oldcxt);
+	}
+	else
+	{
+		if (oauth_provider && oauth_provider->name)
+		{
+			ereport(ERROR,
+				(errmsg("OAuth provider \"%s\" is already loaded.",
+					oauth_provider->name)));
+		}
+		else
+		{
+			ereport(ERROR,
+				(errmsg("OAuth provider is already loaded.")));
+		}
+	}
+}
+
+/*
+ * Returns the oauth provider (which includes it's
+ * callback functions) based on name specified.
+ */
+OAuthProvider *get_provider_by_name(const char *name)
+{
+	ListCell *lc;
+	foreach(lc, oauth_providers)
+	{
+		OAuthProvider *provider = (OAuthProvider *) lfirst(lc);
+		if (strcmp(provider->name, name) == 0)
+		{
+			return provider;
+		}
+	}
+
+	return NULL;
+}
+
 static void
 oauth_get_mechanisms(Port *port, StringInfo buf)
 {
@@ -494,17 +578,17 @@ validate(Port *port, const char *auth, char **logdetail)
 	}
 
 	/* Have the validator check the token. */
-	if (!run_validator_command(port, token))
+	if (run_validator_command(port, token) == NULL)
 		return false;
-
+	
 	if (port->hba->oauth_skip_usermap)
 	{
 		/*
-		 * If the validator is our authorization authority, we're done.
-		 * Authentication may or may not have been performed depending on the
-		 * validator implementation; all that matters is that the validator says
-		 * the user can log in with the target role.
-		 */
+	 	* If the validator is our authorization authority, we're done.
+	 	* Authentication may or may not have been performed depending on the
+	 	* validator implementation; all that matters is that the validator says
+	 	* the user can log in with the target role.
+	 	*/
 		return true;
 	}
 
@@ -524,193 +608,26 @@ validate(Port *port, const char *auth, char **logdetail)
 	return (ret == STATUS_OK);
 }
 
-static bool
+static const char*
 run_validator_command(Port *port, const char *token)
 {
-	bool		success = false;
-	int			rc;
-	int			pipefd[2];
-	int			rfd = -1;
-	int			wfd = -1;
-
-	StringInfoData command = { 0 };
-	char	   *p;
-	FILE	   *fh = NULL;
-
-	ssize_t		written;
-	char	   *line = NULL;
-	size_t		size = 0;
-	ssize_t		len;
-
-	Assert(oauth_validator_command);
-
-	if (!oauth_validator_command[0])
-	{
-		ereport(COMMERROR,
-				(errmsg("oauth_validator_command is not set"),
-				 errhint("To allow OAuth authenticated connections, set "
-						 "oauth_validator_command in postgresql.conf.")));
-		return false;
-	}
-
-	/*
-	 * Since popen() is unidirectional, open up a pipe for the other direction.
-	 * Use CLOEXEC to ensure that our write end doesn't accidentally get copied
-	 * into child processes, which would prevent us from closing it cleanly.
-	 *
-	 * XXX this is ugly. We should just read from the child process's stdout,
-	 * but that's a lot more code.
-	 * XXX by bypassing the popen API, we open the potential of process
-	 * deadlock. Clearly document child process requirements (i.e. the child
-	 * MUST read all data off of the pipe before writing anything).
-	 * TODO: port to Windows using _pipe().
-	 */
-	rc = pipe2(pipefd, O_CLOEXEC);
-	if (rc < 0)
+	if(oauth_provider->oauth_provider_hook == NULL)
 	{
-		ereport(COMMERROR,
-				(errcode_for_file_access(),
-				 errmsg("could not create child pipe: %m")));
 		return false;
 	}
 
-	rfd = pipefd[0];
-	wfd = pipefd[1];
-
-	/* Allow the read pipe be passed to the child. */
-	if (!unset_cloexec(rfd))
+	char *id = oauth_provider->
+			   oauth_provider_hook(port, token);
+	if(id == NULL)
 	{
-		/* error message was already logged */
-		goto cleanup;
-	}
-
-	/*
-	 * Construct the command, substituting any recognized %-specifiers:
-	 *
-	 *   %f: the file descriptor of the input pipe
-	 *   %r: the role that the client wants to assume (port->user_name)
-	 *   %%: a literal '%'
-	 */
-	initStringInfo(&command);
-
-	for (p = oauth_validator_command; *p; p++)
-	{
-		if (p[0] == '%')
-		{
-			switch (p[1])
-			{
-				case 'f':
-					appendStringInfo(&command, "%d", rfd);
-					p++;
-					break;
-				case 'r':
-					/*
-					 * TODO: decide how this string should be escaped. The role
-					 * is controlled by the client, so if we don't escape it,
-					 * command injections are inevitable.
-					 *
-					 * This is probably an indication that the role name needs
-					 * to be communicated to the validator process in some other
-					 * way. For this proof of concept, just be incredibly strict
-					 * about the characters that are allowed in user names.
-					 */
-					if (!username_ok_for_shell(port->user_name))
-						goto cleanup;
-
-					appendStringInfoString(&command, port->user_name);
-					p++;
-					break;
-				case '%':
-					appendStringInfoChar(&command, '%');
-					p++;
-					break;
-				default:
-					appendStringInfoChar(&command, p[0]);
-			}
-		}
-		else
-			appendStringInfoChar(&command, p[0]);
-	}
-
-	/* Execute the command. */
-	fh = OpenPipeStream(command.data, "re");
-	/* TODO: handle failures */
-
-	/* We don't need the read end of the pipe anymore. */
-	close(rfd);
-	rfd = -1;
-
-	/* Give the command the token to validate. */
-	written = write(wfd, token, strlen(token));
-	if (written != strlen(token))
-	{
-		/* TODO must loop for short writes, EINTR et al */
-		ereport(COMMERROR,
-				(errcode_for_file_access(),
-				 errmsg("could not write token to child pipe: %m")));
-		goto cleanup;
-	}
-
-	close(wfd);
-	wfd = -1;
-
-	/*
-	 * Read the command's response.
-	 *
-	 * TODO: getline() is probably too new to use, unfortunately.
-	 * TODO: loop over all lines
-	 */
-	if ((len = getline(&line, &size, fh)) >= 0)
-	{
-		/* TODO: fail if the authn_id doesn't end with a newline */
-		if (len > 0)
-			line[len - 1] = '\0';
-
-		set_authn_id(port, line);
-	}
-	else if (ferror(fh))
-	{
-		ereport(COMMERROR,
-				(errcode_for_file_access(),
-				 errmsg("could not read from command \"%s\": %m",
-						command.data)));
-		goto cleanup;
-	}
-
-	/* Make sure the command exits cleanly. */
-	if (!check_exit(&fh, command.data))
-	{
-		/* error message already logged */
-		goto cleanup;
-	}
-
-	/* Done. */
-	success = true;
-
-cleanup:
-	if (line)
-		free(line);
-
-	/*
-	 * In the successful case, the pipe fds are already closed. For the error
-	 * case, always close out the pipe before waiting for the command, to
-	 * prevent deadlock.
-	 */
-	if (rfd >= 0)
-		close(rfd);
-	if (wfd >= 0)
-		close(wfd);
-
-	if (fh)
-	{
-		Assert(!success);
-		check_exit(&fh, command.data);
+		ereport(LOG,
+				(errmsg("OAuth bearer token validation failed" )));
+		return NULL;
 	}
 
-	if (command.data)
-		pfree(command.data);
-
-	return success;
+	set_authn_id(port, id);
+	
+	return id;
 }
 
 static bool
@@ -769,29 +686,3 @@ unset_cloexec(int fd)
 
 	return true;
 }
-
-/*
- * XXX This should go away eventually and be replaced with either a proper
- * escape or a different strategy for communication with the validator command.
- */
-static bool
-username_ok_for_shell(const char *username)
-{
-	/* This set is borrowed from fe_utils' appendShellStringNoError(). */
-	static const char * const allowed = "abcdefghijklmnopqrstuvwxyz"
-										"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
-										"0123456789-_./:";
-	size_t	span;
-
-	Assert(username && username[0]); /* should have already been checked */
-
-	span = strspn(username, allowed);
-	if (username[span] != '\0')
-	{
-		ereport(COMMERROR,
-				(errmsg("PostgreSQL user name contains unsafe characters and cannot be passed to the OAuth validator")));
-		return false;
-	}
-
-	return true;
-}
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 333051ad3c..0bbcf231d2 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -296,8 +296,14 @@ auth_failed(Port *port, int status, const char *logdetail)
 			errstr = gettext_noop("RADIUS authentication failed for user \"%s\"");
 			break;
 		case uaOAuth:
-			errstr = gettext_noop("OAuth bearer authentication failed for user \"%s\"");
-			break;
+			{
+				OAuthProvider *provider = get_provider_by_name(port->hba->oauth_provider);
+				if(provider->oauth_error_hook)
+					errstr = provider->oauth_error_hook(port);
+				else
+					errstr = gettext_noop("OAuth bearer authentication failed for user \"%s\"");
+				break;
+			}
 		default:
 			errstr = gettext_noop("authentication failed for user \"%s\": invalid authentication method");
 			break;
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 943e78ddff..94fb5d434d 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1663,6 +1663,14 @@ parse_hba_line(TokenizedAuthLine *tok_line, int elevel)
 		parsedline->clientcert = clientCertFull;
 	}
 
+	/*
+	 * Ensure that the token validation provider name is specified as provider for oauth method.
+	 */
+	if (parsedline->auth_method == uaOAuth)
+	{
+		MANDATORY_AUTH_ARG(parsedline->oauth_provider, "provider", "oauth");
+	}
+
 	return parsedline;
 }
 
@@ -2095,6 +2103,31 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
 		else
 			hbaline->oauth_skip_usermap = false;
 	}
+	else if (strcmp(name, "provider") == 0)
+	{
+		REQUIRE_AUTH_OPTION(uaOAuth, "provider", "oauth");
+		if (hbaline->auth_method != uaOAuth)
+			INVALID_AUTH_OPTION("provider", gettext_noop("oauth"));
+		/*
+		 * Verify that the token validation mentioned is loaded via shared_preload_libraries.
+		 */
+		if (get_provider_by_name(val) == NULL)
+		{
+			ereport(elevel,
+					(errcode(ERRCODE_CONFIG_FILE_ERROR),
+					 errmsg("cannot use oauth provider %s",val),
+					 errhint("Load provider token validation via shared_preload_libraries."),
+					 errcontext("line %d of configuration file \"%s\"",
+								line_num, HbaFileName)));
+			*err_msg = psprintf("cannot use oauth provider %s", val);
+
+			return false;
+		}
+		else
+		{
+			hbaline->oauth_provider = pstrdup(val);
+		}
+	}
 	else
 	{
 		ereport(elevel,
diff --git a/src/include/libpq/auth.h b/src/include/libpq/auth.h
index 485e48970e..938ac399dc 100644
--- a/src/include/libpq/auth.h
+++ b/src/include/libpq/auth.h
@@ -44,4 +44,29 @@ extern void set_authn_id(Port *port, const char *id);
 typedef void (*ClientAuthentication_hook_type) (Port *, int);
 extern PGDLLIMPORT ClientAuthentication_hook_type ClientAuthentication_hook;
 
+/* Declarations for oAuth authentication providers */
+typedef const char* (*OAuthProviderCheck_hook_type) (Port *, const char*);
+
+/* Hook for plugins to report error messages in validation_failed() */
+typedef const char * (*OAuthProviderError_hook_type) (Port *);
+
+/* Hook for plugins to validate oauth provider options */
+typedef bool (*OAuthProviderValidateOptions_hook_type)
+			 (char *, char *, HbaLine *, char **);
+
+typedef struct OAuthProvider
+{
+	const char *name;
+	OAuthProviderCheck_hook_type oauth_provider_hook;
+	OAuthProviderError_hook_type oauth_error_hook;	
+} OAuthProvider;
+
+extern void RegisterOAuthProvider
+		(const char *provider_name,
+		OAuthProviderCheck_hook_type OAuthProviderCheck_hook,
+		OAuthProviderError_hook_type OAuthProviderError_hook
+		);
+
+extern OAuthProvider *get_provider_by_name(const char *name);
+
 #endif							/* AUTH_H */
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index c1b1313989..d65395cc22 100644
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -123,6 +123,7 @@ typedef struct HbaLine
 	char	   *radiusports_s;
 	char	   *oauth_issuer;
 	char	   *oauth_scope;
+	char       *oauth_provider;
 	bool		oauth_skip_usermap;
 } HbaLine;
 
diff --git a/src/interfaces/libpq/fe-auth-oauth.c b/src/interfaces/libpq/fe-auth-oauth.c
index 91d2c69f16..61a0b80b7e 100644
--- a/src/interfaces/libpq/fe-auth-oauth.c
+++ b/src/interfaces/libpq/fe-auth-oauth.c
@@ -174,6 +174,16 @@ get_auth_token(PGconn *conn)
 	if (!token_buf)
 		goto cleanup;
 
+	if(conn->oauth_bearer_token)
+	{
+		appendPQExpBufferStr(token_buf, "Bearer ");
+		appendPQExpBufferStr(token_buf, conn->oauth_bearer_token);
+		if (PQExpBufferBroken(token_buf))
+			goto cleanup;
+		token = strdup(token_buf->data);
+		goto cleanup;
+	}
+
 	err = i_set_str_parameter(&session, I_OPT_OPENID_CONFIG_ENDPOINT, conn->oauth_discovery_uri);
 	if (err)
 	{
@@ -201,18 +211,22 @@ get_auth_token(PGconn *conn)
 							 libpq_gettext("issuer does not support device authorization"));
 		goto cleanup;
 	}
+	
+	//default device flow
+	int session_response_type = I_RESPONSE_TYPE_DEVICE_CODE; 
+	auth_method = I_TOKEN_AUTH_METHOD_NONE;
+	if (conn->oauth_client_secret && *conn->oauth_client_secret)
+	{
+		auth_method = I_TOKEN_AUTH_METHOD_SECRET_BASIC;
+	}
 
-	err = i_set_response_type(&session, I_RESPONSE_TYPE_DEVICE_CODE);
+	err = i_set_response_type(&session, session_response_type);
 	if (err)
 	{
 		iddawc_error(conn, err, "failed to set device code response type");
 		goto cleanup;
 	}
 
-	auth_method = I_TOKEN_AUTH_METHOD_NONE;
-	if (conn->oauth_client_secret && *conn->oauth_client_secret)
-		auth_method = I_TOKEN_AUTH_METHOD_SECRET_BASIC;
-
 	err = i_set_parameter_list(&session,
 		I_OPT_CLIENT_ID, conn->oauth_client_id,
 		I_OPT_CLIENT_SECRET, conn->oauth_client_secret,
@@ -250,6 +264,18 @@ get_auth_token(PGconn *conn)
 		goto cleanup;
 	}
 
+	if (conn->oauth_client_secret && *conn->oauth_client_secret)
+	{
+		session_response_type = I_RESPONSE_TYPE_CLIENT_CREDENTIALS;
+	}
+	
+	err = i_set_response_type(&session, session_response_type);
+	if (err)
+	{
+		iddawc_error(conn, err, "failed to set session response type");
+		goto cleanup;
+	}
+
 	/*
 	 * Poll the token endpoint until either the user logs in and authorizes the
 	 * use of a token, or a hard failure occurs. We perform one ping _before_
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 2ff450ce05..5d804c8c0d 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -361,6 +361,10 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
 		"OAuth-Scope", "", 15,
 	offsetof(struct pg_conn, oauth_scope)},
 
+	{"oauth_bearer_token", NULL, NULL, NULL,
+		"OAuth-Bearer", "", 20,
+	offsetof(struct pg_conn, oauth_bearer_token)},
+
 	/* Terminating entry --- MUST BE LAST */
 	{NULL, NULL, NULL, NULL,
 	NULL, NULL, 0}
@@ -4200,6 +4204,8 @@ freePGconn(PGconn *conn)
 		free(conn->oauth_discovery_uri);
 	if (conn->oauth_client_id)
 		free(conn->oauth_client_id);
+	if(conn->oauth_bearer_token)
+		free(conn->oauth_bearer_token);
 	if (conn->oauth_client_secret)
 		free(conn->oauth_client_secret);
 	if (conn->oauth_scope)
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 1b4de3dff0..91e71afe14 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -402,6 +402,7 @@ struct pg_conn
 	char	   *oauth_client_id;		/* client identifier */
 	char	   *oauth_client_secret;	/* client secret */
 	char	   *oauth_scope;			/* access token scope */
+	char       *oauth_bearer_token;		/* oauth token */
 	bool		oauth_want_retry;		/* should we retry on failure? */
 
 	/* Optional file to write trace info to */

diff --git a/src/backend/libpq/auth-oauth.c b/src/backend/libpq/auth-oauth.c
index 3a625847f3..f213a40b65 100644
--- a/src/backend/libpq/auth-oauth.c
+++ b/src/backend/libpq/auth-oauth.c
@@ -24,15 +24,23 @@
 #include "libpq/hba.h"
 #include "libpq/oauth.h"
 #include "libpq/sasl.h"
+#include "miscadmin.h"
 #include "storage/fd.h"
 
 /* GUC */
 char *oauth_validator_command;
+static OAuthProvider* oauth_provider = NULL;
+
+/*----------------------------------------------------------------
+ * OAuth Authentication
+ *----------------------------------------------------------------
+ */
+static List *oauth_providers = NIL;
 
 static void  oauth_get_mechanisms(Port *port, StringInfo buf);
 static void *oauth_init(Port *port, const char *selected_mech, const char *shadow_pass);
 static int   oauth_exchange(void *opaq, const char *input, int inputlen,
-							char **output, int *outputlen, char **logdetail);
+							char **output, int *outputlen, const char **logdetail);
 
 /* Mechanism declaration */
 const pg_be_sasl_mech pg_be_oauth_mech = {
@@ -43,7 +51,6 @@ const pg_be_sasl_mech pg_be_oauth_mech = {
 	PG_MAX_AUTH_TOKEN_LENGTH,
 };
 
-
 typedef enum
 {
 	OAUTH_STATE_INIT = 0,
@@ -62,7 +69,7 @@ struct oauth_ctx
 static char *sanitize_char(char c);
 static char *parse_kvpairs_for_auth(char **input);
 static void generate_error_response(struct oauth_ctx *ctx, char **output, int *outputlen);
-static bool validate(Port *port, const char *auth, char **logdetail);
+static bool validate(Port *port, const char *auth, const char **logdetail);
 static bool run_validator_command(Port *port, const char *token);
 static bool check_exit(FILE **fh, const char *command);
 static bool unset_cloexec(int fd);
@@ -72,6 +79,86 @@ static bool username_ok_for_shell(const char *username);
 #define AUTH_KEY "auth"
 #define BEARER_SCHEME "Bearer "
 
+#include "utils/memutils.h"
+
+/*----------------------------------------------------------------
+ * OAuth Token Validator
+ *----------------------------------------------------------------
+ */
+
+/*
+ * RegistorOAuthProvider registers a OAuth Token Validator to be
+ * used for oauth token validation. It validates the token and adds the valiator
+ * name and it's hooks to a list of loaded token validator. The right validator's
+ * hooks can then be called based on the validator name specified in
+ * pg_hba.conf.
+ *
+ * This function should be called in _PG_init() by any extension looking to
+ * add a custom authentication method.
+ */
+void
+RegistorOAuthProvider(
+	const char *provider_name,
+	OAuthProviderCheck_hook_type OAuthProviderCheck_hook,
+	OAuthProviderError_hook_type OAuthProviderError_hook,
+	OAuthProviderOptions_hook_type OAuthProviderOptions_hook
+)
+{	
+	if (!process_shared_preload_libraries_in_progress)
+	{
+		ereport(ERROR,
+			(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
+			errmsg("RegistorOAuthProvider can only be called by a shared_preload_library")));
+		return;
+	}
+
+	MemoryContext oldcxt;
+	if (oauth_provider == NULL)
+	{
+		oldcxt = MemoryContextSwitchTo(TopMemoryContext);
+		oauth_provider = palloc(sizeof(OAuthProvider));
+		oauth_provider->name = pstrdup(provider_name);
+		oauth_provider->oauth_provider_hook = OAuthProviderCheck_hook;
+		oauth_provider->oauth_error_hook = OAuthProviderError_hook;
+		oauth_provider->oauth_options_hook = OAuthProviderOptions_hook;
+		oauth_providers = lappend(oauth_providers, oauth_provider);
+		MemoryContextSwitchTo(oldcxt);	
+	}
+	else
+	{
+		if (oauth_provider && oauth_provider->name)
+		{
+			ereport(ERROR,
+				(errmsg("OAuth provider \"%s\" is already loaded.",
+					oauth_provider->name)));
+		}
+		else
+		{
+			ereport(ERROR,
+				(errmsg("OAuth provider is already loaded.")));
+		}
+	}
+}
+
+/*
+ * Returns the oauth provider (which includes it's
+ * callback functions) based on name specified.
+ */
+OAuthProvider *get_provider_by_name(const char *name)
+{
+	ListCell *lc;
+	foreach(lc, oauth_providers)
+	{
+		OAuthProvider *provider = (OAuthProvider *) lfirst(lc);		
+		if (strcmp(provider->name, name) == 0)
+		{
+			return provider;
+		}
+	}
+
+	return NULL;
+}
+
 static void
 oauth_get_mechanisms(Port *port, StringInfo buf)
 {
@@ -102,9 +189,32 @@ oauth_init(Port *port, const char *selected_mech, const char *shadow_pass)
 	return ctx;
 }
 
+static void process_oauth_flow_type(pg_oauth_flow_type flow_type, struct oauth_ctx *ctx, char **output, int *outputlen)
+{
+	StringInfoData	buf;
+	initStringInfo(&buf);
+
+	OAuthProviderOptions *oauth_options = oauth_provider->oauth_options_hook(flow_type);
+	ctx->scope = oauth_options->scope;
+	ctx->issuer = oauth_options->issuer_url;
+	appendStringInfo(&buf,
+		"{ "
+			"\"status\": \"invalid_token\", "
+			"\"openid-configuration\": \"%s/.well-known/openid-configuration\","	
+			"\"scope\": \"%s\""
+		"}",
+		oauth_options->issuer_url,
+		oauth_options->scope);
+
+	*output = buf.data;
+	*outputlen = buf.len;
+	
+	pfree(oauth_options);
+}
+
 static int
 oauth_exchange(void *opaq, const char *input, int inputlen,
-			   char **output, int *outputlen, char **logdetail)
+			   char **output, int *outputlen, const char **logdetail)
 {
 	char   *p;
 	char	cbind_flag;
@@ -247,11 +357,17 @@ oauth_exchange(void *opaq, const char *input, int inputlen,
 				(errcode(ERRCODE_PROTOCOL_VIOLATION),
 				 errmsg("malformed OAUTHBEARER message"),
 				 errdetail("Message contains additional data after the final terminator.")));
-
-	if (!validate(ctx->port, auth, logdetail))
+	
+	/* if not Bearer, process flow_type*/
+	if (strncasecmp(auth, BEARER_SCHEME, strlen(BEARER_SCHEME)))
+	{
+		process_oauth_flow_type(atoi(auth), ctx, output, outputlen);
+		ctx->state = OAUTH_STATE_ERROR;
+		return PG_SASL_EXCHANGE_CONTINUE;
+	}
+	else if(!validate(ctx->port, auth, logdetail))
 	{
 		generate_error_response(ctx, output, outputlen);
-
 		ctx->state = OAUTH_STATE_ERROR;
 		return PG_SASL_EXCHANGE_CONTINUE;
 	}
@@ -415,7 +531,7 @@ generate_error_response(struct oauth_ctx *ctx, char **output, int *outputlen)
 }
 
 static bool
-validate(Port *port, const char *auth, char **logdetail)
+validate(Port *port, const char *auth, const char **logdetail)
 {
 	static const char * const b64_set = "abcdefghijklmnopqrstuvwxyz"
 										"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
@@ -508,7 +624,7 @@ validate(Port *port, const char *auth, char **logdetail)
 		return true;
 	}
 
-		/* Make sure the validator authenticated the user. */
+	/* Make sure the validator authenticated the user. */
 	if (!MyClientConnectionInfo.authn_id)
 	{
 		/* TODO: use logdetail; reduce message duplication */
@@ -518,199 +634,22 @@ validate(Port *port, const char *auth, char **logdetail)
 		return false;
 	}
 
-	/* Finally, check the user map. */
-	ret = check_usermap(port->hba->usermap, port->user_name,
-						MyClientConnectionInfo.authn_id, false);
+	 /* Finally, check the user map. */
+        ret = check_usermap(port->hba->usermap, port->user_name,
+                                              MyClientConnectionInfo.authn_id, false);
 	return (ret == STATUS_OK);
 }
 
 static bool
 run_validator_command(Port *port, const char *token)
 {
-	bool		success = false;
-	int			rc;
-	int			pipefd[2];
-	int			rfd = -1;
-	int			wfd = -1;
-
-	StringInfoData command = { 0 };
-	char	   *p;
-	FILE	   *fh = NULL;
-
-	ssize_t		written;
-	char	   *line = NULL;
-	size_t		size = 0;
-	ssize_t		len;
-
-	Assert(oauth_validator_command);
-
-	if (!oauth_validator_command[0])
-	{
-		ereport(COMMERROR,
-				(errmsg("oauth_validator_command is not set"),
-				 errhint("To allow OAuth authenticated connections, set "
-						 "oauth_validator_command in postgresql.conf.")));
-		return false;
-	}
-
-	/*
-	 * Since popen() is unidirectional, open up a pipe for the other direction.
-	 * Use CLOEXEC to ensure that our write end doesn't accidentally get copied
-	 * into child processes, which would prevent us from closing it cleanly.
-	 *
-	 * XXX this is ugly. We should just read from the child process's stdout,
-	 * but that's a lot more code.
-	 * XXX by bypassing the popen API, we open the potential of process
-	 * deadlock. Clearly document child process requirements (i.e. the child
-	 * MUST read all data off of the pipe before writing anything).
-	 * TODO: port to Windows using _pipe().
-	 */
-	rc = pipe2(pipefd, O_CLOEXEC);
-	if (rc < 0)
-	{
-		ereport(COMMERROR,
-				(errcode_for_file_access(),
-				 errmsg("could not create child pipe: %m")));
-		return false;
-	}
-
-	rfd = pipefd[0];
-	wfd = pipefd[1];
-
-	/* Allow the read pipe be passed to the child. */
-	if (!unset_cloexec(rfd))
-	{
-		/* error message was already logged */
-		goto cleanup;
-	}
-
-	/*
-	 * Construct the command, substituting any recognized %-specifiers:
-	 *
-	 *   %f: the file descriptor of the input pipe
-	 *   %r: the role that the client wants to assume (port->user_name)
-	 *   %%: a literal '%'
-	 */
-	initStringInfo(&command);
-
-	for (p = oauth_validator_command; *p; p++)
-	{
-		if (p[0] == '%')
-		{
-			switch (p[1])
-			{
-				case 'f':
-					appendStringInfo(&command, "%d", rfd);
-					p++;
-					break;
-				case 'r':
-					/*
-					 * TODO: decide how this string should be escaped. The role
-					 * is controlled by the client, so if we don't escape it,
-					 * command injections are inevitable.
-					 *
-					 * This is probably an indication that the role name needs
-					 * to be communicated to the validator process in some other
-					 * way. For this proof of concept, just be incredibly strict
-					 * about the characters that are allowed in user names.
-					 */
-					if (!username_ok_for_shell(port->user_name))
-						goto cleanup;
-
-					appendStringInfoString(&command, port->user_name);
-					p++;
-					break;
-				case '%':
-					appendStringInfoChar(&command, '%');
-					p++;
-					break;
-				default:
-					appendStringInfoChar(&command, p[0]);
-			}
-		}
-		else
-			appendStringInfoChar(&command, p[0]);
-	}
-
-	/* Execute the command. */
-	fh = OpenPipeStream(command.data, "re");
-	/* TODO: handle failures */
-
-	/* We don't need the read end of the pipe anymore. */
-	close(rfd);
-	rfd = -1;
-
-	/* Give the command the token to validate. */
-	written = write(wfd, token, strlen(token));
-	if (written != strlen(token))
-	{
-		/* TODO must loop for short writes, EINTR et al */
-		ereport(COMMERROR,
-				(errcode_for_file_access(),
-				 errmsg("could not write token to child pipe: %m")));
-		goto cleanup;
-	}
-
-	close(wfd);
-	wfd = -1;
-
-	/*
-	 * Read the command's response.
-	 *
-	 * TODO: getline() is probably too new to use, unfortunately.
-	 * TODO: loop over all lines
-	 */
-	if ((len = getline(&line, &size, fh)) >= 0)
-	{
-		/* TODO: fail if the authn_id doesn't end with a newline */
-		if (len > 0)
-			line[len - 1] = '\0';
-
-		set_authn_id(port, line);
-	}
-	else if (ferror(fh))
-	{
-		ereport(COMMERROR,
-				(errcode_for_file_access(),
-				 errmsg("could not read from command \"%s\": %m",
-						command.data)));
-		goto cleanup;
-	}
-
-	/* Make sure the command exits cleanly. */
-	if (!check_exit(&fh, command.data))
+	int result = oauth_provider->oauth_provider_hook(port, token);
+	if(result == STATUS_OK)
 	{
-		/* error message already logged */
-		goto cleanup;
-	}
-
-	/* Done. */
-	success = true;
-
-cleanup:
-	if (line)
-		free(line);
-
-	/*
-	 * In the successful case, the pipe fds are already closed. For the error
-	 * case, always close out the pipe before waiting for the command, to
-	 * prevent deadlock.
-	 */
-	if (rfd >= 0)
-		close(rfd);
-	if (wfd >= 0)
-		close(wfd);
-
-	if (fh)
-	{
-		Assert(!success);
-		check_exit(&fh, command.data);
+		set_authn_id(port, port->user_name);
+		return true;
 	}
-
-	if (command.data)
-		pfree(command.data);
-
-	return success;
+	return false;
 }
 
 static bool
@@ -780,7 +719,7 @@ username_ok_for_shell(const char *username)
 	/* This set is borrowed from fe_utils' appendShellStringNoError(). */
 	static const char * const allowed = "abcdefghijklmnopqrstuvwxyz"
 										"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
-										"0123456789-_./:";
+										"0123456789-_./@:";
 	size_t	span;
 
 	Assert(username && username[0]); /* should have already been checked */
diff --git a/src/include/libpq/auth.h b/src/include/libpq/auth.h
index b62457d57c..7b7b6ff9aa 100644
--- a/src/include/libpq/auth.h
+++ b/src/include/libpq/auth.h
@@ -28,6 +28,41 @@ extern void set_authn_id(Port *port, const char *id);
 /* Hook for plugins to get control in ClientAuthentication() */
 typedef void (*ClientAuthentication_hook_type) (Port *, int);
 extern PGDLLIMPORT ClientAuthentication_hook_type ClientAuthentication_hook;
+/* Declarations for oAuth authentication providers */
+typedef int (*OAuthProviderCheck_hook_type) (Port *, const char*);
+
+/* Hook for plugins to report error messages in validation_failed() */
+typedef const char * (*OAuthProviderError_hook_type) (Port *);
+
+/* Hook for plugins to validate oauth provider options */
+typedef bool (*OAuthProviderValidateOptions_hook_type)
+			 (char *, char *, HbaLine *, char **);
+
+typedef struct OAuthProviderOptions
+{
+	char				*issuer_url;
+	char 				*scope;
+} OAuthProviderOptions;
+
+/* Hook for plugins to get oauth params */
+typedef OAuthProviderOptions *(*OAuthProviderOptions_hook_type) (pg_oauth_flow_type);
+
+typedef struct OAuthProvider
+{
+	const char *name;
+	OAuthProviderCheck_hook_type oauth_provider_hook;
+	OAuthProviderError_hook_type oauth_error_hook;	
+	OAuthProviderOptions_hook_type oauth_options_hook;
+} OAuthProvider;
+
+extern void RegistorOAuthProvider
+		(const char *provider_name,
+		OAuthProviderCheck_hook_type OAuthProviderCheck_hook,
+		OAuthProviderError_hook_type OAuthProviderError_hook,		
+		OAuthProviderOptions_hook_type OAuthProviderParams_hook
+		);
+
+extern OAuthProvider *get_provider_by_name(const char *name);
 #define PG_MAX_AUTH_TOKEN_LENGTH	65535
 
 #endif							/* AUTH_H */
diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h
index 6d452ec6d9..f7bbb9dcf4 100644
--- a/src/include/libpq/libpq-be.h
+++ b/src/include/libpq/libpq-be.h
@@ -68,6 +68,17 @@ typedef enum CAC_state
 	CAC_TOOMANY
 } CAC_state;
 
+/* OAuth flow types */
+typedef enum pg_oauth_flow_type
+{
+	OAUTH_DEVICE_CODE,
+	OAUTH_CLIENT_CREDENTIALS,
+	OAUTH_AUTH,
+	OAUTH_AUTH_PKCE,
+	OAUTH_REFRESH_TOKEN,
+	OAUTH_NONE
+} pg_oauth_flow_type;
+
 
 /*
  * GSSAPI specific state information
diff --git a/src/interfaces/libpq/fe-auth-oauth.c b/src/interfaces/libpq/fe-auth-oauth.c
index 91d2c69f16..1ba2e033c4 100644
--- a/src/interfaces/libpq/fe-auth-oauth.c
+++ b/src/interfaces/libpq/fe-auth-oauth.c
@@ -142,6 +142,43 @@ iddawc_request_error(PGconn *conn, struct _i_session *i, int err, const char *ms
 	appendPQExpBuffer(&conn->errorMessage, "(%s)\n", error_code);
 }
 
+static pg_oauth_flow_type oauth_get_flow_type(const char *oauthflow)
+{
+	pg_oauth_flow_type flow_type;
+
+	if(!oauthflow)
+	{
+		return OAUTH_NONE;
+	}
+
+	/* client_secret, device_code, auth_code_pkce, refresh_token */
+	if(strcmp(oauthflow, "device_code") == 0)
+	{
+		flow_type = OAUTH_DEVICE_CODE;
+	}
+	else if(strcmp(oauthflow, "client_secret") == 0)
+	{
+		flow_type = OAUTH_CLIENT_CREDENTIALS;
+	}
+	else if(strcmp(oauthflow, "auth_code_pkce") == 0)
+	{
+		flow_type = OAUTH_AUTH_PKCE;
+	}
+	else if(strcmp(oauthflow, "refresh_token") == 0)
+	{
+		flow_type = OAUTH_REFRESH_TOKEN;
+	}
+	else if(strcmp(oauthflow, "auth_code"))
+	{
+		flow_type = OAUTH_AUTH_CODE;
+	}
+	else
+	{
+		flow_type = OAUTH_NONE;
+	}
+	return flow_type;
+}
+
 static char *
 get_auth_token(PGconn *conn)
 {
@@ -150,29 +187,44 @@ get_auth_token(PGconn *conn)
 	int			err;
 	int			auth_method;
 	bool		user_prompted = false;
-	const char *verification_uri;
-	const char *user_code;
-	const char *access_token;
-	const char *token_type;
-	char	   *token = NULL;
-
+	char 	*verification_uri;
+	char 	*user_code;
+	char 	*access_token;
+	char 	*refresh_token;	
+	char 	*token_type;
+	pg_oauth_flow_type flow_type;
+	char	   *token = NULL;	
+	uint session_response_type;
+	PGOAuthMsgObj oauthMsgObj;
+
+	MemSet(&oauthMsgObj, 0x00, sizeof(PGOAuthMsgObj));
+	
 	if (!conn->oauth_discovery_uri)
 		return strdup(""); /* ask the server for one */
 
-	i_init_session(&session);
-
 	if (!conn->oauth_client_id)
 	{
 		/* We can't talk to a server without a client identifier. */
 		appendPQExpBufferStr(&conn->errorMessage,
 							 libpq_gettext("no oauth_client_id is set for the connection"));
-		goto cleanup;
+		return NULL;
 	}
 
-	token_buf = createPQExpBuffer();
+	i_init_session(&session);
 
+	token_buf = createPQExpBuffer();
 	if (!token_buf)
 		goto cleanup;
+	
+	if(conn->oauth_bearer_token)
+	{
+		appendPQExpBufferStr(token_buf, "Bearer ");
+		appendPQExpBufferStr(token_buf, conn->oauth_bearer_token);
+		if (PQExpBufferBroken(token_buf))
+			goto cleanup;
+		token = strdup(token_buf->data);
+		goto cleanup;
+	}
 
 	err = i_set_str_parameter(&session, I_OPT_OPENID_CONFIG_ENDPOINT, conn->oauth_discovery_uri);
 	if (err)
@@ -181,6 +233,8 @@ get_auth_token(PGconn *conn)
 		goto cleanup;
 	}
 
+	flow_type = oauth_get_flow_type(conn->oauth_flow_type);
+
 	err = i_get_openid_config(&session);
 	if (err)
 	{
@@ -201,18 +255,64 @@ get_auth_token(PGconn *conn)
 							 libpq_gettext("issuer does not support device authorization"));
 		goto cleanup;
 	}
+	auth_method = I_TOKEN_AUTH_METHOD_NONE;
+
+	/* for refresh token flow, do not run auth request*/
+	if(flow_type == OAUTH_REFRESH_TOKEN && conn->oauth_refresh_token)
+	{
+		err = i_set_parameter_list(&session,
+		I_OPT_CLIENT_ID, conn->oauth_client_id,
+		I_OPT_REFRESH_TOKEN, conn->oauth_refresh_token,
+		I_OPT_RESPONSE_TYPE, I_RESPONSE_TYPE_REFRESH_TOKEN,
+		I_OPT_TOKEN_METHOD, auth_method,
+		I_OPT_CLIENT_SECRET, conn->oauth_client_secret,
+		I_OPT_SCOPE, conn->oauth_scope,
+		I_OPT_NONE
+		);
+
+		if (err)
+		{
+			iddawc_error(conn, err, "failed to set refresh token flow parameters");
+			goto cleanup;
+		}
 
-	err = i_set_response_type(&session, I_RESPONSE_TYPE_DEVICE_CODE);
+		err = i_run_token_request(&session);
+		if (err)
+		{
+			iddawc_request_error(conn, &session, err,
+								 "failed to obtain token authorization with refresh token flow");
+			goto cleanup;
+		}
+
+		access_token = i_get_str_parameter(&session, I_OPT_ACCESS_TOKEN);
+		token_type = i_get_str_parameter(&session, I_OPT_TOKEN_TYPE);
+		
+		if (!access_token || !token_type || strcasecmp(token_type, "Bearer"))
+		{
+			appendPQExpBufferStr(&conn->errorMessage,
+								 libpq_gettext("issuer did not provide a bearer token"));
+			goto cleanup;
+		}
+
+		appendPQExpBufferStr(token_buf, "Bearer ");
+		appendPQExpBufferStr(token_buf, access_token);
+
+		if (PQExpBufferBroken(token_buf))
+			goto cleanup;
+
+		token = strdup(token_buf->data);
+		return token;
+	}
+
+	//default device flow
+	session_response_type = I_RESPONSE_TYPE_DEVICE_CODE; 	
+	err = i_set_response_type(&session, session_response_type);
 	if (err)
 	{
 		iddawc_error(conn, err, "failed to set device code response type");
 		goto cleanup;
 	}
 
-	auth_method = I_TOKEN_AUTH_METHOD_NONE;
-	if (conn->oauth_client_secret && *conn->oauth_client_secret)
-		auth_method = I_TOKEN_AUTH_METHOD_SECRET_BASIC;
-
 	err = i_set_parameter_list(&session,
 		I_OPT_CLIENT_ID, conn->oauth_client_id,
 		I_OPT_CLIENT_SECRET, conn->oauth_client_secret,
@@ -225,7 +325,7 @@ get_auth_token(PGconn *conn)
 		iddawc_error(conn, err, "failed to set client identifier");
 		goto cleanup;
 	}
-
+	
 	err = i_run_device_auth_request(&session);
 	if (err)
 	{
@@ -278,14 +378,15 @@ get_auth_token(PGconn *conn)
 
 		if (!user_prompted)
 		{
+			oauthMsgObj.verification_uri = verification_uri;
+			oauthMsgObj.user_code = user_code;
+			conn->oauthNoticeHooks.noticeRecArg = (void*) &oauthMsgObj;
+
 			/*
 			 * Now that we know the token endpoint isn't broken, give the user
 			 * the login instructions.
-			 */
-			pqInternalNotice(&conn->noticeHooks,
-							 "Visit %s and enter the code: %s",
-							 verification_uri, user_code);
-
+			 */			
+			pqInternalOAuthNotice(&conn->oauthNoticeHooks, "");
 			user_prompted = true;
 		}
 
@@ -300,7 +401,7 @@ get_auth_token(PGconn *conn)
 		 * A slow_down error requires us to permanently increase our retry
 		 * interval by five seconds. RFC 8628, Sec. 3.5.
 		 */
-		if (!strcmp(error_code, "slow_down"))
+		//if (!strcmp(error_code, "slow_down"))
 		{
 			interval += 5;
 			i_set_int_parameter(&session, I_OPT_DEVICE_AUTH_INTERVAL, interval);
@@ -323,6 +424,14 @@ get_auth_token(PGconn *conn)
 
 	access_token = i_get_str_parameter(&session, I_OPT_ACCESS_TOKEN);
 	token_type = i_get_str_parameter(&session, I_OPT_TOKEN_TYPE);
+	refresh_token = i_get_str_parameter(&session, I_OPT_REFRESH_TOKEN);
+	
+	if(refresh_token)
+	{
+		MemSet(&oauthMsgObj, 0x00, sizeof(PGOAuthMsgObj));
+		oauthMsgObj.refresh_token = refresh_token;
+		pqInternalOAuthNotice(&conn->oauthNoticeHooks, "");
+	}
 
 	if (!access_token || !token_type || strcasecmp(token_type, "Bearer"))
 	{
@@ -358,6 +467,8 @@ client_initial_response(PGconn *conn)
 	PQExpBuffer	discovery_buf = NULL;
 	char	   *token = NULL;
 	char	   *response = NULL;
+	pg_oauth_flow_type flow_type;
+	char		oauth_flow_str[3];
 
 	token_buf = createPQExpBuffer();
 	if (!token_buf)
@@ -385,8 +496,26 @@ client_initial_response(PGconn *conn)
 	token = get_auth_token(conn);
 	if (!token)
 		goto cleanup;
-
+	
+	if(strcmp(token, "") == 0)
+	{
+		flow_type = oauth_get_flow_type(conn->oauth_flow_type);
+		if(flow_type == OAUTH_NONE)
+		{
+			appendPQExpBufferStr(&conn->errorMessage,
+								 libpq_gettext("value passed in oauth_flow_type is not valid."\
+								 "supported flows: client_secret, device_code, auth_code_pkce, refresh_token\n"));
+			goto cleanup;
+		}
+		else
+		{
+			sprintf(oauth_flow_str, "%d", flow_type);
+			token = strdup(oauth_flow_str);
+		}
+	}	
 	appendPQExpBuffer(token_buf, resp_format, token);
+//	elog(INFO, "fe-flowtype: %s", token);
+
 	if (PQExpBufferBroken(token_buf))
 		goto cleanup;
 
@@ -406,6 +535,9 @@ cleanup:
 #define ERROR_STATUS_FIELD "status"
 #define ERROR_SCOPE_FIELD "scope"
 #define ERROR_OPENID_CONFIGURATION_FIELD "openid-configuration"
+#define ERROR_ISSUER_URL_FIELD  "issuer"
+#define ERROR_AUTH_ENDPOINT_FIELD  "authorization_endpoint"
+#define ERROR_TOKEN_ENDPOINT_FIELD  "token_endpoint"
 
 struct json_ctx
 {
@@ -420,6 +552,9 @@ struct json_ctx
 	char		   *status;
 	char		   *scope;
 	char		   *discovery_uri;
+	char		   *issuer_url;
+	char		   *auth_endpoint;
+	char		   *token_endpoint;
 };
 
 #define oauth_json_has_error(ctx) \
@@ -491,6 +626,21 @@ oauth_json_object_field_start(void *state, char *name, bool isnull)
 			ctx->target_field_name = ERROR_OPENID_CONFIGURATION_FIELD;
 			ctx->target_field = &ctx->discovery_uri;
 		}
+		else if(!strcmp(name, ERROR_ISSUER_URL_FIELD))
+		{
+			ctx->target_field_name = ERROR_ISSUER_URL_FIELD;
+			ctx->target_field = &ctx->issuer_url;
+		}
+		else if(!strcmp(name, ERROR_AUTH_ENDPOINT_FIELD))
+		{
+			ctx->target_field_name = ERROR_AUTH_ENDPOINT_FIELD;
+			ctx->target_field = &ctx->auth_endpoint;
+		}
+		else if(!strcmp(name, ERROR_TOKEN_ENDPOINT_FIELD))
+		{
+			ctx->target_field_name = ERROR_TOKEN_ENDPOINT_FIELD;
+			ctx->target_field = &ctx->token_endpoint;
+		}
 	}
 
 	free(name);
@@ -627,6 +777,15 @@ handle_oauth_sasl_error(PGconn *conn, char *msg, int msglen)
 
 		conn->oauth_scope = ctx.scope;
 	}
+
+	if(ctx.issuer_url)
+	{
+		if(conn->oauth_issuer)
+			free(conn->oauth_issuer);
+
+		conn->oauth_issuer = ctx.issuer_url;		
+	}
+
 	/* TODO: missing error scope should clear any existing connection scope */
 
 	if (!ctx.status)
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 64f27fee18..e6e8dc48e2 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -358,6 +358,18 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
 		"OAuth-Scope", "", 15,
 	offsetof(struct pg_conn, oauth_scope)},
 
+	{"oauth_bearer_token", NULL, NULL, NULL,
+		"OAuth-Bearer", "", 20,
+	offsetof(struct pg_conn, oauth_bearer_token)},
+
+	{"oauth_flow_type", NULL, NULL, NULL,
+		"OAuth-Flow-Type", "", 20,
+	offsetof(struct pg_conn, oauth_flow_type)},
+
+	{"oauth_refresh_token", NULL, NULL, NULL,
+		"OAuth-Refresh-Token", "", 40,
+	offsetof(struct pg_conn, oauth_refresh_token)},
+	
 	/* Terminating entry --- MUST BE LAST */
 	{NULL, NULL, NULL, NULL,
 	NULL, NULL, 0}
@@ -427,6 +439,7 @@ static PQconninfoOption *conninfo_find(PQconninfoOption *connOptions,
 									   const char *keyword);
 static void defaultNoticeReceiver(void *arg, const PGresult *res);
 static void defaultNoticeProcessor(void *arg, const char *message);
+static void OAuthMsgObjReceiver(void *arg, const PGresult *res);
 static int	parseServiceInfo(PQconninfoOption *options,
 							 PQExpBuffer errorMessage);
 static int	parseServiceFile(const char *serviceFile,
@@ -3926,6 +3939,7 @@ makeEmptyPGconn(void)
 	/* install default notice hooks */
 	conn->noticeHooks.noticeRec = defaultNoticeReceiver;
 	conn->noticeHooks.noticeProc = defaultNoticeProcessor;
+	conn->oauthNoticeHooks.noticeRec = OAuthMsgObjReceiver;
 
 	conn->status = CONNECTION_BAD;
 	conn->asyncStatus = PGASYNC_IDLE;
@@ -4073,6 +4087,12 @@ freePGconn(PGconn *conn)
 		free(conn->oauth_client_secret);
 	if (conn->oauth_scope)
 		free(conn->oauth_scope);
+	if(conn->oauth_bearer_token)
+		free(conn->oauth_bearer_token);
+	if(conn->oauth_flow_type)
+		free(conn->oauth_flow_type);	
+	if(conn->oauth_refresh_token)
+		free(conn->oauth_refresh_token);
 	termPQExpBuffer(&conn->errorMessage);
 	termPQExpBuffer(&conn->workBuffer);
 
@@ -6991,6 +7011,32 @@ defaultNoticeProcessor(void *arg, const char *message)
 	fprintf(stderr, "%s", message);
 }
 
+static void
+OAuthMsgObjReceiver(void *arg, const PGresult *res)
+{
+	PGOAuthMsgObj *oauthMsg = (PGOAuthMsgObj *) arg;
+
+	if(oauthMsg->message)
+	{
+		fprintf(stderr, "%s\n", oauthMsg->message);
+	}
+
+	if(oauthMsg->verification_uri)
+	{
+		fprintf(stderr, "Visit: %s\n", oauthMsg->verification_uri);
+	}
+
+	if(oauthMsg->user_code)
+	{
+		fprintf(stderr, "Enter: %s\n", oauthMsg->user_code);
+	}
+
+	if(oauthMsg->refresh_token)
+	{
+		fprintf(stderr, "Refresh Token: %s\n", oauthMsg->refresh_token);
+	}
+}
+
 /*
  * returns a pointer to the next token or NULL if the current
  * token doesn't match
diff --git a/src/interfaces/libpq/fe-exec.c b/src/interfaces/libpq/fe-exec.c
index da229d632a..4789c1a1fe 100644
--- a/src/interfaces/libpq/fe-exec.c
+++ b/src/interfaces/libpq/fe-exec.c
@@ -976,6 +976,58 @@ pqInternalNotice(const PGNoticeHooks *hooks, const char *fmt,...)
 	PQclear(res);
 }
 
+/*
+ * pqInternalOAuthNotice - it is similar to pqInternalNotice
+ * except that OAuthNoticeHooks are invoked.
+ */
+void
+pqInternalOAuthNotice(const PGOAuthNoticeHooks *hooks, const char *fmt,...)
+{
+	char		msgBuf[1024];
+	va_list		args;
+	PGresult   *res;
+
+	if (hooks->noticeRec == NULL)
+		return;					/* nobody home to receive notice? */
+
+	/* Format the message */
+	va_start(args, fmt);
+	vsnprintf(msgBuf, sizeof(msgBuf), libpq_gettext(fmt), args);
+	va_end(args);
+	msgBuf[sizeof(msgBuf) - 1] = '\0';	/* make real sure it's terminated */
+
+	/* Make a PGresult to pass to the notice receiver */
+	res = PQmakeEmptyPGresult(NULL, PGRES_NONFATAL_ERROR);
+	if (!res)
+		return;
+	res->oauthNoticeHooks = *hooks;
+	res->oauthNoticeHooks.noticeRecArg = hooks->noticeRecArg;
+
+	/*
+	 * Set up fields of notice.
+	 */
+	pqSaveMessageField(res, PG_DIAG_MESSAGE_PRIMARY, msgBuf);
+	pqSaveMessageField(res, PG_DIAG_SEVERITY, libpq_gettext("NOTICE"));
+	pqSaveMessageField(res, PG_DIAG_SEVERITY_NONLOCALIZED, "NOTICE");
+	/* XXX should provide a SQLSTATE too? */
+
+	/*
+	 * Result text is always just the primary message + newline.  If we can't
+	 * allocate it, substitute "out of memory", as in pqSetResultError.
+	 */
+	res->errMsg = (char *) pqResultAlloc(res, strlen(msgBuf) + 2, false);
+	if (res->errMsg)
+		sprintf(res->errMsg, "%s\n", msgBuf);
+	else
+		res->errMsg = libpq_gettext("out of memory\n");
+
+	/*
+	 * Pass to receiver, then free it.
+	 */
+	res->oauthNoticeHooks.noticeRec(res->oauthNoticeHooks.noticeRecArg, res);
+	PQclear(res);
+}
+
 /*
  * pqAddTuple
  *	  add a row pointer to the PGresult structure, growing it if necessary
diff --git a/src/interfaces/libpq/libpq-fe.h b/src/interfaces/libpq/libpq-fe.h
index b7df3224c0..ee5b2e2b59 100644
--- a/src/interfaces/libpq/libpq-fe.h
+++ b/src/interfaces/libpq/libpq-fe.h
@@ -197,6 +197,9 @@ typedef struct pgNotify
 typedef void (*PQnoticeReceiver) (void *arg, const PGresult *res);
 typedef void (*PQnoticeProcessor) (void *arg, const char *message);
 
+/* Function types for notice-handling callbacks */
+typedef void (*PQOAuthNoticeReceiver) (void *arg, const PGresult *res);
+
 /* Print options for PQprint() */
 typedef char pqbool;
 
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index ae76ae0e8f..3155d81e00 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -157,6 +157,24 @@ typedef struct
 	void	   *noticeProcArg;
 } PGNoticeHooks;
 
+typedef struct
+{
+	char	*verification_uri; /* URI the user should go to with the user_code in order to sign in */
+	char	*user_code; /* used to identify the session on a secondary device */ 
+	char	*refresh_token;
+	char	*message;	/* string with instructions for the user. */
+	char	*response_error;	/*JSON error response (400 Bad Request) */
+	uint 	expires_in; /* number of seconds before the device_code expire */
+	uint 	interval; /* number of seconds the client should wait between polling requests */
+} PGOAuthMsgObj;
+
+/* Fields needed for oauth callback handling */
+typedef struct
+{
+	PQOAuthNoticeReceiver noticeRec; /* OAuth notice message receiver */
+	void	   *noticeRecArg;
+} PGOAuthNoticeHooks;
+
 typedef struct PGEvent
 {
 	PGEventProc proc;			/* the function to call on events */
@@ -186,6 +204,7 @@ struct pg_result
 	 * on the PGresult don't have to reference the PGconn.
 	 */
 	PGNoticeHooks noticeHooks;
+	PGOAuthNoticeHooks oauthNoticeHooks;
 	PGEvent    *events;
 	int			nEvents;
 	int			client_encoding;	/* encoding id */
@@ -343,6 +362,17 @@ typedef struct pg_conn_host
 								 * found in password file. */
 } pg_conn_host;
 
+typedef enum pg_oauth_flow_type
+{
+	OAUTH_DEVICE_CODE,
+	OAUTH_CLIENT_CREDENTIALS,
+	OAUTH_AUTH,
+	OAUTH_AUTH_PKCE,
+	OAUTH_REFRESH_TOKEN,
+	OAUTH_AUTH_CODE,
+	OAUTH_NONE
+} pg_oauth_flow_type;
+
 /*
  * PGconn stores all the state data associated with a single connection
  * to a backend.
@@ -403,6 +433,9 @@ struct pg_conn
 	char	   *oauth_client_id;		/* client identifier */
 	char	   *oauth_client_secret;	/* client secret */
 	char	   *oauth_scope;			/* access token scope */
+	char       *oauth_bearer_token;		/* oauth token */
+	char	   *oauth_flow_type;		/* oauth flow type */	
+	char	   *oauth_refresh_token;	/* refresh token */
 	bool		oauth_want_retry;		/* should we retry on failure? */
 
 	/* Optional file to write trace info to */
@@ -412,6 +445,9 @@ struct pg_conn
 	/* Callback procedures for notice message processing */
 	PGNoticeHooks noticeHooks;
 
+	/* Callback procedures for notifying messages during oauth flows*/
+	PGOAuthNoticeHooks oauthNoticeHooks;
+
 	/* Event procs registered via PQregisterEventProc */
 	PGEvent    *events;			/* expandable array of event data */
 	int			nEvents;		/* number of active events */
@@ -677,6 +713,7 @@ extern void pqClearAsyncResult(PGconn *conn);
 extern void pqSaveErrorResult(PGconn *conn);
 extern PGresult *pqPrepareAsyncResult(PGconn *conn);
 extern void pqInternalNotice(const PGNoticeHooks *hooks, const char *fmt,...) pg_attribute_printf(2, 3);
+extern void pqInternalOAuthNotice(const PGOAuthNoticeHooks *hooks, const char *fmt,...);
 extern void pqSaveMessageField(PGresult *res, char code,
 							   const char *value);
 extern void pqSaveParameterStatus(PGconn *conn, const char *name,

�+N�cv3-0002-backend-add-OAUTHBEARER-SASL-mechanishm.patch�<�w�F�?�_1e��`�v��Mv�7�q
n���=!
����d�v����H	p�6�ksN0������w�p��L��s7VWEvwj�7�w��;
?t��9s=)�tV]�����y����9�:�gO�t�z��/�z����j��~p�j��|x���]���E>�xt}�K)���d�����Q����:s/�Z^U�ELe{�T�L�p�X�H�Y���� rm���T���#�4�V0����S��TEU_}?/��j�b%���g'��
�R^������@_��Qo@�7"�P��� B-@��9�����tfr�~�/���D��#o�~�y[�_X)�k����O���n�k��6�.��5��"�HF�2j+�.CO.�[��"��x!��xt&�������W�+�����]��d�GR��Y�y������I�x`382�\O=��m�{r����X�q��w�qx���x�	�yw/�n4�qP��e�����*r��X����{�������k��#9��L�!���-�Y�go� 	?
��%��F������Qn������p*���m}��z�W�e���K*����:�Z�it�5
�Ng��l��~�Q�	���������@��p���#������N}������=�:�����������)u,]e[��-�8����K��/;
Y�n��/���>���I��A�\\�����/��#���`-���}_�+43�S�
��n�0
Os����n���sO2qVu��gK����@m1Mf���|����qa�
b�]%=i���J]�	�&���
�)Mw&�qWsY�����"�X��WO�-0����I�
�8�g������LAU�� ����'��>
H���5h{V������d*'���(��X���W8�&���v$D��"��[�\����<A
>�
.&g��7�����6Ym��P:r&��,�M\��d4>&��c�E�Uj\]
���'0z�v��kZ"R�f�(�c�l����1���� ��>1���D�>�R���}(�t�j�Dn��B����8��_���f,��B+RrrsZn�&`
&���&>1bYT��H ���(����C����q!v��%d���(�'E����qp��AI�]_�w?���w��������5[�;��OF��������V�������)~d����&q���xP�2*�
pQ�U	k�VD�P�DI��B� �
�.@�;�4N�"?��X�#,���[��������x|� �Q��%<T��{x��������#�����qGHb[>.������
������6x*��;s��%��-8��,w�����Y�����"H<�X����������`+!�c�+����I�vK�����K�Qs+	�f���&!
T���~����1�S��2F���� �&������y��-����y��<�m3��j�
j�������R0���0��p�"+r�$����`bj�)��LCW*uP?6�0���L ���������{�����t8i���iK5��6
2W�S8�1P[l����h��T"'��_?��:�'������s�{�����w��YvT��ct���b��AX����<���u�?��gll��~I�A�;IX/����g�5��y@�����������2�7�@o���b�Y �/60
6��I�8�0�+�H�����}'6!9��lbw�wb\�����o���),/������SK����i.�H����
�oX���?�J	64�����PG;���A!�p4S�������O�jQ�w����t�"����U#O�!G_z���l<�Di���g��!�M��!�������8`�J� q�2�8&P��@��38�M�7���{u���$U�_$1R���J4s&@x��8	�NX����[��������
�HyB�T������p4�_/P��mt[q{[L^��k�d��Z���
��.�r
E�-�o��]^
����l�����x|:����"R��=sF�����������5/E��g�E5�]���qeh��p��p1�:J�iN�$b2Dj���l�"��]�pJ!r�6�^�b�|`� /)��xb���3�R3��L�	���1��*��������G�p�4�n#�#v�<B�%OU��Ac{���V���>���f1�u��8����N1�<��W:b��[
3
���6T�����'���0^!f�3�|Fl928zw��Yz��CL#�B�
��OVaO�`�D�c�f��;����L�_s���� ��8�������U���,��gx�D�d�s�������?��^\r�3%
�_|V<>oQ�����S��!E���t1��pj�Vj����ZZ�%��bz���fg���0V��h��=2���o^�
�7}]���?����v���bi���t��*X��)�����h�����`��B������3����;m�+�)897�!�nRH���?�R���>��"�� !�*���p�D�9X0
�xs�d�����2������+>R����D�/����H�~������L�zm�����4�\�����f
=��V[�l��<2��5Uqr|zv}5��;rf%^����k��Z��gOM��������2���a�;�uY�j������� ������mf�d'Q@�Su��B����h"�-�*��D�k���g������p��m���d�G��������ah���fR
� �*��l�:��(���4��1���I@��8	�'0�89�b�}�T�(L��J�v�e`������w�9y���� ���o
���d:*Y�Q���[��/�/����`L�����5AzQ ���(6u[fy���<=�<"^���$�E� ,^DA2_hA�~_#���f�(��kd@��������`��2~b��$
]S#�����!//����p�
3&��j����k?,��v�f(TED���*����wDSP���NE��4��K���>�0Lq���:�	�aO��-�{��~��������x��2�������x�z[��(����e�qc��q��0�������[18�p	����7���P;��9|�0l6��--0��j���2�
.��Q�]���(��R��kt��������\��aI�������qL�LL�l�N�n
\���`��$��\o�Ha��[��@m��d:�Do�� �J��F���Z�U�����&%��	���OK��W�9&��YYE��j	���s7���������P�~���m^?!���Bl7�����Q1��|��b�0A1^��F���X�
����"�%���N<~J!�_������2���������-����1�'`"@���U�<�����/��xP��0 �������6!��4�n��7�Y���|$��������/_����������d@R�|�����:���x�v��wj-���.n������S�������G�� 4�a�:IU�i1�M�F�6����t �[��{MI���5
���[p�9�)��h`J����O�.���<yk
���8i�Y,�H��������X���1��B|K�&Y7�W��{��������|���[���Jt��>���_��>6�����8b�����^�4H�[:��h���i�����V,V}����v@P���1������l+_���b�!v�#e�5��&P�-�4�R]��y��u�S����T�u!x��%P��������?�s��Aie>,��[`�sY#�E5[��:2�a+�g�o�����2��������tn�q�A>E���B�5��vjO������dF''0oi/�z�NQ�H\�.�"gli���M
F4���g���"�
4������,n������<����H��k�O�
cu��wg+*�1	$�)���t"�K)�{����:�h���%	$��j
�������%�����������H9����� ��bu�:��(1E����1(�R�g�8��Q���S��*��B=_�!�i�3S�`rTY3L��,���-	,Oz����m�'������R�a��<�?>����e��n�-��U!���^��6|�i�1���A�p�����@�DJh��d�J�#N�D�C�F���<[1�
�>N�V'���!5�-*�+�� 0cI;��|���{i���J&��<�%�c]+h�~
���9�g[��e������,"{(1�?0���d����C���|�R^���r��EU������{���
|�

�\|?^�l+��Y�\(B�	i�_�b�W{_��%�}��x�^_L���=8���@�N�?�y���<��Z94,>�;�N@�u�>���������w�\�Q�t��u0]�x��V*J���/��fr!
���F��
��.+�
YO��	a��h2|��YJ������s������-��|'���M3PFr����������=��fMmP�����o���3�����/�TK��������������;;�^�p5_����������������O�>kw&�ivk���L#�O��2D�����g��bXr|���O����������wAtC7D6�@@�=��
�uu%<����|���
�H���}��h��O�Z����z��8�r�42A<�����Xt����j���u�sB����&}vk�!v!2��`
0y<�����`e���������95�T������<8�to����]F��7r��=�����i9���)z;_�����IE��f��
��	m���������opx��N
y�Y=������������A`
{�VQ�"x�\�kAX�L_��cm&�������t����:�4L��\��-���*��W�����qt�X�/q��
�Bk����6a��L��
c����4��7����/���y��������1�� �6�i0
N5`�~�UPC���a���T,��/�w�7-L�PJj��u�O�����@�6����\�_�Y��c��Q��0�Q��\|��*<�K{��k����vA��'n��#�2��N�K�����6���rV3fA	��.�-�P�aJ�?<?'/
���L
��d}F���"����Mf�od��_3����7��,���e�(2�y�
~�i����h�S+u��N��/�0�a,��`�)8R�:s=�����N�D����t��S��Vs��	�$NA(�q�H�)G��! c��#��b��ST�3N�4e�T5������"/��d5u�����O���������"��gTOI'[�$���k�����(���I]/�Zc��9G �Nb��tNz)�u�I������w�
-sa���$v��g�l�qNv�������O1�	�G��e�<�,���OG�)��������lG��t�7e�������;�9��@/�?���������������L;��|����~o��S?�a�y����i��^k�@4��!���(��~`��o��u�/��j�C[ ����d���t��&�r�����F��!���X����S%v����X7��z�
��Z�)����VKZ�[m�������6�|0����+{�}�ob����c`��������V����z��;�<2���K�	V�D������D4���6�_\���F6��������-���o$c�����
��9�o���|�DO�X�
����6��~���'�}�U�0K`�J����D�E
��b�|<����J8�����6l����~��!i�
Z�d�y�����osW��HnD?k~E���H�F�}�H�x!�a{6�@hI-[^�5o��=��H6�b�4��Y�l�b���������q���������D����
h"�W(p�g�+y����������w����4\�'��C.���OA���X���2����[a���Lk�^w6ht����u��B�Y�DD�=/���>>9�<=�9(�C�<�%�0�Q	�����}��y/��Y,����d@Sb�sI����/i�_�'}#e������^`5��#S�1�� &����y�
��f�6�@f��t�������o�+;}�+���:�����&\�!�%7�
'[:�mBb���'�4=n�T@vO$�
��������6���\
�������h�������O�%�] 3�Id��5d�U
�u��=�������9*�}J������q��|�{��R|�����_����ql\'	}��~���*&3|Y����y�|��%b'&���LX��h�(����_��)WU��q�h�����t�%��i�\��Nt�-i�������I�,68j5`��� X�������Yn�Ma<��w�f%(E_�D���
=A�W����X�Ij�3m\�%~���g��.����H��KE?���wn��S�.A�D��2��9��D�Cl'��p��d~" b�$�����	��z&n�%�PS%+Z
�Da���{%rK�N�����X9�a������r���*B����*�E�E����VS�7���b~QQA��0�6�:G�{�z��~�����>d1t���,����j1�|�,�D��j�~(��a&�S��7�aeU"���������1{�
eKiJ�p�����&I���c�=;����k�H��x���8P��yD^��"1q�X�h�������hO,���c����w���N���tq��FL���}����;	�b��
�

�&2�k����K(�X�V�,�`R��6v\���^��Z�l��V�����2]�e���E�3���S�K�%U�=�������j^I7j�1����x��R�%��T}�]�������+�s�����������Z-l��Y#��I��B��/�,��A�?}K4�W[�����^k�������������o�P��Q���K��0U��@M�q/�������OI�-�l*�AJ��]��i8��C\d���'�Qg�0��B1�#���,�@wTW��;�h����`�Qi��CY���Zxy�2�����h����Y����}u�={��.�$��`�����2�*S�9�����X��aJ�.�*ey�2'����
<�<?��t�OS���;O��-��ZL�Xaip��4A#��y��&�b��h���%��J	.��S�)R
>�CY
����K����*b��=������
�����3xoc �2�e���/g�s��OW��UD�?u��� )��]�s:�b|��
F�S����Z��N��5&e&��ri����w6��d1�f#3It�]������i�&L7�%*p�st�#����gF�w��<K
S�z,^�_m��C9���Sm�WPm>Yx�z
*��z%���t��K���q
��fetd�JL5�w�W����'�j�a`;����4z�LD����/,k��N�#�]�u�f$��^>�V�9�h\��D����sLZ�*����:�@��s����b^Edg�������R�����������J������+�BC��$=��~����R��������=��RK����N���+��J�F��j�dV���\Z~��	5=���vUIH{����
�7���ON���r���4��|�oG�Pv?�z�d|_�V"Z�q�&�N����:a�o��]%��D�Ex�Y��s�>�M6�g�^�#q�����k+�������k+���V�k���^[9���r,{m�h���������k�
��kI��U<��~�������l�#q���DO`����Z���������_�i��S,C��P����f���'u=v��3&������_�Q�b0Z�c��<��
���c(j�J�?�g�����;�z{�+��a���M��P���;�2�15`<��t���`��!���K��Dv1�c��U"��2I{-����B3WH�����*����?{����#���N�����N�`���LV���4�[R9�S��X��\���No��T�R(��[�=
q)��fh�����z��v��yT��?c������t�<��O;&N��Qw�Y���)R�1���,�^�
��^Lo����;H���R��hN��S/d��*��)`^ph}!�p�
���%J����i'�
��Zm:����Y��o��,�VJ������"��;�U��mxq~vU�o�����a
+_�n�|��Z����[e��Z�#��G�G��+~'k�R���x�`�a.?���w3&�@��[�Z�j�n������ECfV�t�u
�(W[�	r���>������`$(���65��3n�%`����q��7�0x�{�u�����C/6���Q��
g������[w�5���f�mr�����p�~��������O�v��l�"!^�m>8���m7r�V����2��}mObT	8Zj��������nJ�v��C�Mp��.{	Z������q#��C��F��u���4�m"k��b�P���E�8�?&��*9��h��<���
�Q�>^�	������>����u��e[�"������'�G�=CwM������55s���-��� �������q*`D!�a�g[g�I��n�7,��iE�
�����q��hj��?��ql�t

 1:  a94a11d56c <  -:  ---------- Add support for custom authentication methods
 2:  973f622fea <  -:  ---------- Add sample extension to test custom auth provider hooks
 3:  b4a0ab5a4e <  -:  ---------- Add tests for test_auth_provider extension
 4:  49715c3c98 <  -:  ---------- Add support for "map" and custom auth options
 5:  2b2e8d3050 !  1:  c3698bbc3d common/jsonapi: support FRONTEND clients
    @@ src/common/jsonapi.c: parse_object(JsonLexContext *lex, JsonSemAction *sem)
      #endif
      
     @@ src/common/jsonapi.c: json_lex_string(JsonLexContext *lex)
    - 	char	   *const end = lex->input + lex->input_length;
    - 	int			hi_surrogate = -1;
    + 		return code; \
    + 	} while (0)
      
     -	if (lex->strval != NULL)
     -		resetStringInfo(lex->strval);
    @@ src/common/jsonapi.c: json_lex_string(JsonLexContext *lex)
      	Assert(lex->input_length > 0);
      	s = lex->token_start;
     @@ src/common/jsonapi.c: json_lex_string(JsonLexContext *lex)
    - 						return JSON_UNICODE_ESCAPE_FORMAT;
    - 					}
    + 					else
    + 						FAIL_AT_CHAR_END(JSON_UNICODE_ESCAPE_FORMAT);
      				}
     -				if (lex->strval != NULL)
     +				if (lex->parse_strval)
    @@ src/common/jsonapi.c: json_lex_string(JsonLexContext *lex)
     +						appendPQExpBufferChar(lex->strval, (char) ch);
      					}
      					else
    - 						return JSON_UNICODE_HIGH_ESCAPE;
    + 						FAIL_AT_CHAR_END(JSON_UNICODE_HIGH_ESCAPE);
      #endif							/* FRONTEND */
      				}
      			}
    @@ src/common/jsonapi.c: json_lex_string(JsonLexContext *lex)
     +			else if (lex->parse_strval)
      			{
      				if (hi_surrogate != -1)
    - 					return JSON_UNICODE_LOW_SURROGATE;
    + 					FAIL_AT_CHAR_END(JSON_UNICODE_LOW_SURROGATE);
     @@ src/common/jsonapi.c: json_lex_string(JsonLexContext *lex)
      					case '"':
      					case '\\':
    @@ src/common/jsonapi.c: json_lex_string(JsonLexContext *lex)
     +						appendStrValChar(lex->strval, '\t');
      						break;
      					default:
    - 						/* Not a valid string escape, so signal error. */
    + 
     @@ src/common/jsonapi.c: json_lex_string(JsonLexContext *lex)
      
      			/*
    @@ src/common/jsonapi.c: json_lex_string(JsonLexContext *lex)
      			/*
      			 * s will be incremented at the top of the loop, so set it to just
     @@ src/common/jsonapi.c: json_lex_string(JsonLexContext *lex)
    - 	if (hi_surrogate != -1)
      		return JSON_UNICODE_LOW_SURROGATE;
    + 	}
      
     +#ifdef FRONTEND
     +	if (lex->parse_strval && PQExpBufferBroken(lex->strval))
    @@ src/common/jsonapi.c: report_parse_error(JsonParseContext ctx, JsonLexContext *l
     -}
     -
      /*
    -  * Construct a detail message for a JSON error.
    +  * Construct an (already translated) detail message for a JSON error.
       *
     - * Note that the error message generated by this routine may not be
     - * palloc'd, making it unsafe for frontend code as there is no way to
    -- * know if this can be safery pfree'd or not.
    +- * know if this can be safely pfree'd or not.
     + * The returned allocation is either static or owned by the JsonLexContext and
     + * should not be freed.
       */
    @@ src/common/jsonapi.c: report_parse_error(JsonParseContext ctx, JsonLexContext *l
      			return _("\\u0000 cannot be converted to text.");
      		case JSON_UNICODE_ESCAPE_FORMAT:
     @@ src/common/jsonapi.c: json_errdetail(JsonParseErrorType error, JsonLexContext *lex)
    - 			return _("Unicode low surrogate must follow a high surrogate.");
    + 			/* note: this case is only reachable in frontend not backend */
    + 			return _("Unicode escape values cannot be used for code point values above 007F when the encoding is not UTF8.");
    + 		case JSON_UNICODE_UNTRANSLATABLE:
    +-			/* note: this case is only reachable in backend not frontend */
    ++			/*
    ++			 * note: this case is only reachable in backend not frontend.
    ++			 * #ifdef it away so the frontend doesn't try to link against
    ++			 * backend functionality.
    ++			 */
    ++#ifndef FRONTEND
    + 			return psprintf(_("Unicode escape value could not be translated to the server's encoding %s."),
    + 							GetDatabaseEncodingName());
    ++#else
    ++			Assert(false);
    ++			break;
    ++#endif
    + 		case JSON_UNICODE_HIGH_SURROGATE:
    + 			return _("Unicode high surrogate must not follow a high surrogate.");
    + 		case JSON_UNICODE_LOW_SURROGATE:
    +@@ src/common/jsonapi.c: json_errdetail(JsonParseErrorType error, JsonLexContext *lex)
    + 			break;
      	}
      
     -	/*
    @@ src/include/common/jsonapi.h
      
     -#include "lib/stringinfo.h"
     -
    - typedef enum
    + typedef enum JsonTokenType
      {
      	JSON_TOKEN_INVALID,
    -@@ src/include/common/jsonapi.h: typedef enum
    +@@ src/include/common/jsonapi.h: typedef enum JsonParseErrorType
      	JSON_EXPECTED_OBJECT_NEXT,
      	JSON_EXPECTED_STRING,
      	JSON_INVALID_TOKEN,
    @@ src/include/common/jsonapi.h: typedef enum
      	JSON_UNICODE_CODE_POINT_ZERO,
      	JSON_UNICODE_ESCAPE_FORMAT,
      	JSON_UNICODE_HIGH_ESCAPE,
    -@@ src/include/common/jsonapi.h: typedef enum
    - 	JSON_UNICODE_LOW_SURROGATE
    +@@ src/include/common/jsonapi.h: typedef enum JsonParseErrorType
    + 	JSON_SEM_ACTION_FAILED		/* error should already be reported */
      } JsonParseErrorType;
      
     +/*
    @@ src/include/common/jsonapi.h: typedef struct JsonLexContext
     +	StrValType *errormsg;
      } JsonLexContext;
      
    - typedef void (*json_struct_action) (void *state);
    + typedef JsonParseErrorType (*json_struct_action) (void *state);
     @@ src/include/common/jsonapi.h: extern PGDLLIMPORT JsonSemAction nullSemAction;
       */
      extern JsonParseErrorType json_count_array_elements(JsonLexContext *lex,
 6:  c18d7da6cc !  2:  0cd726fd55 libpq: add OAUTHBEARER SASL mechanism
    @@ Commit message
         - handle cases where the client has been set up with an issuer and
           scope, but the Postgres server wants to use something different
         - improve error debuggability during the OAuth handshake
    +    - migrate JSON parsing to the new JSON_SEM_ACTION_FAILED API convention
         - ...and more.
     
      ## configure ##
    @@ configure: fi
     +  as_fn_error $? "library 'iddawc' is required for OAuth support" "$LINENO" 5
     +fi
     +
    ++  # Check for an older spelling of i_get_openid_config
    ++  for ac_func in i_load_openid_config
    ++do :
    ++  ac_fn_c_check_func "$LINENO" "i_load_openid_config" "ac_cv_func_i_load_openid_config"
    ++if test "x$ac_cv_func_i_load_openid_config" = xyes; then :
    ++  cat >>confdefs.h <<_ACEOF
    ++#define HAVE_I_LOAD_OPENID_CONFIG 1
    ++_ACEOF
    ++
    ++fi
    ++done
    ++
     +fi
     +
      # for contrib/sepgsql
    @@ configure.ac: fi
      
     +if test "$with_oauth" = yes ; then
     +  AC_CHECK_LIB(iddawc, i_init_session, [], [AC_MSG_ERROR([library 'iddawc' is required for OAuth support])])
    ++  # Check for an older spelling of i_get_openid_config
    ++  AC_CHECK_FUNCS([i_load_openid_config])
     +fi
     +
      # for contrib/sepgsql
    @@ configure.ac: elif test "$with_uuid" = ossp ; then
         AC_CHECK_HEADERS(crtdefs.h)
      fi
     
    + ## meson.build ##
    +@@ meson.build: endif
    + 
    + 
    + 
    ++###############################################################
    ++# Library: oauth
    ++###############################################################
    ++
    ++oauthopt = get_option('oauth')
    ++if not oauthopt.disabled()
    ++  oauth = dependency('libiddawc', required: oauthopt)
    ++
    ++  if oauth.found()
    ++    cdata.set('USE_OAUTH', 1)
    ++    # Check for an older spelling of i_get_openid_config
    ++    if cc.has_function('i_load_openid_config',
    ++                       dependencies: oauth, args: test_c_args)
    ++      cdata.set('HAVE_I_LOAD_OPENID_CONFIG', 1)
    ++    endif
    ++  endif
    ++else
    ++  oauth = not_found_dep
    ++endif
    ++
    ++
    + ###############################################################
    + # Library: Tcl (for pltcl)
    + #
    +@@ meson.build: libpq_deps += [
    +   gssapi,
    +   ldap_r,
    +   libintl,
    ++  oauth,
    +   ssl,
    + ]
    + 
    +@@ meson.build: if meson.version().version_compare('>=0.57')
    +       'llvm': llvm,
    +       'lz4': lz4,
    +       'nls': libintl,
    ++      'oauth': oauth,
    +       'openssl': ssl,
    +       'pam': pam,
    +       'plperl': perl_dep,
    +
    + ## meson_options.txt ##
    +@@ meson_options.txt: option('lz4', type : 'feature', value: 'auto',
    + option('nls', type: 'feature', value: 'auto',
    +   description: 'native language support')
    + 
    ++option('oauth', type : 'feature', value: 'auto',
    ++  description: 'OAuth 2.0 support')
    ++
    + option('pam', type : 'feature', value: 'auto',
    +   description: 'build with PAM support')
    + 
    +
      ## src/Makefile.global.in ##
     @@ src/Makefile.global.in: with_ldap	= @with_ldap@
      with_libxml	= @with_libxml@
    @@ src/Makefile.global.in: with_ldap	= @with_ldap@
      with_uuid	= @with_uuid@
      with_zlib	= @with_zlib@
     
    + ## src/common/meson.build ##
    +@@ src/common/meson.build: common_sources_frontend_static += files(
    + # For the server build of pgcommon, depend on lwlocknames_h, because at least
    + # cryptohash_openssl.c, hmac_openssl.c depend on it. That's arguably a
    + # layering violation, but ...
    ++#
    ++# XXX Frontend builds need libpq's pqexpbuffer.h, so adjust the include paths
    ++# appropriately. This seems completely broken.
    + pgcommon = {}
    + pgcommon_variants = {
    +   '_srv': internal_lib_args + {
    ++    'include_directories': include_directories('.'),
    +     'sources': common_sources + [lwlocknames_h],
    +     'dependencies': [backend_common_code],
    +   },
    +   '': default_lib_args + {
    ++    'include_directories': include_directories('../interfaces/libpq', '.'),
    +     'sources': common_sources_frontend_static,
    +     'dependencies': [frontend_common_code],
    +   },
    +   '_shlib': default_lib_args + {
    +     'pic': true,
    ++    'include_directories': include_directories('../interfaces/libpq', '.'),
    +     'sources': common_sources_frontend_shlib,
    +     'dependencies': [frontend_common_code],
    +   },
    +@@ src/common/meson.build: foreach name, opts : pgcommon_variants
    +     c_args = opts.get('c_args', []) + common_cflags[cflagname]
    +     cflag_libs += static_library('libpgcommon@0@_@1@'.format(name, cflagname),
    +       c_pch: pch_c_h,
    +-      include_directories: include_directories('.'),
    +       kwargs: opts + {
    +         'sources': sources,
    +         'c_args': c_args,
    +@@ src/common/meson.build: foreach name, opts : pgcommon_variants
    +   lib = static_library('libpgcommon@0@'.format(name),
    +       link_with: cflag_libs,
    +       c_pch: pch_c_h,
    +-      include_directories: include_directories('.'),
    +       kwargs: opts + {
    +         'dependencies': opts['dependencies'] + [ssl],
    +       }
    +
      ## src/include/common/oauth-common.h (new) ##
     @@
     +/*-------------------------------------------------------------------------
    @@ src/include/common/oauth-common.h (new)
     +#endif /* OAUTH_COMMON_H */
     
      ## src/include/pg_config.h.in ##
    +@@
    + /* Define to 1 if __builtin_constant_p(x) implies "i"(x) acceptance. */
    + #undef HAVE_I_CONSTRAINT__BUILTIN_CONSTANT_P
    + 
    ++/* Define to 1 if you have the `i_load_openid_config' function. */
    ++#undef HAVE_I_LOAD_OPENID_CONFIG
    ++
    + /* Define to 1 if you have the `kqueue' function. */
    + #undef HAVE_KQUEUE
    + 
     @@
      /* Define to 1 if you have the `crypto' library (-lcrypto). */
      #undef HAVE_LIBCRYPTO
    @@ src/interfaces/libpq/fe-auth-oauth.c (new)
     +#include "fe-auth.h"
     +#include "mb/pg_wchar.h"
     +
    ++#ifdef HAVE_I_LOAD_OPENID_CONFIG
    ++/* Older versions of iddawc used 'load' instead of 'get' for some APIs. */
    ++#define i_get_openid_config i_load_openid_config
    ++#endif
    ++
     +/* The exported OAuth callback mechanism. */
     +static void *oauth_init(PGconn *conn, const char *password,
     +						const char *sasl_mechanism);
    @@ src/interfaces/libpq/fe-auth-oauth.c (new)
     +		(ctx)->errmsg = (ctx)->errbuf.data; \
     +	} while (0)
     +
    -+static void
    ++static JsonParseErrorType
     +oauth_json_object_start(void *state)
     +{
     +	struct json_ctx	   *ctx = state;
     +
     +	if (oauth_json_has_error(ctx))
    -+		return; /* short-circuit */
    ++		return JSON_SUCCESS; /* short-circuit */
     +
     +	if (ctx->target_field)
     +	{
    @@ src/interfaces/libpq/fe-auth-oauth.c (new)
     +	}
     +
     +	++ctx->nested;
    ++	return JSON_SUCCESS; /* TODO: switch all of these to JSON_SEM_ACTION_FAILED */
     +}
     +
    -+static void
    ++static JsonParseErrorType
     +oauth_json_object_end(void *state)
     +{
     +	struct json_ctx	   *ctx = state;
     +
     +	if (oauth_json_has_error(ctx))
    -+		return; /* short-circuit */
    ++		return JSON_SUCCESS; /* short-circuit */
     +
     +	--ctx->nested;
    ++	return JSON_SUCCESS;
     +}
     +
    -+static void
    ++static JsonParseErrorType
     +oauth_json_object_field_start(void *state, char *name, bool isnull)
     +{
     +	struct json_ctx	   *ctx = state;
    @@ src/interfaces/libpq/fe-auth-oauth.c (new)
     +	{
     +		/* short-circuit */
     +		free(name);
    -+		return;
    ++		return JSON_SUCCESS;
     +	}
     +
     +	if (ctx->nested == 1)
    @@ src/interfaces/libpq/fe-auth-oauth.c (new)
     +	}
     +
     +	free(name);
    ++	return JSON_SUCCESS;
     +}
     +
    -+static void
    ++static JsonParseErrorType
     +oauth_json_array_start(void *state)
     +{
     +	struct json_ctx	   *ctx = state;
     +
     +	if (oauth_json_has_error(ctx))
    -+		return; /* short-circuit */
    ++		return JSON_SUCCESS; /* short-circuit */
     +
     +	if (!ctx->nested)
     +	{
    @@ src/interfaces/libpq/fe-auth-oauth.c (new)
     +							 libpq_gettext("field \"%s\" must be a string"),
     +							 ctx->target_field_name);
     +	}
    ++
    ++	return JSON_SUCCESS;
     +}
     +
    -+static void
    ++static JsonParseErrorType
     +oauth_json_scalar(void *state, char *token, JsonTokenType type)
     +{
     +	struct json_ctx	   *ctx = state;
    @@ src/interfaces/libpq/fe-auth-oauth.c (new)
     +	{
     +		/* short-circuit */
     +		free(token);
    -+		return;
    ++		return JSON_SUCCESS;
     +	}
     +
     +	if (!ctx->nested)
    @@ src/interfaces/libpq/fe-auth-oauth.c (new)
     +			ctx->target_field = NULL;
     +			ctx->target_field_name = NULL;
     +
    -+			return; /* don't free the token we're using */
    ++			return JSON_SUCCESS; /* don't free the token we're using */
     +		}
     +
     +		oauth_json_set_error(ctx,
    @@ src/interfaces/libpq/fe-auth-oauth.c (new)
     +	}
     +
     +	free(token);
    ++	return JSON_SUCCESS;
     +}
     +
     +static bool
    @@ src/interfaces/libpq/fe-auth.c: pg_SASL_continue(PGconn *conn, int payloadlen, b
      						 &done, &success);
     
      ## src/interfaces/libpq/fe-auth.h ##
    -@@ src/interfaces/libpq/fe-auth.h: extern const pg_fe_sasl_mech pg_scram_mech;
    - extern char *pg_fe_scram_build_secret(const char *password,
    +@@ src/interfaces/libpq/fe-auth.h: extern char *pg_fe_scram_build_secret(const char *password,
    + 									  int iterations,
      									  const char **errstr);
      
     +/* Mechanisms in fe-auth-oauth.c */
    @@ src/interfaces/libpq/fe-auth.h: extern const pg_fe_sasl_mech pg_scram_mech;
     
      ## src/interfaces/libpq/fe-connect.c ##
     @@ src/interfaces/libpq/fe-connect.c: static const internalPQconninfoOption PQconninfoOptions[] = {
    - 		"Target-Session-Attrs", "", 15, /* sizeof("prefer-standby") = 15 */
    - 	offsetof(struct pg_conn, target_session_attrs)},
    + 		"Load-Balance-Hosts", "", 8,	/* sizeof("disable") = 8 */
    + 	offsetof(struct pg_conn, load_balance_hosts)},
      
     +	/* OAuth v2 */
     +	{"oauth_issuer", NULL, NULL, NULL,
    @@ src/interfaces/libpq/fe-connect.c: keep_going:						/* We will come back to here
      
      					/*
     @@ src/interfaces/libpq/fe-connect.c: freePGconn(PGconn *conn)
    - 	free(conn->outBuffer);
      	free(conn->rowBuf);
      	free(conn->target_session_attrs);
    + 	free(conn->load_balance_hosts);
     +	free(conn->oauth_issuer);
     +	free(conn->oauth_discovery_uri);
     +	free(conn->oauth_client_id);
    @@ src/interfaces/libpq/fe-connect.c: freePGconn(PGconn *conn)
     
      ## src/interfaces/libpq/libpq-int.h ##
     @@ src/interfaces/libpq/libpq-int.h: struct pg_conn
    - 	char	   *ssl_max_protocol_version;	/* maximum TLS protocol version */
    - 	char	   *target_session_attrs;	/* desired session properties */
    + 	char	   *require_auth;	/* name of the expected auth method */
    + 	char	   *load_balance_hosts; /* load balance over hosts */
      
     +	/* OAuth v2 */
     +	char	   *oauth_issuer;			/* token issuer URL */
    @@ src/interfaces/libpq/libpq-int.h: struct pg_conn
      	/* Optional file to write trace info to */
      	FILE	   *Pfdebug;
      	int			traceFlags;
    +
    + ## src/interfaces/libpq/meson.build ##
    +@@ src/interfaces/libpq/meson.build: if gssapi.found()
    +   )
    + endif
    + 
    ++if oauth.found()
    ++  libpq_sources += files('fe-auth-oauth.c')
    ++endif
    ++
    + export_file = custom_target('libpq.exports',
    +   kwargs: gen_export_kwargs,
    + )
    +
    + ## src/makefiles/meson.build ##
    +@@ src/makefiles/meson.build: pgxs_deps = {
    +   'llvm': llvm,
    +   'lz4': lz4,
    +   'nls': libintl,
    ++  'oauth': oauth,
    +   'pam': pam,
    +   'perl': perl_dep,
    +   'python': python3_dep,
 7:  f6a81f50f2 !  3:  77889eb986 backend: add OAUTHBEARER SASL mechanism
    @@ src/backend/libpq/auth.c
      #include "libpq/pqformat.h"
      #include "libpq/sasl.h"
      #include "libpq/scram.h"
    +@@
    +  */
    + static void auth_failed(Port *port, int status, const char *logdetail);
    + static char *recv_password_packet(Port *port);
    +-static void set_authn_id(Port *port, const char *id);
    + 
    + 
    + /*----------------------------------------------------------------
    +@@ src/backend/libpq/auth.c: static int	CheckRADIUSAuth(Port *port);
    + static int	PerformRadiusTransaction(const char *server, const char *secret, const char *portstr, const char *identifier, const char *user_name, const char *passwd);
    + 
    + 
    +-/*
    +- * Maximum accepted size of GSS and SSPI authentication tokens.
    +- * We also use this as a limit on ordinary password packet lengths.
    +- *
    +- * Kerberos tickets are usually quite small, but the TGTs issued by Windows
    +- * domain controllers include an authorization field known as the Privilege
    +- * Attribute Certificate (PAC), which contains the user's Windows permissions
    +- * (group memberships etc.). The PAC is copied into all tickets obtained on
    +- * the basis of this TGT (even those issued by Unix realms which the Windows
    +- * realm trusts), and can be several kB in size. The maximum token size
    +- * accepted by Windows systems is determined by the MaxAuthToken Windows
    +- * registry setting. Microsoft recommends that it is not set higher than
    +- * 65535 bytes, so that seems like a reasonable limit for us as well.
    +- */
    +-#define PG_MAX_AUTH_TOKEN_LENGTH	65535
    +-
    + /*----------------------------------------------------------------
    +  * Global authentication functions
    +  *----------------------------------------------------------------
     @@ src/backend/libpq/auth.c: auth_failed(Port *port, int status, const char *logdetail)
      		case uaRADIUS:
      			errstr = gettext_noop("RADIUS authentication failed for user \"%s\"");
    @@ src/backend/libpq/auth.c: auth_failed(Port *port, int status, const char *logdet
     +		case uaOAuth:
     +			errstr = gettext_noop("OAuth bearer authentication failed for user \"%s\"");
     +			break;
    - 		case uaCustom:
    - 			{
    - 				CustomAuthProvider *provider = get_provider_by_name(port->hba->custom_provider);
    + 		default:
    + 			errstr = gettext_noop("authentication failed for user \"%s\": invalid authentication method");
    + 			break;
    +@@ src/backend/libpq/auth.c: auth_failed(Port *port, int status, const char *logdetail)
    +  * lifetime of MyClientConnectionInfo, so it is safe to pass a string that is
    +  * managed by an external library.
    +  */
    +-static void
    ++void
    + set_authn_id(Port *port, const char *id)
    + {
    + 	Assert(id);
     @@ src/backend/libpq/auth.c: ClientAuthentication(Port *port)
      		case uaTrust:
      			status = STATUS_OK;
    @@ src/backend/libpq/auth.c: ClientAuthentication(Port *port)
     +		case uaOAuth:
     +			status = CheckSASLAuth(&pg_be_oauth_mech, port, NULL, NULL);
     +			break;
    - 		case uaCustom:
    - 			{
    - 				CustomAuthProvider *provider = get_provider_by_name(port->hba->custom_provider);
    + 	}
    + 
    + 	if ((status == STATUS_OK && port->hba->clientcert == clientCertFull)
     
      ## src/backend/libpq/hba.c ##
     @@ src/backend/libpq/hba.c: static const char *const UserAuthName[] =
    + 	"ldap",
      	"cert",
      	"radius",
    - 	"custom",
     -	"peer"
     +	"peer",
     +	"oauth",
      };
      
    - 
    + /*
     @@ src/backend/libpq/hba.c: parse_hba_line(TokenizedAuthLine *tok_line, int elevel)
      #endif
      	else if (strcmp(token->string, "radius") == 0)
      		parsedline->auth_method = uaRADIUS;
     +	else if (strcmp(token->string, "oauth") == 0)
     +		parsedline->auth_method = uaOAuth;
    - 	else if (strcmp(token->string, "custom") == 0)
    - 		parsedline->auth_method = uaCustom;
      	else
    + 	{
    + 		ereport(elevel,
     @@ src/backend/libpq/hba.c: parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
    + 			hbaline->auth_method != uaPeer &&
      			hbaline->auth_method != uaGSS &&
      			hbaline->auth_method != uaSSPI &&
    - 			hbaline->auth_method != uaCert &&
    -+			hbaline->auth_method != uaOAuth &&
    - 			hbaline->auth_method != uaCustom)
    --			INVALID_AUTH_OPTION("map", gettext_noop("ident, peer, gssapi, sspi, cert and custom"));
    -+			INVALID_AUTH_OPTION("map", gettext_noop("ident, peer, gssapi, sspi, cert, oauth, and custom"));
    +-			hbaline->auth_method != uaCert)
    +-			INVALID_AUTH_OPTION("map", gettext_noop("ident, peer, gssapi, sspi, and cert"));
    ++			hbaline->auth_method != uaCert &&
    ++			hbaline->auth_method != uaOAuth)
    ++			INVALID_AUTH_OPTION("map", gettext_noop("ident, peer, gssapi, sspi, cert, and oauth"));
      		hbaline->usermap = pstrdup(val);
      	}
      	else if (strcmp(name, "clientcert") == 0)
    @@ src/backend/libpq/hba.c: parse_hba_auth_opt(char *name, char *val, HbaLine *hbal
     +		else
     +			hbaline->oauth_skip_usermap = false;
     +	}
    - 	else if (strcmp(name, "provider") == 0)
    + 	else
      	{
    - 		REQUIRE_AUTH_OPTION(uaCustom, "provider", "custom");
    + 		ereport(elevel,
    +
    + ## src/backend/libpq/meson.build ##
    +@@
    + # Copyright (c) 2022-2023, PostgreSQL Global Development Group
    + 
    + backend_sources += files(
    ++  'auth-oauth.c',
    +   'auth-sasl.c',
    +   'auth-scram.c',
    +   'auth.c',
     
      ## src/backend/utils/misc/guc_tables.c ##
     @@
    @@ src/backend/utils/misc/guc_tables.c
      #include "libpq/auth.h"
      #include "libpq/libpq.h"
     +#include "libpq/oauth.h"
    + #include "libpq/scram.h"
    + #include "nodes/queryjumble.h"
      #include "optimizer/cost.h"
    - #include "optimizer/geqo.h"
    - #include "optimizer/optimizer.h"
     @@ src/backend/utils/misc/guc_tables.c: struct config_string ConfigureNamesString[] =
    - 		check_backtrace_functions, assign_backtrace_functions, NULL
    + 		check_io_direct, assign_io_direct, NULL
      	},
      
     +	{
     +		{"oauth_validator_command", PGC_SIGHUP, CONN_AUTH_AUTH,
     +			gettext_noop("Command to validate OAuth v2 bearer tokens."),
     +			NULL,
    -+			GUC_SUPERUSER_ONLY
    ++			GUC_SUPERUSER_ONLY | GUC_NOT_IN_SAMPLE
     +		},
     +		&oauth_validator_command,
     +		"",
    @@ src/backend/utils/misc/guc_tables.c: struct config_string ConfigureNamesString[]
      	{
      		{NULL, 0, 0, NULL, NULL}, NULL, NULL, NULL, NULL, NULL
     
    + ## src/include/libpq/auth.h ##
    +@@
    + 
    + #include "libpq/libpq-be.h"
    + 
    ++/*
    ++ * Maximum accepted size of GSS and SSPI authentication tokens.
    ++ * We also use this as a limit on ordinary password packet lengths.
    ++ *
    ++ * Kerberos tickets are usually quite small, but the TGTs issued by Windows
    ++ * domain controllers include an authorization field known as the Privilege
    ++ * Attribute Certificate (PAC), which contains the user's Windows permissions
    ++ * (group memberships etc.). The PAC is copied into all tickets obtained on
    ++ * the basis of this TGT (even those issued by Unix realms which the Windows
    ++ * realm trusts), and can be several kB in size. The maximum token size
    ++ * accepted by Windows systems is determined by the MaxAuthToken Windows
    ++ * registry setting. Microsoft recommends that it is not set higher than
    ++ * 65535 bytes, so that seems like a reasonable limit for us as well.
    ++ */
    ++#define PG_MAX_AUTH_TOKEN_LENGTH	65535
    ++
    + extern PGDLLIMPORT char *pg_krb_server_keyfile;
    + extern PGDLLIMPORT bool pg_krb_caseins_users;
    + extern PGDLLIMPORT bool pg_gss_accept_deleg;
    +@@ src/include/libpq/auth.h: extern PGDLLIMPORT char *pg_krb_realm;
    + extern void ClientAuthentication(Port *port);
    + extern void sendAuthRequest(Port *port, AuthRequest areq, const char *extradata,
    + 							int extralen);
    ++extern void set_authn_id(Port *port, const char *id);
    + 
    + /* Hook for plugins to get control in ClientAuthentication() */
    + typedef void (*ClientAuthentication_hook_type) (Port *, int);
    +
      ## src/include/libpq/hba.h ##
     @@ src/include/libpq/hba.h: typedef enum UserAuth
    + 	uaLDAP,
      	uaCert,
      	uaRADIUS,
    - 	uaCustom,
     -	uaPeer
     -#define USER_AUTH_LAST uaPeer	/* Must be last value of this enum */
     +	uaPeer,
    @@ src/include/libpq/hba.h: typedef struct HbaLine
     +	char	   *oauth_issuer;
     +	char	   *oauth_scope;
     +	bool		oauth_skip_usermap;
    - 	char	   *custom_provider;
    - 	List	   *custom_auth_options;
      } HbaLine;
    + 
    + typedef struct IdentLine
     
      ## src/include/libpq/oauth.h (new) ##
     @@
 8:  e71df89b8f <  -:  ---------- Add a very simple authn_id extension
 9:  73adeb3645 !  4:  573a2ca3bc Add pytest suite for OAuth
    @@ src/test/python/README (new)
     +A test suite for exercising both the libpq client and the server backend at the
     +protocol level, based on pytest and Construct.
     +
    ++WARNING! This suite takes superuser-level control of the cluster under test,
    ++writing to the server config, creating and destroying databases, etc. It also
    ++spins up various ephemeral TCP services. This is not safe for production servers
    ++and therefore must be explicitly opted into by setting PG_TEST_EXTRA=python in
    ++the environment.
    ++
     +The test suite currently assumes that the standard PG* environment variables
     +point to the database under test and are sufficient to log in a superuser on
     +that system. In other words, a bare `psql` needs to Just Work before the test
    @@ src/test/python/README (new)
     +
     +The first run of
     +
    -+    make installcheck
    ++    make installcheck PG_TEST_EXTRA=python
     +
     +will install a local virtual environment and all needed dependencies. During
     +development, if libpq changes incompatibly, you can issue
    @@ src/test/python/README (new)
     +The Makefile is there for convenience, but you don't have to use it. Activate
     +the virtualenv to be able to use pytest directly:
     +
    ++    $ export PG_TEST_EXTRA=python
     +    $ source venv/bin/activate
     +    $ py.test -k oauth
     +    ...
    @@ src/test/python/client/test_oauth.py (new)
     +    with pytest.raises(psycopg2.OperationalError, match=expected_error):
     +        client.check_completed()
     
    + ## src/test/python/conftest.py (new) ##
    +@@
    ++#
    ++# Copyright 2023 Timescale, Inc.
    ++# SPDX-License-Identifier: PostgreSQL
    ++#
    ++
    ++import os
    ++
    ++import pytest
    ++
    ++
    ++@pytest.fixture(scope="session", autouse=True)
    ++def _check_PG_TEST_EXTRA(request):
    ++    """
    ++    Automatically skips the whole suite if PG_TEST_EXTRA doesn't contain
    ++    'python'. pytestmark doesn't seem to work in a top-level conftest.py, so
    ++    I've made this an autoused fixture instead.
    ++
    ++    TODO: there are tests here that are probably safe, but until I do a full
    ++    analysis on which are and which are not, I've made the entire thing opt-in.
    ++    """
    ++    extra_tests = os.getenv("PG_TEST_EXTRA", "").split()
    ++    if "python" not in extra_tests:
    ++        pytest.skip("Potentially unsafe test 'python' not enabled in PG_TEST_EXTRA")
    +
      ## src/test/python/pq3.py (new) ##
     @@
     +#
    @@ src/test/python/pq3.py (new)
     +
     +# Pq3
     +
    ++
     +# Adapted from construct.core.EnumIntegerString
     +class EnumNamedByte:
     +    def __init__(self, val, name):
    @@ src/test/python/pytest.ini (new)
      ## src/test/python/requirements.txt (new) ##
     @@
     +black
    -+cryptography~=3.4.6
    ++# cryptography 39.x removes a lot of platform support, beware
    ++cryptography~=38.0.4
     +construct~=2.10.61
     +isort~=5.6
    ++# TODO: update to psycopg[c] 3.1
     +psycopg2~=2.8.6
    -+pytest~=6.1
    -+pytest-asyncio~=0.14.0
    ++pytest~=7.3
    ++pytest-asyncio~=0.21.0
     
      ## src/test/python/server/__init__.py (new) ##
     
    @@ src/test/python/server/conftest.py (new)
     +
     +import pq3
     +
    ++BLOCKING_TIMEOUT = 2  # the number of seconds to wait for blocking calls
    ++
     +
     +@pytest.fixture
     +def connect():
    @@ src/test/python/server/conftest.py (new)
     +            addr = (pq3.pghost(), pq3.pgport())
     +
     +            try:
    -+                sock = socket.create_connection(addr, timeout=2)
    ++                sock = socket.create_connection(addr, timeout=BLOCKING_TIMEOUT)
     +            except ConnectionError as e:
     +                pytest.skip(f"unable to connect to {addr}: {e}")
     +
    @@ src/test/python/server/test_oauth.py (new)
     @@
     +#
     +# Copyright 2021 VMware, Inc.
    ++# Portions Copyright 2023 Timescale, Inc.
     +# SPDX-License-Identifier: PostgreSQL
     +#
     +
    @@ src/test/python/server/test_oauth.py (new)
     +
     +import pq3
     +
    ++from .conftest import BLOCKING_TIMEOUT
    ++
     +MAX_SASL_MESSAGE_LENGTH = 65535
     +
     +INVALID_AUTHORIZATION_ERRCODE = b"28000"
    @@ src/test/python/server/test_oauth.py (new)
     +
     +SHARED_MEM_NAME = "oauth-pytest"
     +MAX_TOKEN_SIZE = 4096
    -+MAX_UINT16 = 2 ** 16 - 1
    ++MAX_UINT16 = 2**16 - 1
     +
     +
     +def skip_if_no_postgres():
    @@ src/test/python/server/test_oauth.py (new)
     +    addr = (pq3.pghost(), pq3.pgport())
     +
     +    try:
    -+        with socket.create_connection(addr, timeout=2):
    ++        with socket.create_connection(addr, timeout=BLOCKING_TIMEOUT):
     +            pass
     +    except ConnectionError as e:
     +        pytest.skip(f"unable to connect to {addr}: {e}")
    @@ src/test/python/server/test_oauth.py (new)
     +    return connect()
     +
     +
    -+@pytest.fixture(scope="module", autouse=True)
    -+def authn_id_extension(oauth_ctx):
    -+    """
    -+    Performs a `CREATE EXTENSION authn_id` in the test database. This fixture is
    -+    autoused, so tests don't need to rely on it.
    -+    """
    -+    conn = psycopg2.connect(database=oauth_ctx.dbname)
    -+    conn.autocommit = True
    -+
    -+    with contextlib.closing(conn):
    -+        c = conn.cursor()
    -+        c.execute("CREATE EXTENSION authn_id;")
    -+
    -+
     +@pytest.fixture(scope="session")
     +def shared_mem():
     +    """
    @@ src/test/python/server/test_oauth.py (new)
     +    expect_handshake_success(conn)
     +
     +    # Make sure that the server has not set an authenticated ID.
    -+    pq3.send(conn, pq3.types.Query, query=b"SELECT authn_id();")
    ++    pq3.send(conn, pq3.types.Query, query=b"SELECT system_user;")
     +    resp = receive_until(conn, pq3.types.DataRow)
     +
     +    row = resp.payload
    @@ src/test/python/server/test_oauth.py (new)
     +    expect_handshake_success(conn)
     +
     +    # Check the reported authn_id.
    -+    pq3.send(conn, pq3.types.Query, query=b"SELECT authn_id();")
    ++    pq3.send(conn, pq3.types.Query, query=b"SELECT system_user;")
     +    resp = receive_until(conn, pq3.types.DataRow)
     +
    ++    expected = authn_id
    ++    if expected is not None:
    ++        expected = b"oauth:" + expected
    ++
     +    row = resp.payload
    -+    assert row.columns == [authn_id]
    ++    assert row.columns == [expected]
     +
     +
     +class ExpectedError(object):
    @@ src/test/python/server/test_oauth.py (new)
     +    expect_handshake_success(conn)
     +
     +    # Check the user identity.
    -+    pq3.send(conn, pq3.types.Query, query=b"SELECT authn_id();")
    ++    pq3.send(conn, pq3.types.Query, query=b"SELECT system_user;")
     +    resp = receive_until(conn, pq3.types.DataRow)
     +
     +    row = resp.payload
    -+    expected = oauth_ctx.user.encode("utf-8")
    ++    expected = b"oauth:" + oauth_ctx.user.encode("utf-8")
     +    assert row.columns == [expected]
     +
     +
    @@ src/test/python/server/validate_bearer.py (new)
     +import sys
     +from multiprocessing import shared_memory
     +
    -+MAX_UINT16 = 2 ** 16 - 1
    ++MAX_UINT16 = 2**16 - 1
     +
     +
     +def remove_shm_from_resource_tracker():
10:  ab32128f34 <  -:  ---------- contrib/oauth: switch to pluggable auth API
 -:  ---------- >  5:  4490d029b5 squash! Add pytest suite for OAuth

�U�Jdv7-0004-Add-pytest-suite-for-OAuth.patch�[mw�6��|�+�J�F�%Z�����(�S��c��v���e!�XS$K�r��?���h[����j�P$0�<3����������w�^��`�h���=q,8|���G{{=�?��e��H��!��N���z;�w ��}��x�Ng|���o��/_/��<����x�3q���A���o�$�wX���wp�{����^�1��?/;a������lq����?����d�	�1��`�8eW�<�57��<H�d��l��~���l��:�0V<a?���`A$3��Lxw?a��/�"�q�!��WY�����4�2�0��
n��o/��~c���"�A(�F��m0�z���vB�m;� �6�~�����z�K�z��]T'�\M'�W�;����^^�(�v� 
2�u���~��xq4���.;�����������������sX�r@�w�K�U>5Rj������3i��nM{�����V����_���aS��s��t�/Y��q]')��H��������~9vz�������-G]���&���a���c
P�:���}��+���v�]R�@���m�
�{T�����o�������t���}�x_o�~�!@H�M���� ��4���v�y����y�\����G�i���6j�i���0��n�?��*=�����:>SE�B�5-0f��Ut���:�<��s'_�1��X��Z�������7�.f#���f�^���-��L&�������#|e���F$�	��
p�/@��qz�h��������b;���
(���_=�)�������-�M�����-"g�����Q�8��<������A��p�y��Y@��i��?�4N�i0�e�����."������?t?�8�^O��I �v�l���?>� l{����@WN�8�0&���d/%������"�����D
��8�MQ�\�L��+�80hp�4��y��lF���������l����C
�['���t�^��0K���3T��I
{%N���!���<�p*�;�(NSq5�:a�p����������������S���7!����Z���="����5+�C��v$��o�F�+������btus�"#��2V�7���WZ��:w��s
&��d%ya��Q����'�[��nl�Oq���M�j������Z�����$��~A%�+d":���F9��~J��[�Bk���=akl��8��k=�06
�<�MEq'e_�M-O���aFsF9�^b����}=
�{A�]W�<!��K/N�}���!�c���V���\��k�4��wN�7�nw�y�d'pL�<�M���UM�~uf�S��m��|�/v�bg�x#��-�p�*9��"R/��J�X��Z{��O7�c�1x'`
��6�-p�,�bX�!��0k�z��O�gi1��������!&j�
fz�4���$}%KAt<!
�0�LY�Ii���}
0��Z"�	���1��C�4^������D�9�
e���	��B�8�L$3X������Ch��R�D1X�O�1�>L�2Jm?`%��0�w�/IxA�#N2�c��)|�����=���f8P��%q����4�������zy��ds)�9X6���b����S����4NbP��X��:���'��P��x

2^.#�
�C��v����`�q���9��)���?�H_��o�J���;0�-��R3����vpj`.���s�p�F�`��e:,[&
��v4�tA���1��������L�vx;|3�
�	�����QU.I,��)�c����x�n,��[��(0�t���s��F_W��XX��f4\+�������8���=��_�
hQ����M�6O���-�e�`�F|���v��x�����Na�|P��R���7�a2hi�A����`�������Rf�?e�(����qKq����.�4������!�����g�����`d&*66A_+m�E|G�G�7�Y���^q��$����k�p�*5����M�;�.�����hUR�j��T>ES��h\B`��8c��Kt^/<������E���m�/x���N��0�+�z �l���K����f|A��9��aC��XV
�v0��k��-����z����7��W��������P�z�����	����U�w���y a������,�	r��o�!v����H�����
n�uc�I��L��qpHX�XJ�*`Z���&�u,�9�<��e*#��~�sXf�S�.Hp�9�N1M8S�4ea�9{I1
�x�8U�)G�3��b��F��<�7R���>��]��P���������FL�f �Ua���O,�9m����KY\g3 6�F?}��Rsc�Bfy��
�|�:}����<����
X}]8��c�`0g���F�1��\�0G����Z��&��,G��R�W���G��}7��p'�RN��Y����������0@�&@V"�����bS%CiNE�������������g��tfpG���/����?�
p�[��N����;�{`�v�m�T��vVn���8�ZU�[������-��@��)9�9�g9iK�������;T<�E�fiM��'
[����q�&g�P^����F�Pd��)<�!�����s���!f�1X�^&u�~b`�%E8��WZR�xu�g*��� �l���O�H��j������������ �qU#x�.���@|�DB��q$lU�����JY����m����f`���3�ze��^���Z��;+�����2	���Y?_�];�`�1-��{����$��)�������*hF����s�p�HcQ
�b�0�jf���"'�������v�R���I �9b��+�
����2�< �N������aKj����jH�����")�����gi������	)��;A,P����M�B3ha���~��^��}]m��s��V��L�h	k)�@|���p���w����	RF���N�
pO�P�f0L�	����}�&xC��(q�����q)WB�X�^G�����2�W,��������Z�.��3�a���|��o���a>�]����/��@�f����#v'��[��i�jT��	�� �A
i�TDCA993{R�����!p��
�aD`|�J���*A(&m��y� P�R������_[��U���e).��+V�G�s�T�n��*�4v���4�p:q��XB���)��e�!�zd������qb�5���0(�)��H>U�D@���,�qY�YE���V�N����dV��~|��P*�haN5���0�QN�P��<Zb������.WnB
����
���ZO��\�~�~!��#= ,�a}i@/��x�j[��14a�a�����v(4���jDq�<���
��p�� �={V��fN���V�V�� �X�'AT�^�,)rG�J��T���*q�g�O_��)����!..s�QBvov�S!)f�����k���W��yw�yt|���-���`)�����:O0���[j��#YT�^)O������l��"j=uR�
[VYEBS���9C�m*���E/���nf��MIp
@��X��`�U[9���t7NYf_����K���SX]�S�Feo�5�U*����+GI6�x{������{��T��K
G�?������R����b;�2��),�l����.�$
�AdU2�(��l�������#���Z��k�d$�j���Eqj����l.$��WJ�e�I1%�*> �:����M�y���\��v�)I�6�Cg3�%Yn�*���S�*��(������2��	FX��WQ��APD��c�\�o?����3��2��0?���N\y1���+.x����n�u���U.a���x1�����?>)�����"]vp�@4
hX��!�`�Tx���V��a�Kt�J���6�w4
 y�6��$��T���u7��W������n���y��yE9>��7n�>��K�s�~�����SU����;M��<5�C��|�Y���A�VKQ�
k���*��E}�4\�E50)1����q�@�yH�md��F�M�������ewt>��� ���;e�G��	�eY"O���}�t�M�8�n��y��N<l����@���	��#��iC��X@�E/��W�E��"8����|���`��Pm��`�^�(

G��N$p�<�l>6�{��t
�kS���`���F'�zM9��J7�;�P��g1�b[�6
�i�k����[ �]��G���N�)&�S�^�s�����%Q���������+�������e
YeA��au
_O��M��� �)���={X�Y��_����W**�pu�a[��G�2�6f�)_������=@�Q�%}�kl���|f��$�h�7d��u�W�����5@O(�nbY?�w�3P
N����SBP�����z��;&��\����;`;F���^�Z����@V>������W�*=\n��+j;�:+�Mz^-�-��RM��+,��
�!��4�*���1Y��8���O��J�
b4n6?W�/�7���]��t5�t���Rx�s�-|i8�v�(:�PT�B��2�!sp �@�G�	_�1�WG��8bu�E=��w],&�~
��s��KU�A!
���Id�q��\O�Q#EM4[���H@�
���H�2p<��G��dV�Y��uQ�H���'����Iq���L9�h@�a?�0����}3�S9	;TeP��<Wb��Y������X�j=��
������kX	2���}#P7�G@������`�)aj[:=t�{�4�>7T�]j��������9���z��I���#vV�}��bl� �G���F9r����c�������4V�
��W����������C�~����"��?�����PK#������)�<�����!+�u�l{'�1
P5_�c�K/��"vn���m.0;jU�#��b!{/�fj2�C���fq���!�,�)!�nZ���
ru���yl�?A������b.gO������jW�:���u�$��k�f���X�����jPK���K4���
U�}zQG������[k�B���f��`���/�����Sn@PdT���m��<P"0��q]��������X��?����^o|���f1�U��_��YEM��S���~��L���a���(s'�h���i�_��rd���3E��y���J�[*�SK��-������9������������2lT�����LW!�S��QL���J������PD����Z��/��(�"
e4TY+8����t����Sd��)t>YI'���yy�=�J���K����%�������|�<l�vk��e�|C?��I�8N�(FV��<l�s�Ns��D�J]
M�+2�����g�/v:��x�B��Z	��V�J�J�N����l���v�������
����F�d+`����6��3+F�J�xP�������_�2=�'Y]zeK���:)5R�:x�?A��C��i�D���k����:�~�q'"�c�������$|���6y���^A�x{�����s���9�����
%	S;U�ZBW�<l���G�����~
�[��]���}4�UIC{u��s:q��k���z������z�����}i{�F����
��I��D�����cml���d�#{��$(!"	� u�������
�$���3�H������W�e��h��C�a�"��-#Z"s����C���_�a��B�$�/M�,\��6�T�F��;0X����R���Y���^1��������a6�\�UH6;=��G��������� �BSR��{b6�,rAF�T'�)M�r�������I�/�L���=<:����PN�
v%�)���[SE���y��MR���}�H��\���<�c�]$�������f�m6����|�&��4/k�}t�I`�g:��M�Zl���"Smc�6�72�~=�
|8��m&�e�Jc���d^���9�k.v�kYh�����
�e���J
������T�������<��oQ	���%�%����z�:��5P���D��UMGn�Nq��N�������=�
A
���9���'I���\g����`�Lp�����d�`p[�A8��w�!c��&��."m��/Op"i���p%�e����o��rp�o�vi��b����8�p)�QEn��q1�����o������E�{��y=�!�O�f��?�9_������Y�KG���������]���>���54f��h� ��
v��� 7��7�K��v"G��I�pz)�����<
�b2Y�r��J�R)�����6:L������9{�4�}��2��,���=
G&�����gY������P�d�^N!7����� �����6��"o
5�2;%��m���w�F
XL0a��DS��`�N�a^�3y������	�����=��6���`��D�u�]7�I��b8:	_
:>D�[3����:6~���-gq>�u��1�v��i�:R����8��p��<6$���h������\|@��@
�C�S���{���g����JQ{�����='h�x����VA�Z�
���Hx�P9���c4�W�?J�9��������0W��yJ���0�Of����-�/�&	H<�<���2V Z�h���s3#}fXJ5���g�P�"����+n�^8�|��A ������UGQn�+|
bS���@�$d$����(jR����s���G
�,����&�&���Q/q�����&{�������8�:W+����j�2�r{�c��D"��8�M�,�e���=�A?�KH`|m ��U���wT��'MW����+ c��o������D@Rj��d�U���t��]"�v�����f�[�`�����]�([�@���d��C���YA5��]�'�+��2jj�����]���l11�C0��S��!�6k���0N�O�Kr�A4��2C$91��my��D_����}0[c�g���w.�����K�b�!X�I�rD�Yr�w�o��H�xd-gE��J��[�[YY��
��Z4Azg89=���A%�b`�&����r��O+���h(�H�-�8H�cr��(�U�BP1���-P4��5c6*z
�����l���7���R��Pma�������^��ey`R�#��]��F�Jz���Gf
��fso��w��_���|�yPm������'G�z�5�E>0�3�6T������r
�zu������^��%p������X����.��)\���Y_�8��i�����fLS�Rq������L�_Wt_�@�4����R �������6��R
���d��=�*�fK��p�2x��E&�����@���N����P5
8~7��������]Qcf�L=;�th`����4T�GS��B�Y�������A?�(�b$��-H`�N�lo?�3��*�R�sq�<��\�
�F��xq�;����=�������-m�l4J���
��I<"1C](�s�Pv��.�a�Xn���P���a��l<���+�b��$f��Q��9����s�
 �������6�QH��+
;i(���w���}�WeCL�E��A93r=�BP�����<��*��B��<�M��8X���;���}-�E@�R������P�4E�#� ��'U�BcRb`�O���#,�P7��|��Y'��p�s���sN,S@@3���Y�=��i1i�NP��.��v��$2"\�s��&���_�(�b���5U�`D���#�5��`��	9��2�C~��JD~��Ep���� xA_�BK��%����	�a4^E^��m����^��c=�*�ZT�/i�N�����	k'pk��h/�
>�����`")��N��C��a��C���A����52���5�U+a�c���y`.���T�;:x�-����uc`�kD�����.?t+����N��4��S�)k�G������
��z�p��s��s�
�g�����[�:�K��^3��b�=�)>�_
`�QzYp8!�/p����W`�tJ��	@�T`	� ��<��MbC��~�E\��N$z��T�F���S	)��2\c���
��&�"\I{�`XjC�)�$����/��Wbu���
=Y!����BY�w�-i0�%{T��I�
=�%�a����B���|�\f�|�l����i����s�3�[G'D�`�l(���Z3i�X������N\��ZU'hm�.�;����&O'&IL-�U�9��b
H��.*J �[gZq����;����'��H�
����~�����g���u��_}qzf��[ELr�7I��A���x�o������/��w����q���h	Dgq�YIF�Oto����U>;;%NLG�����K���m����tL�.����-������V>9�'sk�k�����������O�9V���v�zW�[X��,����)	�c�[��8^Cqe�i,����7��9����	X�"��,yS��fe�l�P��
�3/M�;�Eq 7���@{�_��TRQ�����oZa)Z�o�-E�,4�pMn4��,����I
�F��-F��rKM,%�����t�D�E�h~II�F6���}�SM��	2s�+��ZL4��,h&kD~"D&tw��S�=HX���IV���E*r4���*�dxc?��it�K�
�NJ����>���_�X��m�B�jE6���/(A��xE�7��?�m�"��w����T�)�7K�7K�7Kp�,A�A��ss`!�vI>��R�9SXHG�$;���N�6E�e�]��D[�
�mGUkVi�Dv'}�
'�u`����.��!����2a��o_��<_��$�_�����/��\R�IM���0I��`3u�G��F3'ns2`+��mFw�����pf��%#U)nM� �%�m}�%O��9�tn{j- ���m��)t��8�B
i��;���[�c$Hw�_�iq���NBo�86�cO�����U�������"T��n�
�!�,d&�
`o��4��#���px��=7���[y4]��YT���:���-�
8u���tw[������)��X
y���>�������+����?[���V�����2D.����M)�i���^��@���D�`��f�
#n�J�������`�&���:K��x��m�TQ���@���f��0�t�V����������}�S�|������BA~=��WK(�r�n7�r���d �Ob�p�;
�
�;�b)'�7��H����=
R��4n�A~�T�Lr�=��X*�b��?�����d��Q`���h�J AG�������U1���u�
���Q������NGx��^|���"��X?�Xwy���z�t��d�#�#��/�3��St��v��Aa�@~���l��*��j�p1^e��yp�]����"��K�X ��>�����QZ~,\+������x�J�����0���z��sG�?v������Q������/��9)E.���4����^{�e�/���D"IUX�R���1� �����,�z�GP�|�7	���A���6g+$l��2�J)�Av����D]�ns�2ZH�}�r�b���?����x�q>�6�%(@�o,�?�Sd�y=T��� �\@�E!��*��/��DQ���x+Q����VP����2F�UT��)��mM��S��~wpGk�J��D\���q��������'�BuI9�ZlJJuw�z*eG �����D$V��U����Z-Z
?M��D�4�,z#����Q���6��4n���ax�Cf�_�c�?�z�$`���[$�&]����z�$��b�SH\'�D��e|���4�����Q�D�ef#E��S�=�=zd��M=����ycK����U����������8������H���Q��ws!��xp���Yn���u1�k�X��<GPTd�<iA�|��mZ��?����������Sf
q�E�!$~�8�y:�@	�g���i�Z�1E�c���-��
>�x@��y���Su�B�!�6��j��������P�&o�L{:����BU(����r�P��<O�N�������>3�;��@U������\@�u.�'�Lj�>0 ��(��)�N)�1��t%-D@'�@]Kl=$"JF��Zd�u;�����VY^�g���S4�M)���`��?�
����X�gc�yEC^�Q�UOig�w�nww��N)7n���'��}s&\MiG={I���4��L���)�Ek@k@�/[� H�YW��~dt?�:n�����!NG�*3��`�X�
��s�`N�M��o�]0\�=��4�H�tco���l+�@���0��04������v=�T��"��������^��h��I�����Y{#`@%r�����uf�)��O��/�����cA���oa]�qUbH��B�^�i��B��&h�M`DY�}��&:oE8�!{�B�L�U�����1OJ�2qF}��o
	u�Li�K0�������-���=�M�Dd'���H�f5��V�����Q���<b����D����y�
�{�(��B�rQ�����D��k`�	�Y��'2��2q��o	Y��z�����_�\P�g��fhj+�38�[���v�.���y.������U]�,�����g�i�8n��I$��m�"t+����ao)
Orp5X�.N�|]/x��C��bi�� Ej^�()�\%x�3�uf��g8sAGk���5nC�hs���U
uA}����F
u\����Z��9�UV"����T]����7���v�A"��g����Y�saS�K� �+j����0�{$
Hx�s2�����jI�!1k�Nd�#�7��
ZAF$�4$��$|W)�5� �
���|N���
����B�h�h�����u�0#N�jg��;`�!���@}RL��J8lp2B��������
x
���DPb.z���������W�����]n��#yV���Q�z%'Z��xC)g["�2=q�������	@�C��;�R=Rf>��j���R;M7����vz1Nnw��O��)�Q���L�d��Fq��"5U_�1>��"�%z
V�'
��;����[>���!�B�OX_$(�$�t�
�d��%a/����Xx������Z)�1����(�
����t�������j���]Q���bXK�\��7y��$�	jz����I2����<�o&uhX�e7����+.qI���)���E�7�5d�
-�1�7��@f(Oz&�b�����n������|����qU�R�!,
�v)k,>z4$��agcA��Vh�����+�(�.����ux^��W.-)�ON���3��X�=s����
������Lcl��
� O�Z�@������6n_����5A�������(�w/o���{GP���c4`����am6B��zh���qG��c�������,�BQ��F�G����P2��3D�-5b��K��;�^d���%�f�S���[>��|j��Tu��^<'�;�m�j,_���'����������g��r��g�=6+?B]�xu$_A+��K���|��y���P��<�d����W<��%��@��j������lOQ��j��^(5O�3=9'�'Rl���Go&��z��@�k7g��bX�R
Y��N��$�@\��h	�|u�:`'H�s�2d�4�I�72�;2&Qr�I"�\�E9���6O.�	Dt�cDJ�4�'�!�?&�C���fjL���1�"���I2F��
�����)�%U_e$r&������3%�CY�Xq���������?{��I�����Xp�hq
���n�.�a o��t�1��Z���6����}58�������
Ja8$�n�;�Ic��$�(���:��k�A;C�(����GA���N���l@���,���|�Rx)�Lxd^g�I�/����-/b��f�n�������f_-�]T(�1;`��2NQ����@Jl&��lX�E���Q�{�������,�x�@��_���������S���mH�fE����!�*^�y�Y��9�����@����
Ee��=�E�xw,7��E�Ee5j_���q����9]!(�w�qZr.vc������!vm\V��0��������
���\���es{��+���s���[j5g�?�`�=���:�����	���I���<<�c?QQ	�$h�%��%7Q�'me�D�(I�b�X���W�-,J�\�Dmse;W(����
"�`s.�Y�2�I�6��6
!�_�����"�d�!��*��Y�O�K2ky�PiP����%�U�g(�kP5�����m�B�o��
nmn���� �I��&)��D4����;V���������P?f�����X�*����~�;�7WfL��<T�L��2t�`��h��$�D�
���D���ys�$WQq��Ap%�l��w����i�F]�AI$�@/4m��'A�����'��d�;��RKQ��R7Js5��V�|�D'����~�zn�[����
E��q�j�1)����T|bk����H���QV��xL�A�2H�gw7t���r�R+�]&`�C���bi#��6�c�#sh���88�l;z
p7f\�����+<TF����
�P�;��w��m�
K
��trK91&����q���y&J#�`�b�
�v���=atj<�O��>��3�o	08�&fBS�z=�����D��8p��JdvnH%&�x��b�����S��]����m��N�.�Hukj��Y����go-
'�%z���"	t�5�M����/��Y����a��
�/}En"���� r�\��hx�Bm��L�[E[`����0'�#���PF�{4�S��[f��Y4O�`����K�f�qUek���-n�/�+��^���P��
���t���K��b[jl��9���9��SE��������*`M�(0vd���hn[�I>����
A�X9�0�����3��$9���2�QW%��:�5HG T�j���m��
�(�KW��a�d�R���,|?
�����f�X�w0^.��
��.���:��,tZ���_w�OQ�H�������*?�������@��a ��M`ay�$�Ws.�z��$d��`���<&��p�I}L��#	��B4�,��������js2��"W*
��*�t����*<-��yv��\���A�Y���u���3h-F�:PS���y���~.��4��K���*���3h,���|���S��D(j���+�V(��Rz�u<9��=���� ;�o�������'=�A����$u�?O����/A� =4q7��1��U�d
V�i�;;,aj��o����\����
�5L��;h�n�i�i���
K�����rf�`}p���0�G�>�uJN��������<X�h�VTdC�B���btw������=�[}��g�s�&��N9F�x9,����k�I5� C�
�AX<�qtk�>�|j�
|H��{m���a<�O�J�Hv�J�$Y�]����}��`
4>P����,:���J( ����Z��,<!,��PO���#����������/EI�fu���������|��#��@	�Q��!����j��
�V���T�} :�cd��M�+b���u%��,UWnw��\`G�|�	z@�5t����%6��g|�Iz
Z]n�aN�_]ZX���C��^�6N�"�>���!���0R|�>v��� ��M�&�F�^X�oBb���:�O�\f%�����5��B5��N�m��F�w����B�6��I��;��>�6C��)��H]�,��k��E�])���� �����k/�(��������~:	"m�	:Y� fH@M.q�������X�5����9���m����5v��0F?��2�1����`���$���'�AH�'�$u�Ng����2.rCOm�#����p���m4�(��D������S=�6��`�,Z���#~x~�Q �z����cMR�����P,-��}�c��������*y����8DZ`2�&��=�@>������3��K4�'��������)L6���mM,mEG;��r~���{pG�!�u��K���
�`���Z=�F�ss���u�:\�<
�)%�,�\|f{��'�](��To�h���k�:��J�����V�mQH
m����x0
�Y>E�����!OA�x`�pe6�KL�P6+�zl�G�����%=��c�xwr���F�)����e'i�'������U�P	o|�d����(~�f����Ji��Y-�����#c���[zD�I�x�����B�`��>���-lAt`?a���@j������;7�M��^D��?���
,��d�FN����*;o��$�e=�=��PGB5�^ID�~�6d�!h�??�b�E��g�<���)tA���d�;�Q�	
��H�e�e�����z`���%ir�t�q��(:8��H��'�Sa4�70�D�@�
O#�w0�!�l���2Y�e��W[y�|�B �lj|d�~�6��6l���(�9�pB�s##��'���{��o��z��w��U��#K}&~�W���fHP���-��;�F1�*$����cm�E9�S��<�|�:���b�������4O;� ���#nN�D }���0����U]�hEd����77Acn�� 1���0�\��������x
����[��4��^�-K�f ?�S��:Qc�jd�����z������+CNX�;��
��j�����n�kj_�j���l;;Q&���N!�b��rP2-c"cI����;f^XiI�'vI�`)���M�t�8��)HN�:���$=�@0	�m�d��C��2i\L-���l��M�����P
�ut��t��V�i2���w�U
=��Z3 z;�S:I"��i�D����d}�����;����(h��R���g�PO_70aD��X<���������+�R��z��G�o+J���
&��m�
J��{
��P�`W����z�e��q�S�-x���c�B4��0h�	[��]��G�Z�[G���YM�W�,n&m������*@�"�}b�=*����'��E��L����4���2����V��X�s.bg\���2��mlT���h���q�W
����A�,ux���x����r����jLH�#M�~� U���J�c2�8�M����	v�M�
��9��a|%�r�������z
�Di/��#�v���]�@������B��R�;�C��ZfZO\lK�����4��9��B��!�
�7��}(�IP�F��F� �1�e�
���CQ�6��	�M��9[aA������l8T����jT�������0��a�e����L��b)�rE]@��&5�������u���08u���~��m.���v3K�hA�t����Hh�%���!�}�M�kh�R�i�@�N�a%�6,Y�r��"����/�KP����?�l�H\[\�!���x�/*M0����8^XCf�C�EQ�d,7���j&$��h�+��������BF�
�}�\��l[�;O�F����<��
/'�$�t�{�Jb<Oh"F)�0�oB�i+A�=:?�1F#f'$C���~
�-h���Z&�@�� ���')o��5���"�mH]����Ecm��o
�QSC:}#������E�#������d�����9	��U(��%C��*���G��X~�(��S/�F��;;�v���<�iOw`D���X{'���A�G`�[|����! 1� h����3��C��G���g8n���N��wv�:��^�Y�1������d�(��N��]O�+q8������y�CD�������x�E�����wk=j�E���������V���L���3�������t?�(-��BO�
���[;������F���Z������
a�U)G��|,��?�O{���Ng��0�G�-�������{O;������yHv>kDJ�T��Mzb�����W��~:x�c������������
���	���2N�B��@�����H(��E���w���ZEt�@���M���7G*���.vObEMCy9�����=�k�5���C�T�[�q�> 5��AV�=�4 W�]rC#*PQ{�
L�8E#`��y0��<''m���
�E��H��Y^d24�+@�A��X��?������(��J�GS�D�8!~t_3���bjb���#PzR���i�e����k��]K�����
.����j����(��t�+���

���J�H����t���x���B�_��]���)�1v�8Bw5c���������c��(�z��X�*��v����*�@��q3�����?�4�>
d6
���Ap��Y���-���Y�8��/��<��M&�� �ds�8�*�!:
��[�*V����7�����Onr��]7��g��]�V��)��8��A��9����H�����(E��}6H��_�i:(�����`f�
�
�!`.��X�^{��C��c��p3�V���V~�L,�K_uq�|��k���_�����~����������6�����_�^<o��|�����?�������{v�|\wBJ��������j�rp��Xl��[�?�b���w��7�����������.�G
~�����;����������6D�[�E	i��?��i�
�(��|����
��G�/;/���@����em�:\����#g�D��B&P�����	���+�Y�\��:(<TG�y��_'n��b��U�2}B���G��T��oB����6�&k����Bi��,�1&�R�`A��*I2��C�>��*���7^��$
�f!nB����GM������
��W�H��@K�c
��Fs�:�RT�l�+���i��.��i�4?���KrLGBn*�!���?�teh������V
��ei�'�b�#A�Ny	��{�=����a@�E�D�YF�h���h|�f�b��0?�%B�b1����b�e	�q!���2�Uh��C����C���b���iI�d���!��z�9�&J�n�\�h��IO��u~�AC
�kd�iV#CH1����!8d��H\�3���8��A�5[��H�<��b,C//%3������S�j�t�
1D� @����%<&��1�D��H�Ol�G����<�F
ud
08>�;�t�mjP#������M�|�*aH�����N*	^������<m�/1�@N��%�*����#\��p0h)�c�Rt���������S�=KG���.(�J���� 4���TU�D?$�s��JIs�D����!���|bd�;�o�������H�u�3�y�%��YG�`�Z.e
��R�d�����b�I�(���SX?�t��#
�M��|wu5��!��@�U�y���/����+!��g��M�_�����C�w���ND+��~��}���c,F����
���|��!~�D#-��~d��-�T/���;t��aLC�+����\<(X�e����:�R��O"���[�����~[�?�������N��J��Ttm���;LA�
�jY����.�sc�@K��$�&5��!��L>�v�:f,���?"���`a�M�{�<���z�y�T�������@�lW�(�J�3����������	�d?xw�j?��)xu����o�zD�gj�_�6-����c������D[F+�$���JM�3yw����}����su��@��%�����[k#��n�#���;�&��`u�I46}o�����Q���
L�jw7D?��Ly��,�)]���?���o��o���W���;�?G������cwz�B���7��a#������#
)���%���6"������� �����4*���|F�d�=�Fb�'k��K��)�����D��&3":o������b�
����9��W���a&	zM

T���2��kj�@
:R=�
�[�g��CZ	�H����$)��J�,�w�s@��
��|��������>#�e�CI��H�����c�Z�RS\AC��~��BP<��+�Ba20��!6`~<������4hj@el���JjQ� Js4y$�`������U�SC8�c��,bjHs9#��WB����AG ��P@RB1L�������F28u'�^&�}Y=D��@Y���E�E�\��!OP+p�m�Yw�at8T�,x���0e���"������}���Bk�9�!�#zr�a���+���H ���}��3W���V��.�jD����GDa�z�����6K���]�;0�$��fD

�+��2[6�q��85GFN6�5�@�j3e������J����D����|�$N�X��:�DK9� �5�g�8�!���o=����|�Vq�t3��@�7�WKfN(Cw(Q��TPt�@9���n��_���bLe�
B]��)q5��o�����C�}�D�	y�����c��6�C�Y��1�a8��b\]K��d(�����X���?����r)�9	��cq�<�w�$d�'=�/
$��q���~��<��D�����Q@s�\�/�Xb*+��(l {(�����r6�'z?4��#����@�*����n�S���:!����7�����8(��k�-�P�z)��o�2���a$��WW�M��H5��W�4��i���r�!�U�92�.�(2|dz=i�L��a�4@9�����a�<���[c�������HN6��������B�{����EW�4n��W��DoGAmU_v	^���An��_�z�|��kEZ�x��7�|�@j��s�='��s(X8��2
9"�[\�R��	��P�FK7�H
�^������r,��������S�n��{�orc8���	�_Os���K��}��.��)�L+8������a_�]�B�X����������-�hy�a2�3F�t�SQh
Z����5lsG�mZ^�}��
"�M�	Dg����U�����9�]�~H
��e�	��\�h�d8k�9KJ��t(h1I}7Q
Y����r����l�c�>]���uqF��(����1U0Z�������z��ppxC��Z��G��@�]�G��F�����&�,LG*f�S���W���{0�����j�)!>�]#�v>����%�UP��^����8��:��)[��O=p��P\
Pzi^�`\)FDl���M�=1(�R@~7G�Q��OVi
� 1��q�m�`a�����&����s��j��\u��cw�U��=u��a��)g?�f=��S�s�I��?��r��f��M2�B%c*tC�!��=��)� %�����LE7`��NK��\s�?gN��]4���.<��ONd���n��p��l	}�AxC�5��e����MJ^�0a]�� \�@����WI��bi�}�{��X�N�"���k}���
e�!�QU���b>���4��.�	�k�<f�L��A�!�O��k4l��h7������,��q��U0��y��u�~_n��T���n$/K�72�[�14N,c����}�>���Z��|��2V��HQ�dG�zz�?S���b�)����]�&�]�'�\Q{����f�
!�EiE^y<��tI��D�@�O
�a���KB���e�AMeB[d�L�"��m���I��W��?�5����h7�(C���m�'�d��q�i[�=�K��\ ���M�ZFE�y�6R�����{.�L<"�x�|�C��A�� a(����|�����A}�	N��y��r���]F��6��?,8
��/����a������j�0�;���k���J�������P�:�6qJm��A�1���y 1_j���a����A���FI��K{
b�����Y|n
r�%����
�E��EPk�{�P��q��
1'��@4�I�L��qSxcG:����0~���������m��]���;���]0e�#���
c4��^^x���J!�5���?����2=�{������]�
���j���v���,��J��_&���F����{x�s�9������W���d�8O�w���Mb��
o��G|^�''���O�
\D�B�M=��L��P�7u_��5�H����#vZ)j�t���>cG��d�h�1.}��I'�N��W��'�SjE��5k�n�b@�����O������
5x�\K��D
ZHm�B����	�i��aAfCkx�en�)t���%L�	;H�U���Z��yd�����yF�d����{A�h�?&�P@���Z�z���S�2��A�
���\�!�,�6���<VW�*U���%l8I����	��XNP����P��z�?�F�������K���:���la���h�����
�����^2ki	����8o(N���yN��W����dSDB��!,�����l��F��G+�x�w.�����C$�@��6�h}������S"1���0���50}��UC1���<d�D�7dB[dBI�j�4�4�9��e����R�\xn�;
�w������
E{$p���5R*n����+�e(��%����5d�|�<M62�$+q�
��6n��~*J�z���#��,�.�H�Zn�BBMQ���3�c��bhpT?B��h��T��
���6MCr�'kN��0�����j�
�����$L��W�\�����]Q�]��a67��)�K��ZM,6���$4F�PH�����(l'��g]WlfA��f/=���5�G`�V��oY�kY�v�������Z/t@Z7��j�!��K����k7n�qq�������'n���F����38����{�h|T��C��C�J�$���������<��lm��>�qC>�q��-���R��]��f��K�6�Q�M6�RRM:�*��*����$	0����K�@�^�',���xU��X��<%M�U2q�%��{s����W��e��!��!�`�
��T��je��\���@!x���"��3����m#�*�	\�G�*1�6�/3!�i�sb
pO�4���
�]+�KU(_s�22��.@c.�B�uB&.��	�=��j�`@y��G�1��]\c��Q_B(Sn`���x�\���<���S9�Q,,��
���4�p��w�����"[���y2V����{�S@�cOq���3P�K���9��^�Z�E$���3�\P2��;{��,V**����`C��Lz���
��&�l#��V�[�kA# ��D�e-���������M�L7���4�@#��`���h��l^1��7~)7Y3�UlI�a���E
(<�����>�E����)@�'0�)�OPd����m��7�����9�6��5��$�cR�#%�J�p!�
1�����y,�>���(�#u�c^��&��u1�i[5�p�-��!��dF	w���$+h��7��A��-�Ha�
t�7�U<
je�����P�oe�����8� z��D�i�o���#��A���w{�W�^���om���.�\�b�G`����������
U	�t���E�}s��ZoH��E��`	�Y��vSp G��-.�`��z��/��/t]��l]�$�F�,�/tmxQ���	�`�� �Y�_(���\���e7}�$�~�U~i[�.�*#�
�h��]��R�� �0j���A�_�>�����4J+��%�A|*�����v!E���
��YZ�C�x�i�?�����|�(�A��`D:t_�)+�{�[�VW9j3��8���u����|i;���U9RD>8��|�'_��\y���(^U���G��Y���h�R�uw?��d��@=�oH#����
��[��YD!@�d��_�I�QLZ�2s�-(S�����+��w_��HE)^f�+A
��������	��������2$%��9}�[�Sr�B
���F�6T�=�FH��R���,��\y�g`A����T���h����vYsx��`����F����[�����R�~��9���2�l������$D%���t��q:��>R�?	U�e����:S�����60�QU��?)�D�6[G��)0��n&��b�?����A|���l��� ����9��t�6Z_Bn��G��o���������*�.f�/���gqC����j>h���Z|������FTc��o�\���z�M0K�
�K��Y���4b��/�z�j�[t��<��gp�@����X����m���x��D(<<?���_��$&�l#���K���G���44���HUXv�/��f�*�<���U���a��+�-�er@P�hHe+Y�/1��a�)�$L�U5�o�H/o`���X���|��f�����R�Gn��Wx������ u�[�ie���.A_H��3�",��op�I9
����/Q�8��`�b3S=d9�.
�L9�;�-M���k�b�
�!�,��%���L �I��I�u�P�x`&Qhj��.u�CXQ���Lz�K���b|�Br7*���"�2=b\H1�4�����n��*9���6%������a
�b���L�HmU�b�dI�f���f���&UWn��5l��-�B�ze��3�#�4�Fe.���1��C��BF��/z�;��<c�R����,�gpU�nr=R�7�W�{M�;���1��
����p�~�8�{�8I���!��d%�H;���g���>�S9�TR���
{��x��N�W!�
��x��<�,x��A�*EL$�����
c
OG��]���7@�2��%i+��6���* ����P�	g�����%q^�e�{�W���:��������?�=%��$�&y����nP����c����<O'�V�����J���H���)�aC��qp2�z���0U)���$�����7��E��A��7?�N�x��x�d��������++��Z�W�Iw�sU����Z�A��6�����N�r_�=���!�W�\[����*@��O��7��{�x��W+++�j/�X��?~\����V�k��fc�|��W������5f��E7�/�/�"5��Q7��Go����*�&bIWt��]y����6��cqb�VU�.c�P`��0`��FU�����`���,'x1>��fu#{=�?��Q�k�u�����c�n����RXT�b�r�)�-�����\�6�'k�^��sp��g�ls�a��`u�OV;�h5]��������a���8�<8~ypD2�����o@����g ��)*�
�
\����FY�
��"]� +=�!U�g
Y�"E�@^�=���)w\����~��764�orH�P�M����B5�-���/P{p9���
�S����x�2���K���<�p��~����E:�F���<I�t�>l-��D���@B��j<�E�@��g:�h[�����#���^����Idqz����J�k��M��G������M3A��g�6������I{:����l�2c�g#r��d�L�\b9���J����R��`��p��D��xCrQ�*9I88R�kr�g��8�]]��N��_�MNW1����f��,}�����vA��A1�����E3�l�GG}�I�	!�A���<}
��TH����9���"I6 "�������p�Ie�����M�c�<�)��(���$/���������j	\�����ooq����%Jf���q*wFH�j�=��0��,�/�B:�y����Mt,`�41��������eZ'�/�]����
D���1P�9s$�������i������	���u-��~`�yp����={�������?�yvdL���>q:0XD��]��nr=#>i9M%Q�%.BC��#V<.g���%��	�J�x��eD�*�i�y�!3]��i�>_R���~�H'�,86����:�L*8^JB��9g#�������|e��V�H'Z�zd���xU>Ez���m�{1��=P�]NR��R\s�*������5+�r��(�0@P�S����������������VrX��%�${��F�w�����b��k"B�
���
��(z�������(�RP���}�rkF�-�=(8z�����Z��k����O��G�=��n��9J���I:���m���C���@��r�Rs�x����V*)ul
e*�
Y�!S��Ky+\i�U�������E��Y�I�0RH�;���a2���tC�vL:��+�WuoW���,^�m�3-���~0�����tj��+�8��aS��H��������n�k	�/�+p��t�&��H�*�i�pU�p}���$;����B�C�1������2!8�FT���� ��H���}��See"{}�����������h��q�\y�I�k�zg�<NF�S<�(�*t�����
Q�(���R�C�!>�tq���y}��@��G� &Z���:��t�)uC����W�$30��x�=�bQW�����}���(�,v������m�
�r��q��pdfP�!��B��J
����!��#�=����P��X��$�O�����J����)��xr2�4��O��
���'��?�
 :"[�M�`hW�z�{�Y�H����qI��,��|0e��\�..���%I�^�JGA[��
�E�5;�a?
�g2CD���[))��',���.���!�������q�����uZ�*M�<��2��o��t�l����f��lo�;���`�i���`�l���$��;k���Y	F��&���v����`g3��
}�Oq����M��w����`�I��4��+4��U����@a�&S4�����s��h�9`}���[M]�q���_����O�t��4S�UW���2����j��������`�����������!����{'�R��t1,��n��5g�UP�%��F
S��H���4R�6�?�j#Sd�xp(���|@������>��
A�N�����0~f3D�Z�'H�cpF���iki �Za�a��`X�'�u:-��7������_����V��g���K�����������'�ia�������;���,�@�����7-�L��|90U[&A��4��� ����2�^���eK)KKo�2��Zw-Y��~����r��u�l�Gq/�����;G�������yb�.���3�
%n����9:E�l#�[�+G||���Z�&$�l��n`h����V�9����7�3yc��qj�5���n��f����6
�[K_�����BZ[��{��Y	_KwRkO�I����9s�8�Qv�������x:oC<���3iZ���X

6&������7���t�.5�r��E�[7�6�Z]O��������]��T�|����\�_=C�&�H&9�\7��*��G�����3��Y�����fF9�A0��u��df�%q9{R�����5�ci����uM��)b	���e5�D���Jm���+��cq�JN�Z����Hn���R�� �����\�����y�p�{������vk�����y�\_.�01\��A�M��e�S���MG����S2�:�[!;�@�������?sG������C����fJ0��"�U��F8�������S��9rG/�d#�4�g~t}����.�S���"G���m��?��;�-�m\�w����A���w��C�����o�]�.[��>���x�i<�aR�>���3�9�x8���i��Y��2�w5����G.��o�d�X��p��J|��y{"��f��n~~b���U���2{�mv�J����*���@(	����#��!(+>�P�j�����[��|A����Y)j��b���)��_�����{u�+���B�^Dqy�q�\a�,)tp'`���v������Xb%e�^�NHc��u����z>����������Z���g
r}����J-_s��	��?�jk��`�5����u�b9KTm�~�j��)�����Z_jc1m���'�s��j�g�h��s���������3�5|�
n��j�S��?^��9�Xja�j��������^v�����i�}���;
{~:�"6�7�*��j���5.5��M_:��[��a2�e
��e�d�=���%a��R���y=o��Y$��5�g������r�]j����|���@[���l;�>�_W����/^���<o~]eNI�(��9-�|
����g�����m��]yB�6�����������-�<�Tg��y��j�U�"���D�_�x1e
�A����K ������(-�-vB�QE����{S��U��f!2@���P�����V$Ce"Ltv�����]��-V
�IKa,�f`��0�'X��8�b�%�����X��Li!,qy�O����,����V����_R�����+o_�|�������sOK�iSg��\9]q��zz�[Rv�{v����Du7X�[�>��-'�ZN"w�e[V�uW��%�SUek��p{a��;r��4�I���_$s����s����7UW~T**��� �tB�y�SFS*�T����}0���o����|�s>U�8�	�@5���V����%�)���TT��m�>s�9^AG(m~���+BJT�m�]�E�=��7����$���'����l����U���P���%x��B2W>P�By�o�7������Y���o_d$������C�WI�"e�r��J����U&��Q����x�a�t�_b��n����W�d�`��9��-����YA���	����x1����!b�=To��7g�]����H����{"gs.
��uJB6�2>6������H��}�"=
`yneT6�/V�Yn�y���`�,d�<���*�G|���0����x�����(r����m�V
�0Sb����|��Y�|*
/0�����5pL�������9�XW��D����3�*=�q��|������|����������'{��
����ae��	��+��.O���FAU�LZ�Uy�&q�'yM�o�@�^�z+yr����o�n����#Z�
���#_r�K����3�I�Bv�����u����;���������|�d��N��A�����X_<
�	�K�P��shn�����`o�xo@z�'z�K��X��S��*�uC6\-����e
4?�`k{��li��UOP����W�}n��������V�r2%�L���y�3���N�		Tj�:�mA�K���`���
��������D��L�C�Z>��x����R���"�4 2��+����������Yj�p�u�
|�vJ�=|�KCl
�9��n1H:���K[CFF������|�x����}UO:��
i����n��l0�kF0�F�K�Q����(��.j�P$����"�:��:~�^�n���/�.Df�e�0���I���o��a[������"�$<����4���-n�YW�j+���t ���n��a�m��v6/�Z��7��E�Tt�����&��:�J����)�?o�smg����mv�j�Q��=�n�CP��G��"��:
�����ZT�q�QPtqgR8�I<���25����'��B+�G&��f��`�L����l:�N�](�#j�"v(�� 6zoG
2�RM��l	o1�w����8I����xt��d5�� �p@���^%	���h&���1\����-����`�Z'h����O��@���=���\����l��N]��$wU6��nk]>�%��5�����mHe������u9H�'	������
����������m���6��Q���� ���s�i��(��\W��gc���) ]��v'�Ev��Z����b� �tks��r6:e����6�L��4��uksG
	���qkSz���Q\K��xj�XOt
|{k���X����'d�7Ff��-�J���tCkG�I�J��t �M;O��I:�n�4�k
���>QP$�����+ ��zj��$%����F���gK����=��k
�G���7����>7�`hF���c!����/;�#�~�|�<=�is{��.(�5FwV�g_������)�:��bK��fK�����$��s}���tCz�v<8����
s��7Q�d:>�KO��$�����x\2�v{_�����6b���>mH�#�>k�X�d��m���4�
g�_�F�93	���C,�4�n#����^1��8�Yv�&����shPU��o���`�
�9��dfi�XB�}4�d1R-bvu@}��K�O+�gK'�n�]
����Eh�`�Q(�2EQL�Dp�B�N�<�pG_B�Kz�"%h?K��<�	�g��!��U<*x&z�	>����^����vs��%��������P�d�������������"�b�����
e��R���T�f?�%AE�VC�>�JCL��B
�
�m��
4�%��}��-�_�um/�+�;XFP�l�/p�j�=�W�^@�Q��@��u��a��m���kyzR��I���h���a7�����,hC"'`�����.����s�(I+����N�&� �����{�v��>�>��R�2�S�������t��e����p�������K����Q�I-:/����J�@������Q�3M!*LK�y�����m��� ad��r�4�?�nStY7}��!�������4?����gcL��.��t��>������\<�Z���
�[k��
x-6g}SQ(�t������qBv�H�o��mm��;�k^�y��-�5��S��S�����z��}x��^/�/4�O5���X����~��9�X�o�9��U�|��
	������B���o��#zt�O4��n�Sr�3~5�|2�������Bk��^�n`�w�a"^$�b�t��`���������8�A�����\�If#�Y��#{;�S�%
�Zic��f�y��b!�E	%/�*�k�������h}+j~�������

1:  c3698bbc3d = 1:  6434d90105 common/jsonapi: support FRONTEND clients
2:  0cd726fd55 < -:  ---------- libpq: add OAUTHBEARER SASL mechanism
-:  ---------- > 2:  13ddf2b6b3 libpq: add OAUTHBEARER SASL mechanism
3:  77889eb986 = 3:  0b0b0f2b33 backend: add OAUTHBEARER SASL mechanism
4:  573a2ca3bc ! 4:  0e8ddadcbf Add pytest suite for OAuth
    @@ Commit message
         dependencies will be installed into ./venv for you. See the README for
         more details.
     
    +    For iddawc, asynchronous tests still hang, as expected. Bad-interval
    +    tests fail because iddawc apparently doesn't care that the interval is
    +    bad.
    +
      ## src/test/python/.gitignore (new) ##
     @@
     +__pycache__/
    @@ src/test/python/client/conftest.py (new)
     +import threading
     +
     +import psycopg2
    ++import psycopg2.extras
     +import pytest
     +
     +import pq3
    @@ src/test/python/client/conftest.py (new)
     +    def run(self):
     +        try:
     +            conn = psycopg2.connect(host="127.0.0.1", **self._kwargs)
    ++            self._pump_async(conn)
     +            conn.close()
     +        except Exception as e:
     +            self.exception = e
    @@ src/test/python/client/conftest.py (new)
     +            self.exception = None
     +            raise e
     +
    ++    def _pump_async(self, conn):
    ++        """
    ++        Polls a psycopg2 connection until it's completed. (Synchronous
    ++        connections will work here too; they'll just immediately return OK.)
    ++        """
    ++        psycopg2.extras.wait_select(conn)
    ++
     +
     +@pytest.fixture
     +def accept(server_socket):
    @@ src/test/python/client/conftest.py (new)
     +        return sock, client
     +
     +    yield factory
    -+    client.check_completed()
    ++
    ++    if client is not None:
    ++        client.check_completed()
     +
     +
     +@pytest.fixture
    @@ src/test/python/client/test_oauth.py (new)
     @@
     +#
     +# Copyright 2021 VMware, Inc.
    ++# Portions Copyright 2023 Timescale, Inc.
     +# SPDX-License-Identifier: PostgreSQL
     +#
     +
    @@ src/test/python/client/test_oauth.py (new)
     +import threading
     +import time
     +import urllib.parse
    ++from numbers import Number
     +
     +import psycopg2
     +import pytest
    @@ src/test/python/client/test_oauth.py (new)
     +    finish_handshake(conn)
     +
     +
    ++class RawResponse(str):
    ++    """
    ++    Returned by registered endpoint callbacks to take full control of the
    ++    response. Usually, return values are converted to JSON; a RawResponse body
    ++    will be passed to the client as-is, allowing endpoint implementations to
    ++    issue invalid JSON.
    ++    """
    ++
    ++    pass
    ++
    ++
     +class OpenIDProvider(threading.Thread):
     +    """
     +    A thread that runs a mock OpenID provider server.
    @@ src/test/python/client/test_oauth.py (new)
     +
     +    def run(self):
     +        try:
    -+            self.server.serve_forever()
    ++            # XXX socketserver.serve_forever() has a serious architectural
    ++            # issue: its select loop wakes up every `poll_interval` seconds to
    ++            # see if the server is shutting down. The default, 500 ms, only lets
    ++            # us run two tests every second. But the faster we go, the more CPU
    ++            # we burn unnecessarily...
    ++            self.server.serve_forever(poll_interval=0.01)
     +        except Exception as e:
     +            self.exception = e
     +
    @@ src/test/python/client/test_oauth.py (new)
     +            self.endpoint_paths = {}
     +            self._endpoints = {}
     +
    ++            # Provide a standard discovery document by default; tests can
    ++            # override it.
    ++            self.register_endpoint(
    ++                None,
    ++                "GET",
    ++                "/.well-known/openid-configuration",
    ++                self._default_discovery_handler,
    ++            )
    ++
     +        def register_endpoint(self, name, method, path, func):
     +            if method not in self._endpoints:
     +                self._endpoints[method] = {}
     +
     +            self._endpoints[method][path] = func
    -+            self.endpoint_paths[name] = path
    ++
    ++            if name is not None:
    ++                self.endpoint_paths[name] = path
     +
     +        def endpoint(self, method, path):
     +            if method not in self._endpoints:
    @@ src/test/python/client/test_oauth.py (new)
     +
     +            return self._endpoints[method].get(path)
     +
    ++        def _default_discovery_handler(self, headers, params):
    ++            doc = {
    ++                "issuer": self.issuer,
    ++                "response_types_supported": ["token"],
    ++                "subject_types_supported": ["public"],
    ++                "id_token_signing_alg_values_supported": ["RS256"],
    ++                "grant_types_supported": [
    ++                    "urn:ietf:params:oauth:grant-type:device_code"
    ++                ],
    ++            }
    ++
    ++            for name, path in self.endpoint_paths.items():
    ++                doc[name] = self.issuer + path
    ++
    ++            return 200, doc
    ++
     +    class _Server(http.server.HTTPServer):
     +        def handle_error(self, request, addr):
     +            self.shutdown_request(request)
    @@ src/test/python/client/test_oauth.py (new)
     +    class _Handler(http.server.BaseHTTPRequestHandler):
     +        timeout = BLOCKING_TIMEOUT
     +
    -+        def _discovery_handler(self, headers, params):
    -+            oauth = self.server.oauth
    -+
    -+            doc = {
    -+                "issuer": oauth.issuer,
    -+                "response_types_supported": ["token"],
    -+                "subject_types_supported": ["public"],
    -+                "id_token_signing_alg_values_supported": ["RS256"],
    -+            }
    -+
    -+            for name, path in oauth.endpoint_paths.items():
    -+                doc[name] = oauth.issuer + path
    -+
    -+            return 200, doc
    -+
     +        def _handle(self, *, params=None, handler=None):
     +            oauth = self.server.oauth
     +            assert self.headers["Host"] == oauth.host
    @@ src/test/python/client/test_oauth.py (new)
     +                    handler is not None
     +                ), f"no registered endpoint for {self.command} {self.path}"
     +
    -+            code, resp = handler(self.headers, params)
    ++            result = handler(self.headers, params)
    ++
    ++            if len(result) == 2:
    ++                headers = {"Content-Type": "application/json"}
    ++                code, resp = result
    ++            else:
    ++                code, headers, resp = result
     +
     +            self.send_response(code)
    -+            self.send_header("Content-Type", "application/json")
    ++            for h, v in headers.items():
    ++                self.send_header(h, v)
     +            self.end_headers()
     +
    -+            resp = json.dumps(resp)
    -+            resp = resp.encode("utf-8")
    -+            self.wfile.write(resp)
    ++            if resp is not None:
    ++                if not isinstance(resp, RawResponse):
    ++                    resp = json.dumps(resp)
    ++                resp = resp.encode("utf-8")
    ++                self.wfile.write(resp)
     +
     +            self.close_connection = True
     +
     +        def do_GET(self):
    -+            if self.path == "/.well-known/openid-configuration":
    -+                self._handle(handler=self._discovery_handler)
    -+                return
    -+
     +            self._handle()
     +
     +        def _request_body(self):
    @@ src/test/python/client/test_oauth.py (new)
     +@pytest.mark.parametrize("secret", [None, "", "hunter2"])
     +@pytest.mark.parametrize("scope", [None, "", "openid email"])
     +@pytest.mark.parametrize("retries", [0, 1])
    ++@pytest.mark.parametrize(
    ++    "asynchronous",
    ++    [
    ++        pytest.param(False, id="synchronous"),
    ++        pytest.param(True, id="asynchronous"),
    ++    ],
    ++)
     +def test_oauth_with_explicit_issuer(
    -+    capfd, accept, openid_provider, retries, scope, secret
    ++    capfd, accept, openid_provider, asynchronous, retries, scope, secret
     +):
     +    client_id = secrets.token_hex()
     +
    @@ src/test/python/client/test_oauth.py (new)
     +        oauth_client_id=client_id,
     +        oauth_client_secret=secret,
     +        oauth_scope=scope,
    ++        async_=asynchronous,
     +    )
     +
     +    device_code = secrets.token_hex()
    @@ src/test/python/client/test_oauth.py (new)
     +        assert expected in stderr
     +
     +
    -+def test_oauth_requires_client_id(accept, openid_provider):
    -+    sock, client = accept(
    -+        oauth_issuer=openid_provider.issuer,
    -+        # Do not set a client ID; this should cause a client error after the
    -+        # server asks for OAUTHBEARER and the client tries to contact the
    -+        # issuer.
    -+    )
    -+
    ++def expect_disconnected_handshake(sock):
    ++    """
    ++    Helper for any tests that expect the client to disconnect immediately after
    ++    being sent the OAUTHBEARER SASL method. Generally speaking, this requires
    ++    the client to have an oauth_issuer set so that it doesn't try to go through
    ++    discovery.
    ++    """
     +    with sock:
     +        with pq3.wrap(sock, debug_stream=sys.stdout) as conn:
     +            # Initiate a handshake.
    @@ src/test/python/client/test_oauth.py (new)
     +            # The client should disconnect at this point.
     +            assert not conn.read()
     +
    ++
    ++def test_oauth_requires_client_id(accept, openid_provider):
    ++    sock, client = accept(
    ++        oauth_issuer=openid_provider.issuer,
    ++        # Do not set a client ID; this should cause a client error after the
    ++        # server asks for OAUTHBEARER and the client tries to contact the
    ++        # issuer.
    ++    )
    ++
    ++    expect_disconnected_handshake(sock)
    ++
     +    expected_error = "no oauth_client_id is set"
     +    with pytest.raises(psycopg2.OperationalError, match=expected_error):
     +        client.check_completed()
    @@ src/test/python/client/test_oauth.py (new)
     +            finish_handshake(conn)
     +
     +
    ++def alt_patterns(*patterns):
    ++    """
    ++    Just combines multiple alternative regexes into one. It's not very efficient
    ++    but IMO it's easier to read and maintain.
    ++    """
    ++    pat = ""
    ++
    ++    for p in patterns:
    ++        if pat:
    ++            pat += "|"
    ++        pat += f"({p})"
    ++
    ++    return pat
    ++
    ++
     +@pytest.mark.parametrize(
     +    "failure_mode, error_pattern",
     +    [
     +        pytest.param(
    -+            {
    -+                "error": "invalid_client",
    -+                "error_description": "client authentication failed",
    -+            },
    -+            r"client authentication failed \(invalid_client\)",
    ++            (
    ++                400,
    ++                {
    ++                    "error": "invalid_client",
    ++                    "error_description": "client authentication failed",
    ++                },
    ++            ),
    ++            r"failed to obtain device authorization: client authentication failed \(invalid_client\)",
     +            id="authentication failure with description",
     +        ),
     +        pytest.param(
    -+            {"error": "invalid_request"},
    -+            r"\(invalid_request\)",
    ++            (400, {"error": "invalid_request"}),
    ++            r"failed to obtain device authorization: \(invalid_request\)",
     +            id="invalid request without description",
     +        ),
     +        pytest.param(
    -+            {},
    -+            r"failed to obtain device authorization",
    ++            (400, {}),
    ++            alt_patterns(
    ++                r'failed to parse token error response: field "error" is missing',
    ++                r"failed to obtain device authorization: \(iddawc error I_ERROR_PARAM\)",
    ++            ),
     +            id="broken error response",
     +        ),
    ++        pytest.param(
    ++            (200, RawResponse(r'{ "interval": 3.5.8 }')),
    ++            alt_patterns(
    ++                r"failed to parse device authorization: Token .* is invalid",
    ++                r"failed to obtain device authorization: \(iddawc error I_ERROR\)",
    ++            ),
    ++            id="non-numeric interval",
    ++        ),
    ++        pytest.param(
    ++            (200, RawResponse(r'{ "interval": 08 }')),
    ++            alt_patterns(
    ++                r"failed to parse device authorization: Token .* is invalid",
    ++                r"failed to obtain device authorization: \(iddawc error I_ERROR\)",
    ++            ),
    ++            id="invalid numeric interval",
    ++        ),
     +    ],
     +)
     +def test_oauth_device_authorization_failures(
    @@ src/test/python/client/test_oauth.py (new)
     +    # any unprotected state mutation here.
     +
     +    def authorization_endpoint(headers, params):
    -+        return 400, failure_mode
    ++        return failure_mode
     +
     +    openid_provider.register_endpoint(
     +        "device_authorization_endpoint", "POST", "/device", authorization_endpoint
    @@ src/test/python/client/test_oauth.py (new)
     +        "token_endpoint", "POST", "/token", token_endpoint
     +    )
     +
    -+    with sock:
    -+        with pq3.wrap(sock, debug_stream=sys.stdout) as conn:
    -+            # Initiate a handshake, which should result in the above endpoints
    -+            # being called.
    -+            startup = pq3.recv1(conn, cls=pq3.Startup)
    -+            assert startup.proto == pq3.protocol(3, 0)
    ++    expect_disconnected_handshake(sock)
     +
    -+            pq3.send(
    -+                conn,
    -+                pq3.types.AuthnRequest,
    -+                type=pq3.authn.SASL,
    -+                body=[b"OAUTHBEARER", b""],
    -+            )
    ++    # Now make sure the client correctly failed.
    ++    with pytest.raises(psycopg2.OperationalError, match=error_pattern):
    ++        client.check_completed()
     +
    -+            # The client should not continue the connection due to the hardcoded
    -+            # provider failure; we disconnect here.
    ++
    ++Missing = object()  # sentinel for test_oauth_device_authorization_bad_json()
    ++
    ++
    ++@pytest.mark.parametrize(
    ++    "bad_value",
    ++    [
    ++        pytest.param({"device_code": 3}, id="object"),
    ++        pytest.param([1, 2, 3], id="array"),
    ++        pytest.param("some string", id="string"),
    ++        pytest.param(4, id="numeric"),
    ++        pytest.param(False, id="boolean"),
    ++        pytest.param(None, id="null"),
    ++        pytest.param(Missing, id="missing"),
    ++    ],
    ++)
    ++@pytest.mark.parametrize(
    ++    "field_name,ok_type,required",
    ++    [
    ++        ("device_code", str, True),
    ++        ("user_code", str, True),
    ++        ("verification_uri", str, True),
    ++        ("interval", int, False),
    ++    ],
    ++)
    ++def test_oauth_device_authorization_bad_json_schema(
    ++    accept, openid_provider, field_name, ok_type, required, bad_value
    ++):
    ++    # To make the test matrix easy, just skip the tests that aren't actually
    ++    # interesting (field of the correct type, missing optional field).
    ++    if bad_value is Missing and not required:
    ++        pytest.skip("not interesting: optional field")
    ++    elif type(bad_value) == ok_type:  # not isinstance(), because bool is an int
    ++        pytest.skip("not interesting: correct type")
    ++
    ++    sock, client = accept(
    ++        oauth_issuer=openid_provider.issuer,
    ++        oauth_client_id=secrets.token_hex(),
    ++    )
    ++
    ++    # Set up our provider callbacks.
    ++    # NOTE that these callbacks will be called on a background thread. Don't do
    ++    # any unprotected state mutation here.
    ++
    ++    def authorization_endpoint(headers, params):
    ++        # Begin with an acceptable base response...
    ++        resp = {
    ++            "device_code": "my-device-code",
    ++            "user_code": "my-user-code",
    ++            "interval": 0,
    ++            "verification_uri": "https://example.com",
    ++            "expires_in": 5,
    ++        }
    ++
    ++        # ...then tweak it so the client fails.
    ++        if bad_value is Missing:
    ++            del resp[field_name]
    ++        else:
    ++            resp[field_name] = bad_value
    ++
    ++        return 200, resp
    ++
    ++    openid_provider.register_endpoint(
    ++        "device_authorization_endpoint", "POST", "/device", authorization_endpoint
    ++    )
    ++
    ++    def token_endpoint(headers, params):
    ++        assert False, "token endpoint was invoked unexpectedly"
    ++
    ++    openid_provider.register_endpoint(
    ++        "token_endpoint", "POST", "/token", token_endpoint
    ++    )
    ++
    ++    expect_disconnected_handshake(sock)
     +
     +    # Now make sure the client correctly failed.
    ++    if bad_value is Missing:
    ++        error_pattern = f'field "{field_name}" is missing'
    ++    elif ok_type == str:
    ++        error_pattern = f'field "{field_name}" must be a string'
    ++    elif ok_type == int:
    ++        error_pattern = f'field "{field_name}" must be a number'
    ++    else:
    ++        assert False, "update error_pattern for new failure mode"
    ++
    ++    # XXX iddawc doesn't really check for problems in the device authorization
    ++    # response, leading to this patchwork:
    ++    if field_name == "verification_uri":
    ++        error_pattern = alt_patterns(
    ++            error_pattern,
    ++            "issuer did not provide a verification URI",
    ++        )
    ++    elif field_name == "user_code":
    ++        error_pattern = alt_patterns(
    ++            error_pattern,
    ++            "issuer did not provide a user code",
    ++        )
    ++    else:
    ++        error_pattern = alt_patterns(
    ++            error_pattern,
    ++            r"failed to obtain access token: \(iddawc error I_ERROR_PARAM\)",
    ++        )
    ++
     +    with pytest.raises(psycopg2.OperationalError, match=error_pattern):
     +        client.check_completed()
     +
    @@ src/test/python/client/test_oauth.py (new)
     +    "failure_mode, error_pattern",
     +    [
     +        pytest.param(
    -+            {
    -+                "error": "expired_token",
    -+                "error_description": "the device code has expired",
    -+            },
    -+            r"the device code has expired \(expired_token\)",
    ++            (
    ++                400,
    ++                {
    ++                    "error": "expired_token",
    ++                    "error_description": "the device code has expired",
    ++                },
    ++            ),
    ++            r"failed to obtain access token: the device code has expired \(expired_token\)",
     +            id="expired token with description",
     +        ),
     +        pytest.param(
    -+            {"error": "access_denied"},
    -+            r"\(access_denied\)",
    ++            (400, {"error": "access_denied"}),
    ++            r"failed to obtain access token: \(access_denied\)",
     +            id="access denied without description",
     +        ),
     +        pytest.param(
    -+            {},
    -+            r"OAuth token retrieval failed",
    -+            id="broken error response",
    ++            (400, {}),
    ++            alt_patterns(
    ++                r'failed to parse token error response: field "error" is missing',
    ++                r"failed to obtain access token: \(iddawc error I_ERROR_PARAM\)",
    ++            ),
    ++            id="empty error response",
    ++        ),
    ++        pytest.param(
    ++            (200, {}, {}),
    ++            alt_patterns(
    ++                r"failed to parse access token response: no content type was provided",
    ++                r"failed to obtain access token: \(iddawc error I_ERROR\)",
    ++            ),
    ++            id="missing content type",
    ++        ),
    ++        pytest.param(
    ++            (200, {"Content-Type": "text/plain"}, {}),
    ++            alt_patterns(
    ++                r"failed to parse access token response: unexpected content type",
    ++                r"failed to obtain access token: \(iddawc error I_ERROR\)",
    ++            ),
    ++            id="wrong content type",
     +        ),
     +    ],
     +)
    @@ src/test/python/client/test_oauth.py (new)
     +    )
     +
     +    retry_lock = threading.Lock()
    ++    final_sent = False
     +
     +    def token_endpoint(headers, params):
     +        with retry_lock:
    -+            nonlocal retries
    ++            nonlocal retries, final_sent
     +
     +            # If the test wants to force the client to retry, return an
     +            # authorization_pending response and decrement the retry count.
    @@ src/test/python/client/test_oauth.py (new)
     +                retries -= 1
     +                return 400, {"error": "authorization_pending"}
     +
    -+        return 400, failure_mode
    ++            # We should only return our failure_mode response once; any further
    ++            # requests indicate that the client isn't correctly bailing out.
    ++            assert not final_sent, "client continued after token error"
    ++
    ++            final_sent = True
    ++
    ++        return failure_mode
     +
     +    openid_provider.register_endpoint(
     +        "token_endpoint", "POST", "/token", token_endpoint
     +    )
     +
    -+    with sock:
    -+        with pq3.wrap(sock, debug_stream=sys.stdout) as conn:
    -+            # Initiate a handshake, which should result in the above endpoints
    -+            # being called.
    -+            startup = pq3.recv1(conn, cls=pq3.Startup)
    -+            assert startup.proto == pq3.protocol(3, 0)
    ++    expect_disconnected_handshake(sock)
     +
    -+            pq3.send(
    -+                conn,
    -+                pq3.types.AuthnRequest,
    -+                type=pq3.authn.SASL,
    -+                body=[b"OAUTHBEARER", b""],
    -+            )
    ++    # Now make sure the client correctly failed.
    ++    with pytest.raises(psycopg2.OperationalError, match=error_pattern):
    ++        client.check_completed()
     +
    -+            # The client should not continue the connection due to the hardcoded
    -+            # provider failure; we disconnect here.
    ++
    ++@pytest.mark.parametrize(
    ++    "bad_value",
    ++    [
    ++        pytest.param({"device_code": 3}, id="object"),
    ++        pytest.param([1, 2, 3], id="array"),
    ++        pytest.param("some string", id="string"),
    ++        pytest.param(4, id="numeric"),
    ++        pytest.param(False, id="boolean"),
    ++        pytest.param(None, id="null"),
    ++        pytest.param(Missing, id="missing"),
    ++    ],
    ++)
    ++@pytest.mark.parametrize(
    ++    "field_name,ok_type,required",
    ++    [
    ++        ("access_token", str, True),
    ++        ("token_type", str, True),
    ++    ],
    ++)
    ++def test_oauth_token_bad_json_schema(
    ++    accept, openid_provider, field_name, ok_type, required, bad_value
    ++):
    ++    # To make the test matrix easy, just skip the tests that aren't actually
    ++    # interesting (field of the correct type, missing optional field).
    ++    if bad_value is Missing and not required:
    ++        pytest.skip("not interesting: optional field")
    ++    elif type(bad_value) == ok_type:  # not isinstance(), because bool is an int
    ++        pytest.skip("not interesting: correct type")
    ++
    ++    sock, client = accept(
    ++        oauth_issuer=openid_provider.issuer,
    ++        oauth_client_id=secrets.token_hex(),
    ++    )
    ++
    ++    # Set up our provider callbacks.
    ++    # NOTE that these callbacks will be called on a background thread. Don't do
    ++    # any unprotected state mutation here.
    ++
    ++    def authorization_endpoint(headers, params):
    ++        resp = {
    ++            "device_code": "my-device-code",
    ++            "user_code": "my-user-code",
    ++            "interval": 0,
    ++            "verification_uri": "https://example.com",
    ++            "expires_in": 5,
    ++        }
    ++
    ++        return 200, resp
    ++
    ++    openid_provider.register_endpoint(
    ++        "device_authorization_endpoint", "POST", "/device", authorization_endpoint
    ++    )
    ++
    ++    def token_endpoint(headers, params):
    ++        # Begin with an acceptable base response...
    ++        resp = {
    ++            "access_token": secrets.token_urlsafe(),
    ++            "token_type": "bearer",
    ++        }
    ++
    ++        # ...then tweak it so the client fails.
    ++        if bad_value is Missing:
    ++            del resp[field_name]
    ++        else:
    ++            resp[field_name] = bad_value
    ++
    ++        return 200, resp
    ++
    ++    openid_provider.register_endpoint(
    ++        "token_endpoint", "POST", "/token", token_endpoint
    ++    )
    ++
    ++    expect_disconnected_handshake(sock)
     +
     +    # Now make sure the client correctly failed.
    ++    error_pattern = "failed to parse access token response: "
    ++    if bad_value is Missing:
    ++        error_pattern += f'field "{field_name}" is missing'
    ++    elif ok_type == str:
    ++        error_pattern += f'field "{field_name}" must be a string'
    ++    elif ok_type == int:
    ++        error_pattern += f'field "{field_name}" must be a number'
    ++    else:
    ++        assert False, "update error_pattern for new failure mode"
    ++
    ++    # XXX iddawc is fairly silent on the topic.
    ++    error_pattern = alt_patterns(
    ++        error_pattern,
    ++        r"failed to obtain access token: \(iddawc error I_ERROR_PARAM\)",
    ++    )
    ++
     +    with pytest.raises(psycopg2.OperationalError, match=error_pattern):
     +        client.check_completed()
     +
    @@ src/test/python/client/test_oauth.py (new)
     +
     +
     +@pytest.mark.parametrize(
    ++    "bad_response,expected_error",
    ++    [
    ++        pytest.param(
    ++            (200, {"Content-Type": "text/plain"}, {}),
    ++            r'failed to parse OpenID discovery document: unexpected content type "text/plain"',
    ++            id="not JSON",
    ++        ),
    ++        pytest.param(
    ++            (200, {}, {}),
    ++            r"failed to parse OpenID discovery document: no content type was provided",
    ++            id="no Content-Type",
    ++        ),
    ++        pytest.param(
    ++            (204, {}, None),
    ++            r"failed to fetch OpenID discovery document: unexpected response code 204",
    ++            id="no content",
    ++        ),
    ++        pytest.param(
    ++            (301, {"Location": "https://localhost/"}, None),
    ++            r"failed to fetch OpenID discovery document: unexpected response code 301",
    ++            id="redirection",
    ++        ),
    ++        pytest.param(
    ++            (404, {}),
    ++            r"failed to fetch OpenID discovery document: unexpected response code 404",
    ++            id="not found",
    ++        ),
    ++        pytest.param(
    ++            (200, RawResponse("blah\x00blah")),
    ++            r"failed to parse OpenID discovery document: response contains embedded NULLs",
    ++            id="NULL bytes in document",
    ++        ),
    ++        pytest.param(
    ++            (200, 123),
    ++            r"failed to parse OpenID discovery document: top-level element must be an object",
    ++            id="scalar at top level",
    ++        ),
    ++        pytest.param(
    ++            (200, []),
    ++            r"failed to parse OpenID discovery document: top-level element must be an object",
    ++            id="array at top level",
    ++        ),
    ++        pytest.param(
    ++            (200, RawResponse("{")),
    ++            r"failed to parse OpenID discovery document.* input string ended unexpectedly",
    ++            id="unclosed object",
    ++        ),
    ++        pytest.param(
    ++            (200, RawResponse(r'{ "hello": ] }')),
    ++            r"failed to parse OpenID discovery document.* Expected JSON value",
    ++            id="bad array",
    ++        ),
    ++        pytest.param(
    ++            (200, {"issuer": 123}),
    ++            r'failed to parse OpenID discovery document: field "issuer" must be a string',
    ++            id="non-string issuer",
    ++        ),
    ++        pytest.param(
    ++            (200, {"issuer": ["something"]}),
    ++            r'failed to parse OpenID discovery document: field "issuer" must be a string',
    ++            id="issuer array",
    ++        ),
    ++        pytest.param(
    ++            (200, {"issuer": {}}),
    ++            r'failed to parse OpenID discovery document: field "issuer" must be a string',
    ++            id="issuer object",
    ++        ),
    ++        pytest.param(
    ++            (200, {"grant_types_supported": 123}),
    ++            r'failed to parse OpenID discovery document: field "grant_types_supported" must be an array of strings',
    ++            id="scalar grant types field",
    ++        ),
    ++        pytest.param(
    ++            (200, {"grant_types_supported": {}}),
    ++            r'failed to parse OpenID discovery document: field "grant_types_supported" must be an array of strings',
    ++            id="object grant types field",
    ++        ),
    ++        pytest.param(
    ++            (200, {"grant_types_supported": [123]}),
    ++            r'failed to parse OpenID discovery document: field "grant_types_supported" must be an array of strings',
    ++            id="non-string grant types",
    ++        ),
    ++        pytest.param(
    ++            (200, {"grant_types_supported": ["something", 123]}),
    ++            r'failed to parse OpenID discovery document: field "grant_types_supported" must be an array of strings',
    ++            id="non-string grant types later in the list",
    ++        ),
    ++        pytest.param(
    ++            (200, {"grant_types_supported": ["something", {}]}),
    ++            r'failed to parse OpenID discovery document: field "grant_types_supported" must be an array of strings',
    ++            id="object grant types later in the list",
    ++        ),
    ++        pytest.param(
    ++            (200, {"grant_types_supported": ["something", ["something"]]}),
    ++            r'failed to parse OpenID discovery document: field "grant_types_supported" must be an array of strings',
    ++            id="embedded array grant types later in the list",
    ++        ),
    ++        pytest.param(
    ++            (
    ++                200,
    ++                {
    ++                    "grant_types_supported": ["something"],
    ++                    "token_endpoint": "https://example.com/",
    ++                    "issuer": 123,
    ++                },
    ++            ),
    ++            r'failed to parse OpenID discovery document: field "issuer" must be a string',
    ++            id="non-string issuer after other valid fields",
    ++        ),
    ++        pytest.param(
    ++            (
    ++                200,
    ++                {
    ++                    "ignored": {"grant_types_supported": 123, "token_endpoint": 123},
    ++                    "issuer": 123,
    ++                },
    ++            ),
    ++            r'failed to parse OpenID discovery document: field "issuer" must be a string',
    ++            id="non-string issuer after other ignored fields",
    ++        ),
    ++        pytest.param(
    ++            (200, {"token_endpoint": "https://example.com/"}),
    ++            r'failed to parse OpenID discovery document: field "issuer" is missing',
    ++            id="missing issuer",
    ++        ),
    ++        pytest.param(
    ++            (200, {"issuer": "https://example.com/"}),
    ++            r'failed to parse OpenID discovery document: field "token_endpoint" is missing',
    ++            id="missing token endpoint",
    ++        ),
    ++        pytest.param(
    ++            (
    ++                200,
    ++                {
    ++                    "issuer": "https://example.com",
    ++                    "token_endpoint": "https://example.com/token",
    ++                    "device_authorization_endpoint": "https://example.com/dev",
    ++                },
    ++            ),
    ++            r'cannot run OAuth device authorization: issuer "https://example.com" does not support device code grants',
    ++            id="missing device code grants",
    ++        ),
    ++        pytest.param(
    ++            (
    ++                200,
    ++                {
    ++                    "issuer": "https://example.com",
    ++                    "token_endpoint": "https://example.com/token",
    ++                    "grant_types_supported": [
    ++                        "urn:ietf:params:oauth:grant-type:device_code"
    ++                    ],
    ++                },
    ++            ),
    ++            r'cannot run OAuth device authorization: issuer "https://example.com" does not provide a device authorization endpoint',
    ++            id="missing device_authorization_endpoint",
    ++        ),
    ++        #
    ++        # Exercise HTTP-level failures by breaking the protocol. Note that the
    ++        # error messages here are implementation-dependent.
    ++        #
    ++        pytest.param(
    ++            (1000, {}),
    ++            r"failed to fetch OpenID discovery document: Unsupported protocol \(.*\)",
    ++            id="invalid HTTP response code",
    ++        ),
    ++        pytest.param(
    ++            (200, {"Content-Length": -1}, {}),
    ++            r"failed to fetch OpenID discovery document: Weird server reply \(.*Content-Length.*\)",
    ++            id="bad HTTP Content-Length",
    ++        ),
    ++    ],
    ++)
    ++def test_oauth_discovery_provider_failure(
    ++    accept, openid_provider, bad_response, expected_error
    ++):
    ++    sock, client = accept(
    ++        oauth_issuer=openid_provider.issuer,
    ++        oauth_client_id=secrets.token_hex(),
    ++    )
    ++
    ++    def failing_discovery_handler(headers, params):
    ++        return bad_response
    ++
    ++    openid_provider.register_endpoint(
    ++        None,
    ++        "GET",
    ++        "/.well-known/openid-configuration",
    ++        failing_discovery_handler,
    ++    )
    ++
    ++    expect_disconnected_handshake(sock)
    ++
    ++    # XXX iddawc doesn't differentiate...
    ++    expected_error = alt_patterns(
    ++        expected_error,
    ++        r"failed to fetch OpenID discovery document \(iddawc error I_ERROR(_PARAM)?\)",
    ++    )
    ++
    ++    with pytest.raises(psycopg2.OperationalError, match=expected_error):
    ++        client.check_completed()
    ++
    ++
    ++@pytest.mark.parametrize(
     +    "sasl_err,resp_type,resp_payload,expected_error",
     +    [
     +        pytest.param(
    @@ src/test/python/client/test_oauth.py (new)
     +            "server sent additional OAuth data",
     +            id="broken server: SASL success after error",
     +        ),
    ++        pytest.param(
    ++            {"status": "invalid_request"},
    ++            pq3.types.AuthnRequest,
    ++            dict(type=pq3.authn.SASL, body=[b"OAUTHBEARER", b""]),
    ++            "duplicate SASL authentication request",
    ++            id="broken server: SASL reinitialization after error",
    ++        ),
     +    ],
     +)
     +def test_oauth_server_error(accept, sasl_err, resp_type, resp_payload, expected_error):
5:  4490d029b5 ! 5:  65c319a6a3 squash! Add pytest suite for OAuth
    @@ .cirrus.yml: task:
          sysctl kern.corefile='/tmp/cores/%N.%P.core'
        setup_additional_packages_script: |
     -    #pkg install -y ...
    -+    pkg install -y iddawc
    ++    pkg install -y curl
      
        # NB: Intentionally build without -Dllvm. The freebsd image size is already
        # large enough to make VM startup slow, and even without llvm freebsd
    @@ .cirrus.yml: task:
              --buildtype=debug \
              -Dcassert=true -Duuid=bsd -Dtcl_version=tcl86 -Ddtrace=auto \
              -DPG_TEST_EXTRA="$PG_TEST_EXTRA" \
    -+        -Doauth=enabled \
    ++        -Doauth=curl \
              -Dextra_lib_dirs=/usr/local/lib -Dextra_include_dirs=/usr/local/include/ \
              build
          EOF
    @@ .cirrus.yml: LINUX_CONFIGURE_FEATURES: &LINUX_CONFIGURE_FEATURES >-
        --with-libxslt
        --with-llvm
        --with-lz4
    -+  --with-oauth
    ++  --with-oauth=curl
        --with-pam
        --with-perl
        --with-python
    @@ .cirrus.yml: LINUX_CONFIGURE_FEATURES: &LINUX_CONFIGURE_FEATURES >-
      
      LINUX_MESON_FEATURES: &LINUX_MESON_FEATURES >-
        -Dllvm=enabled
    -+  -Doauth=enabled
    ++  -Doauth=curl
        -Duuid=e2fs
      
      
    @@ .cirrus.yml: task:
     -    #DEBIAN_FRONTEND=noninteractive apt-get -y install ...
     +    apt-get update
     +    DEBIAN_FRONTEND=noninteractive apt-get -y install \
    -+      libiddawc-dev \
    -+      libiddawc-dev:i386 \
    ++      libcurl4-openssl-dev \
    ++      libcurl4-openssl-dev:i386 \
     +      python3-venv \
      
        matrix:
    @@ .cirrus.yml: task:
     -    #apt-get update
     -    #DEBIAN_FRONTEND=noninteractive apt-get -y install ...
     +    apt-get update
    -+    DEBIAN_FRONTEND=noninteractive apt-get -y install libiddawc-dev
    ++    DEBIAN_FRONTEND=noninteractive apt-get -y install libcurl4-openssl-dev
      
        ###
        # Test that code can be built with gcc/clang without warnings
    @@ meson.build: foreach test_dir : tests
     +      test_group = test_dir['name']
     +      test_output = test_result_dir / test_group / kind
     +      test_kwargs = {
    -+        'protocol': 'tap',
    ++        #'protocol': 'tap',
     +        'suite': test_group,
     +        'timeout': 1000,
     +        'depends': test_deps,
    @@ meson.build: foreach test_dir : tests
     +      pytest = venv_path / 'bin' / 'py.test'
     +      test_command = [
     +        pytest,
    ++        # Avoid running these tests against an existing database.
    ++        '--temp-instance', test_output / 'tmp_check',
    ++
     +        # FIXME pytest-tap's stream feature accidentally suppresses errors that
     +        # are critical for debugging:
     +        #     https://github.com/python-tap/pytest-tap/issues/30
    -+        # Fix -- or maybe don't use the meson TAP protocol for now?
    -+        '--tap-stream',
    -+        # Avoid running these tests against an existing database.
    -+        '--temp-instance', test_output / 'tmp_check',
    ++        # Don't use the meson TAP protocol for now...
    ++        #'--tap-stream',
     +      ]
     +
     +      foreach pyt : t['tests']
    @@ src/test/python/client/test_oauth.py: import pq3
     +# The client tests need libpq to have been compiled with OAuth support; skip
     +# them otherwise.
     +pytestmark = pytest.mark.skipif(
    -+    os.getenv("with_oauth") == "no",
    ++    os.getenv("with_oauth") == "none",
     +    reason="OAuth client tests require --with-oauth support",
     +)
     +
    @@ src/test/python/meson.build (new)
     +      './test_pq3.py',
     +    ],
     +    'env': {
    -+      'with_oauth': oauth.found() ? 'yes' : 'no',
    ++      'with_oauth': oauth_library,
     +
     +      # Point to the default database; the tests will create their own databases
     +      # as needed.

1:  6434d90105 = 1:  9c6a340119 common/jsonapi: support FRONTEND clients
2:  13ddf2b6b3 ! 2:  8072d0416e libpq: add OAUTHBEARER SASL mechanism
    @@ Commit message
         development headers. Pass `curl` or `iddawc` to --with-oauth/-Doauth
         during configuration.
     
    +    Thomas Munro wrote the kqueue() implementation for oauth-curl; thanks!
    +
         Several TODOs:
         - don't retry forever if the server won't accept our token
         - perform several sanity checks on the OAuth issuer's responses
    @@ meson.build: if meson.version().version_compare('>=0.57')
            'plperl': perl_dep,
     
      ## meson_options.txt ##
    -@@ meson_options.txt: option('lz4', type : 'feature', value: 'auto',
    +@@ meson_options.txt: option('lz4', type: 'feature', value: 'auto',
      option('nls', type: 'feature', value: 'auto',
    -   description: 'native language support')
    +   description: 'Native language support')
      
     +option('oauth', type : 'combo', choices : ['auto', 'none', 'curl', 'iddawc'],
     +  value: 'auto',
     +  description: 'use LIB for OAuth 2.0 support (curl, iddawc)')
     +
    - option('pam', type : 'feature', value: 'auto',
    -   description: 'build with PAM support')
    + option('pam', type: 'feature', value: 'auto',
    +   description: 'PAM support')
      
     
      ## src/Makefile.global.in ##
    @@ src/Makefile.global.in: with_ldap	= @with_ldap@
     
      ## src/common/meson.build ##
     @@ src/common/meson.build: common_sources_frontend_static += files(
    - # For the server build of pgcommon, depend on lwlocknames_h, because at least
    - # cryptohash_openssl.c, hmac_openssl.c depend on it. That's arguably a
    + # least cryptohash_openssl.c, hmac_openssl.c depend on it.
    + # controldata_utils.c depends on wait_event_types_h. That's arguably a
      # layering violation, but ...
     +#
     +# XXX Frontend builds need libpq's pqexpbuffer.h, so adjust the include paths
    @@ src/common/meson.build: common_sources_frontend_static += files(
      pgcommon_variants = {
        '_srv': internal_lib_args + {
     +    'include_directories': include_directories('.'),
    -     'sources': common_sources + [lwlocknames_h],
    +     'sources': common_sources + [lwlocknames_h] + [wait_event_types_h],
          'dependencies': [backend_common_code],
        },
        '': default_lib_args + {
    @@ src/interfaces/libpq/fe-auth-oauth-curl.c (new)
     +
     +#include <curl/curl.h>
     +#include <math.h>
    ++#ifdef HAVE_SYS_EPOLL_H
     +#include <sys/epoll.h>
     +#include <sys/timerfd.h>
    ++#endif
    ++#ifdef HAVE_SYS_EVENT_H
    ++#include <sys/event.h>
    ++#endif
     +#include <unistd.h>
     +
     +#include "common/jsonapi.h"
    @@ src/interfaces/libpq/fe-auth-oauth-curl.c (new)
     +#include "libpq-int.h"
     +#include "mb/pg_wchar.h"
     +
    ++#ifdef HAVE_SYS_EVENT_H
    ++/* macOS doesn't define the time unit macros, but uses milliseconds by default. */
    ++#ifndef NOTE_MSECONDS
    ++#define NOTE_MSECONDS 0
    ++#endif
    ++#endif
    ++
     +/*
     + * Parsed JSON Representations
     + *
    @@ src/interfaces/libpq/fe-auth-oauth-curl.c (new)
     +{
     +	OAuthStep	step;		/* where are we in the flow? */
     +
    ++#ifdef HAVE_SYS_EPOLL_H
     +	int			timerfd;	/* a timerfd for signaling async timeouts */
    ++#endif
     +	pgsocket	mux;		/* the multiplexer socket containing all descriptors
     +							   tracked by cURL, plus the timerfd */
     +	CURLM	   *curlm;		/* top-level multi handle for cURL operations */
    @@ src/interfaces/libpq/fe-auth-oauth-curl.c (new)
     +
     +	if (actx->mux != PGINVALID_SOCKET)
     +		close(actx->mux);
    ++#ifdef HAVE_SYS_EPOLL_H
     +	if (actx->timerfd >= 0)
     +		close(actx->timerfd);
    ++#endif
     +
     +	free(actx);
     +}
    @@ src/interfaces/libpq/fe-auth-oauth-curl.c (new)
     + * Sets up the actx->mux, which is the altsock that PQconnectPoll clients will
     + * select() on instead of the Postgres socket during OAuth negotiation.
     + *
    -+ * This is just an epoll set abstracting multiple other descriptors. A timerfd
    -+ * is always part of the set; it's just disabled when we're not using it.
    ++ * This is just an epoll set or kqueue abstracting multiple other descriptors.
    ++ * A timerfd is always part of the set when using epoll; it's just disabled
    ++ * when we're not using it.
     + */
     +static bool
     +setup_multiplexer(struct async_ctx *actx)
     +{
    ++#ifdef HAVE_SYS_EPOLL_H
     +	struct epoll_event ev = {.events = EPOLLIN};
     +
     +	actx->mux = epoll_create1(EPOLL_CLOEXEC);
    @@ src/interfaces/libpq/fe-auth-oauth-curl.c (new)
     +	}
     +
     +	return true;
    ++#endif
    ++#ifdef HAVE_SYS_EVENT_H
    ++	actx->mux = kqueue();
    ++	if (actx->mux < 0)
    ++	{
    ++		actx_error(actx, "failed to create kqueue: %m");
    ++		return false;
    ++	}
    ++
    ++	return true;
    ++#endif
    ++
    ++	actx_error(actx, "here's a nickel kid, get yourself a better computer");
    ++	return false;
     +}
     +
     +/*
    -+ * Adds and removes sockets from the multiplexer epoll set, as directed by the
    ++ * Adds and removes sockets from the multiplexer set, as directed by the
     + * cURL multi handle.
     + */
     +static int
     +register_socket(CURL *curl, curl_socket_t socket, int what, void *ctx,
     +				void *socketp)
     +{
    ++#ifdef HAVE_SYS_EPOLL_H
     +	struct async_ctx *actx = ctx;
     +	struct epoll_event ev = {0};
     +	int			res;
    @@ src/interfaces/libpq/fe-auth-oauth-curl.c (new)
     +
     +		return -1;
     +	}
    ++#endif
    ++#ifdef HAVE_SYS_EVENT_H
    ++	struct async_ctx *actx = ctx;
    ++	struct kevent ev[2] = {{0}};
    ++	struct kevent ev_out[2];
    ++	struct timespec timeout = {0};
    ++	int			nev = 0;
    ++	int			res;
    ++
    ++	switch (what)
    ++	{
    ++		case CURL_POLL_IN:
    ++			EV_SET(&ev[nev], socket, EVFILT_READ, EV_ADD, 0, 0, 0);
    ++			nev++;
    ++			break;
    ++
    ++		case CURL_POLL_OUT:
    ++			EV_SET(&ev[nev], socket, EVFILT_WRITE, EV_ADD, 0, 0, 0);
    ++			nev++;
    ++			break;
    ++
    ++		case CURL_POLL_INOUT:
    ++			EV_SET(&ev[nev], socket, EVFILT_READ, EV_ADD, 0, 0, 0);
    ++			nev++;
    ++			EV_SET(&ev[nev], socket, EVFILT_WRITE, EV_ADD, 0, 0, 0);
    ++			nev++;
    ++			break;
    ++
    ++		case CURL_POLL_REMOVE:
    ++			/*
    ++			 * We don't know which of these is currently registered, perhaps
    ++			 * both, so we try to remove both.  This means we need to tolerate
    ++			 * ENOENT below.
    ++			 */
    ++			EV_SET(&ev[nev], socket, EVFILT_READ, EV_DELETE, 0, 0, 0);
    ++			nev++;
    ++			EV_SET(&ev[nev], socket, EVFILT_WRITE, EV_DELETE, 0, 0, 0);
    ++			nev++;
    ++			break;
    ++
    ++		default:
    ++			actx_error(actx, "unknown cURL socket operation (%d)", what);
    ++			return -1;
    ++	}
    ++
    ++	res = kevent(actx->mux, ev, nev, ev_out, lengthof(ev_out), &timeout);
    ++	if (res < 0)
    ++	{
    ++		actx_error(actx, "could not modify kqueue: %m");
    ++		return -1;
    ++	}
    ++
    ++	/*
    ++	 * We can't use the simple errno version of kevent, because we need to skip
    ++	 * over ENOENT while still allowing a second change to be processed.  So we
    ++	 * need a longer-form error checking loop.
    ++	 */
    ++	for (int i = 0; i < res; ++i)
    ++	{
    ++		if (ev_out[i].flags & EV_ERROR && ev_out[i].data != ENOENT)
    ++		{
    ++			errno = ev_out[i].data;
    ++			switch (what)
    ++			{
    ++			case CURL_POLL_REMOVE:
    ++				actx_error(actx, "could not delete from kqueue: %m");
    ++				break;
    ++			default:
    ++				actx_error(actx, "could not add to kqueue: %m");
    ++			}
    ++			return -1;
    ++		}
    ++	}
    ++#endif
     +
     +	return 0;
     +}
     +
     +/*
    -+ * Adds or removes timeouts from the multiplexer epoll set, as directed by the
    -+ * cURL multi handle. Rather than continually adding and removing the timerfd,
    -+ * we keep it in the epoll set at all times and just disarm it when it's not
    ++ * Adds or removes timeouts from the multiplexer set, as directed by the
    ++ * cURL multi handle. Rather than continually adding and removing the timer,
    ++ * we keep it in the set at all times and just disarm it when it's not
     + * needed.
     + */
     +static int
     +register_timer(CURLM *curlm, long timeout, void *ctx)
     +{
    ++#if HAVE_SYS_EPOLL_H
     +	struct async_ctx *actx = ctx;
     +	struct itimerspec spec = {0};
     +
    @@ src/interfaces/libpq/fe-auth-oauth-curl.c (new)
     +		actx_error(actx, "setting timerfd to %ld: %m", timeout);
     +		return -1;
     +	}
    ++#endif
    ++#ifdef HAVE_SYS_EVENT_H
    ++	struct async_ctx *actx = ctx;
    ++	struct kevent ev;
    ++
    ++	EV_SET(&ev, 1, EVFILT_TIMER, timeout < 0 ? EV_DELETE : EV_ADD,
    ++		   NOTE_MSECONDS, timeout, 0);
    ++	if (kevent(actx->mux, &ev, 1, NULL, 0, NULL) < 0 && errno != ENOENT)
    ++	{
    ++		actx_error(actx, "setting kqueue timer to %ld: %m", timeout);
    ++		return -1;
    ++	}
    ++#endif
     +
     +	return 0;
     +}
    @@ src/interfaces/libpq/fe-auth-oauth-curl.c (new)
     +		}
     +
     +		actx->mux = PGINVALID_SOCKET;
    ++#ifdef HAVE_SYS_EPOLL_H
     +		actx->timerfd = -1;
    ++#endif
     +
     +		state->async_ctx = actx;
     +
    @@ src/interfaces/libpq/fe-auth-oauth-curl.c (new)
     +		case OAUTH_STEP_TOKEN_REQUEST:
     +		{
     +			const struct token_error *err;
    ++#ifdef HAVE_SYS_EPOLL_H
     +			struct itimerspec spec = {0};
    ++#endif
    ++#ifdef HAVE_SYS_EVENT_H
    ++			struct kevent ev = {0};
    ++#endif
     +
     +			if (!finish_token_request(actx, &tok))
     +				goto error_return;
    @@ src/interfaces/libpq/fe-auth-oauth-curl.c (new)
     +			 * Wait for the required interval before issuing the next request.
     +			 */
     +			Assert(actx->authz.interval > 0);
    ++#ifdef HAVE_SYS_EPOLL_H
     +			spec.it_value.tv_sec = actx->authz.interval;
     +
     +			if (timerfd_settime(actx->timerfd, 0 /* no flags */, &spec, NULL) < 0)
    @@ src/interfaces/libpq/fe-auth-oauth-curl.c (new)
     +			}
     +
     +			*altsock = actx->timerfd;
    ++#endif
    ++#ifdef HAVE_SYS_EVENT_H
    ++			// XXX: I guess this wants to be hidden in a routine
    ++			EV_SET(&ev, 1, EVFILT_TIMER, EV_ADD, NOTE_MSECONDS,
    ++				   actx->authz.interval * 1000, 0);
    ++			if (kevent(actx->mux, &ev, 1, NULL, 0, NULL) < 0)
    ++			{
    ++				actx_error(actx, "failed to set kqueue timer: %m");
    ++				goto error_return;
    ++			}
    ++			// XXX: why did we change the altsock in the epoll version?
    ++#endif
     +			actx->step = OAUTH_STEP_WAIT_INTERVAL;
     +			break;
     +		}
3:  0b0b0f2b33 ! 3:  07be9375aa backend: add OAUTHBEARER SASL mechanism
    @@ Commit message
         correctly is delegated entirely to the oauth_validator_command).
     
         Several TODOs:
    -    - port to platforms other than "modern Linux"
    +    - port to platforms other than "modern Linux/BSD"
         - overhaul the communication with oauth_validator_command, which is
           currently a bad hack on OpenPipeStream()
         - implement more sanity checks on the OAUTHBEARER message format and
    @@ src/backend/libpq/auth-oauth.c (new)
     +static bool validate(Port *port, const char *auth, const char **logdetail);
     +static bool run_validator_command(Port *port, const char *token);
     +static bool check_exit(FILE **fh, const char *command);
    -+static bool unset_cloexec(int fd);
    ++static bool set_cloexec(int fd);
     +static bool username_ok_for_shell(const char *username);
     +
     +#define KVSEP 0x01
    @@ src/backend/libpq/auth-oauth.c (new)
     +	 * MUST read all data off of the pipe before writing anything).
     +	 * TODO: port to Windows using _pipe().
     +	 */
    -+	rc = pipe2(pipefd, O_CLOEXEC);
    ++	rc = pipe(pipefd);
     +	if (rc < 0)
     +	{
     +		ereport(COMMERROR,
    @@ src/backend/libpq/auth-oauth.c (new)
     +	rfd = pipefd[0];
     +	wfd = pipefd[1];
     +
    -+	/* Allow the read pipe be passed to the child. */
    -+	if (!unset_cloexec(rfd))
    ++	if (!set_cloexec(wfd))
     +	{
     +		/* error message was already logged */
     +		goto cleanup;
    @@ src/backend/libpq/auth-oauth.c (new)
     +	}
     +
     +	/* Execute the command. */
    -+	fh = OpenPipeStream(command.data, "re");
    -+	/* TODO: handle failures */
    ++	fh = OpenPipeStream(command.data, "r");
    ++	if (!fh)
    ++	{
    ++		ereport(COMMERROR,
    ++				(errcode_for_file_access(),
    ++				 errmsg("opening pipe to OAuth validator: %m")));
    ++		goto cleanup;
    ++	}
     +
     +	/* We don't need the read end of the pipe anymore. */
     +	close(rfd);
    @@ src/backend/libpq/auth-oauth.c (new)
     +}
     +
     +static bool
    -+unset_cloexec(int fd)
    ++set_cloexec(int fd)
     +{
     +	int			flags;
     +	int			rc;
    @@ src/backend/libpq/auth-oauth.c (new)
     +		return false;
     +	}
     +
    -+	rc = fcntl(fd, F_SETFD, flags & ~FD_CLOEXEC);
    ++	rc = fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
     +	if (rc < 0)
     +	{
     +		ereport(COMMERROR,
     +				(errcode_for_file_access(),
    -+				 errmsg("could not unset FD_CLOEXEC for child pipe: %m")));
    ++				 errmsg("could not set FD_CLOEXEC for child pipe: %m")));
     +		return false;
     +	}
     +
    @@ src/include/libpq/auth.h
     +
      extern PGDLLIMPORT char *pg_krb_server_keyfile;
      extern PGDLLIMPORT bool pg_krb_caseins_users;
    - extern PGDLLIMPORT bool pg_gss_accept_deleg;
    -@@ src/include/libpq/auth.h: extern PGDLLIMPORT char *pg_krb_realm;
    + extern PGDLLIMPORT bool pg_gss_accept_delegation;
    +@@ src/include/libpq/auth.h: extern PGDLLIMPORT bool pg_gss_accept_delegation;
      extern void ClientAuthentication(Port *port);
      extern void sendAuthRequest(Port *port, AuthRequest areq, const char *extradata,
      							int extralen);
4:  0e8ddadcbf ! 4:  71cedc6ff5 Add pytest suite for OAuth
    @@ src/test/python/requirements.txt (new)
     +construct~=2.10.61
     +isort~=5.6
     +# TODO: update to psycopg[c] 3.1
    -+psycopg2~=2.8.6
    ++psycopg2~=2.9.6
     +pytest~=7.3
     +pytest-asyncio~=0.21.0
     
5:  65c319a6a3 ! 5:  9b02e14829 squash! Add pytest suite for OAuth
    @@ Commit message
         TODOs:
         - The --tap-stream option to pytest-tap is slightly broken during test
           failures (it suppresses error information), which impedes debugging.
    -    - Unsurprisingly, Windows and Mac builds fail on the Linux-specific
    -      backend changes.
    +    - Unsurprisingly, Windows builds fail on the Linux-/BSD-specific backend
    +      changes. 32-bit builds on Ubuntu fail during testing as well.
         - pyca/cryptography is pinned at an old version. Since we use it for
           testing and not security, this isn't a critical problem yet, but it's
           not ideal. Newer versions require a Rust compiler to build, and while
    @@ meson.build: foreach test_dir : tests
     +      test_command = [
     +        pytest,
     +        # Avoid running these tests against an existing database.
    -+        '--temp-instance', test_output / 'tmp_check',
    ++        '--temp-instance', test_output / 'data',
     +
     +        # FIXME pytest-tap's stream feature accidentally suppresses errors that
     +        # are critical for debugging:
    @@ src/test/python/meson.build (new)
     @@
     +# Copyright (c) 2023, PostgreSQL Global Development Group
     +
    ++pytest_env = {
    ++  'with_oauth': oauth_library,
    ++
    ++  # Point to the default database; the tests will create their own databases as
    ++  # needed.
    ++  'PGDATABASE': 'postgres',
    ++
    ++  # Avoid the need for a Rust compiler on platforms without prebuilt wheels for
    ++  # pyca/cryptography.
    ++  'CRYPTOGRAPHY_DONT_BUILD_RUST': '1',
    ++}
    ++
    ++# Some modules (psycopg2) need OpenSSL at compile time; for platforms where we
    ++# might have multiple implementations installed (macOS+brew), try to use the
    ++# same one that libpq is using.
    ++if ssl.found()
    ++  pytest_incdir = ssl.get_variable(pkgconfig: 'includedir', default_value: '')
    ++  if pytest_incdir != ''
    ++    pytest_env += { 'CPPFLAGS': '-I@0@'.format(pytest_incdir) }
    ++  endif
    ++
    ++  pytest_libdir = ssl.get_variable(pkgconfig: 'libdir', default_value: '')
    ++  if pytest_libdir != ''
    ++    pytest_env += { 'LDFLAGS': '-L@0@'.format(pytest_libdir) }
    ++  endif
    ++endif
    ++
     +tests += {
     +  'name': 'python',
     +  'sd': meson.current_source_dir(),
    @@ src/test/python/meson.build (new)
     +      './test_internals.py',
     +      './test_pq3.py',
     +    ],
    -+    'env': {
    -+      'with_oauth': oauth_library,
    -+
    -+      # Point to the default database; the tests will create their own databases
    -+      # as needed.
    -+      'PGDATABASE': 'postgres',
    -+
    -+      # Avoid the need for a Rust compiler on platforms without prebuilt wheels
    -+      # for pyca/cryptography.
    -+      'CRYPTOGRAPHY_DONT_BUILD_RUST': '1',
    -+    },
    ++    'env': pytest_env,
     +  },
     +}
     
    @@ src/test/python/server/conftest.py: import pq3
     +        cleanup_prior_instance(datadir)
     +        subprocess.run(["pg_ctl", "-D", datadir, "init"], check=True)
     +
    ++        # The CI looks for *.log files to upload, so the file name here isn't
    ++        # completely arbitrary.
    ++        log = os.path.join(datadir, "postmaster.log")
     +        port = unused_tcp_port_factory()
    -+        log = os.path.join(datadir, "logfile")
     +
     +        subprocess.run(
     +            [
    @@ src/test/python/server/conftest.py: import pq3
     +                "-l",
     +                log,
     +                "-o",
    -+                f"-c port={port} -c listen_addresses=localhost",
    ++                " ".join(
    ++                    [
    ++                        f"-c port={port}",
    ++                        "-c listen_addresses=localhost",
    ++                        "-c log_connections=on",
    ++                    ]
    ++                ),
     +                "start",
     +            ],
     +            check=True,
-:  ---------- > 6:  7d179f7e53 XXX work around psycopg2 build failures

�!��dv9-0002-libpq-add-OAUTHBEARER-SASL-mechanism.patch�<ks�6���_��q��H��~8q�?f�x,��ws�u1	I�)�CR~$7���
�"%J�=�n]�9K��F��r��3�V;u������mv�V��k�z�q�1j���k��F��z��u`�=�u�Z��P�Vk�SD�?2�����<G~��������\3���c�}���2���|DQ�A��_��/T��j57��~�F�����������^�lk�}�f�0��\|��:��ax3�:V0���p1����	\<���`p
�{4�8:����j;�9�>\h�������;a
m���:�z������Z���ep�g��~g!�2��gNH��B.�S�m��2���r��{��@��x+�a#������/�����
�w��#6+���v�>����Ax��-@s�	���rN�2����n�k�j���h������:
C/���@Z���N,G,�p_.�5Qv��?�+���?�r��(�b�G��
.t�y��)���\�����
pl��A�����\�3X�4���I��|�yn�<n	����W|�L�=b	�k�9����'�<���~��%���~%�_%��$�J��Vo�*��3g�}��:ck2����Hw��4w|}7��c���|��e��8��W����������
�F��p=8��+`�N>����3AQ7Xc�\j
<��0��;GQ���AP��1�qg��>�1���R����
Nx����&�F�3|�Gd0O���;���<���+dv�	�z���>����uB�H����w�Q����5s�$����#�L>�O&ld��%��2��`��9��	J�����x����h�?�v}x�I�'�����O��yF�}����+0��b������.#*���1��|�K�F��K�8Qu8
���H����(���&T���\��U,t��
Y�l1x�>�C���3�-W�Tr�~r���?�nJ�����A�5�
�hn��K&�f+��]�xh�S�
����'���BG5���5tT��j�����m%V@u�T�`�c�s�G��j��6]� YJCy]�T�f�)��(t�c�r��.^iT=A���W����k W^�G�F���7��0/����-L^<���Bkjk�A,�BP��l
��RdB��L[�2����+`��`�AfC�		���6�#�H�
D���1_�2���`���z�X+�5�(&�-i�L �b�c�7@��n������y�c��P*����hbs�P)��Cg��bF��V�������
�&�V����v�i.G�3�	&�loeF��9�1��y��5��jG���w�U�aP�_��Z���9�)��P���e4��6P��s����m9\=�A�gQg��k��+�'����d��z����p�,�{�Fb�n�C�w[����������S_�du�����)��i�i�Z�����S�?q��Kf��	���]��HF��������)��H�l������P
d�Lg
-p��������D����}BY=R6��\E��	������K&fN�^�����	5<9}PR(�PQ_%���
Cz�i���In�:nM]���Uc~���w�%���;�]�@<���o3���~��;ne�����b�e_����b�.�A�N&��X�4o+W�0����L�I/�����1��Iac����dZ��h��q{�����.J�{�����m����24�������Q;mF`W��K�6�g�7\����va������\l��n����R��;H�d��"l�}'�9�_<��Ebf������%��i'�b���H�E��}�Ao�%+����
;�L���*�.�"PC��@>{�-��^2���$
��"�������W�7��qw<^V���e
���5~�����)�:n��v�)�R�;K}	C�w��Gzq���A�`�������.��6���X����Ud"�D���,�6�h�P��:n�R
��	�G*�x@BF��Z-��1���=�y����DKJp�
��H���ud��]��+��;�&�G�;��RX�T���������&��]D��0j�}������=�$�P�,Q!x�GG �6�<�
��������Z&�d��j���������7`�Z������"������������C����aV@��?�s Ah�60�����,Z
�������!K��v�9B��5[cdQ�,�B�"��+��P@��G��h������!U|@��<���F;6��&]�_�gR6��
��^lyd�1
�����QH��w���%�B�%5�S���H%�VN9�����%�z���c����i+:`�rR&dKI�������8��� ��;��4�����;R�3��4>V�>�H����e���J���S�-�U
���+Fqg�C]����!z�/v��W��T��T�D���f���]j�������o;��5m��k
6��50_�W�L:��*;}�o�[���< ���k���L������Y�����q�2U]���x���c���t�e��0��UW(�T
� f'��$h��9"Cl������A�X\�\��G����i	/M�����*rn�	}k�po|�s��Ty���i�:��BY�1�Z�3.y��C��z�����)��Ele��FSle��j�\O�d�z`y/���Il�Rb������L|n'NP{b�1���F/r�"��Zr��L:�,�g
/|�5IhQ������bV���iH�S���Ie+<R��
Z@��;I�b���{.W��O'D����4�q1&�TNoVG�GU0o���N�mj�i���f�j��:�\0'���95�!��bGOuQ�����������u�vQ��+��sx�~x]�[�kK�
�������.>n_P2�9J��E$�,�)��e���p����G-�7�'�����������c�Tq����'����a��l��^�=
1(>S3)��P����X��6.N��\�juN�������p���M"$�^<�I�\��[�YSA�Y�5��#�W%"��OO��������8D ��`��,����dqi&�v�{WL�d��6E��-/�/6����N��[��������a�6+	���+��_�����G�I�V�Q��n���:���D�u)M���i�g����H����#.����J�/������N�D���X��?���O�
�|%S^���LI��%�i��JHB���(sX�fX0�P&�����"y4b�|R�E��Y�������h��Qk����"	%S�d�x���FM�Y��B���~(�8���/��?
e�$��
������11��T�y��;�G��v��I�zqW���|Q��A�������7}����X��V ��/J���RU�4F���J�e���bp�E��;�s!��
i�>R����z���	.���>U1Y�����|�q�Zq}��`�1j�����d�e/_��MPC��@
x%��� �5J�{k4D�\h33w��Y1)_�^ ���l�x�%����y#���C��;���e���3�"[Qg��6���@M���Ntb9}�:�� C�i���^�����@"�����Q�W��Z���y!q|�|M��%�>	�Ye�J�,��_Q���.�Z.Z�[��*�o4:"�l4q�9+���)y*�o"g`>/�8�j�N���m?���@�E��Mj���hr�����f��T�fT-$;$���c4�M4��i }o�Q,u"x���"�Y�Z��
M��F�v�5�-��k�v�N�����U����'�E�~�Jg����sj��*'��`8e`�����T��1g2gm~�"�O�!�e="_iL]��
6-��3QI�S!�%jJ���fC.�b�|����8�&��R�5��Gk:"���z�5k��Gl����N��RO�t
e�5�����x Y�7p?F�
����^t��dg`��^|���Z}�p�<W�����QB=���8DCR��PJ�c$�u��t��p�*��#��5J&�F�Yg=�F��V�h��5��L2,d��)dR�mP���u����7�h���]=��a�c���m�0-7�g/t1�Nu��4��Ng��(zV��n�X�F�b�����C��A���#�].�+%:�E�O5���0/_�a�{&h`�\\iy�\[6ywF�4U����_�T-C�fp8n6D�A��g����t��v.������
R�W�+����1��]��psI��������X�
��a���"\�7�E�����Q`��n�`;Yv�����^��WP�`@	�p�W��&fmF�������B^�U�+I���h���h��=m���w�����Q2!Bl�#f��f(�t�F��"��q�*I�b��C���_��e�]��x������]�"�-�����Ck$��Dy~��~��O��{ �����,�`��P���r6�S��iJ�eS�

EdR4��f��V|�;O��S��IYE��i��=������F��XX�����q�d��1Ez�)&��yUds��Z�����b�/IE}+':����s��Z>#`wR�Y���������3kI'i�m�Q� �w1�/�!t�����19��(�P��Q�'������Z�����{&�s�������!yW�U�v�F�:4S��~��|K�`iRl���cn�L^�
DF:����h;��D�mopv|$�/�0�\�����/���"�z�v�����[������H���w|s�����-��e��N!��wuoK���gj9b���:����5�Oe�<=���!U�|�4��?.�
,���R���xO�:8�_�%�$y�^�z'�$Z��y@	�Vj2B��`�nV�6t*k��^��m�����vq����j�����,
�����C�FhQ��]��R� f'^�I^G�
;�=���1�F|�ws!&U�9\���g���������B��������?�s��y����
RlR�aj������#��/aN����oNnNT��.����W�'�){>.
*�l*�NE�A����z��waI��P\��:c�Lc3��[�R���D+��/�2�6Sh���L��E��N]�;�^��Zev�m�"��p9���M3�M]*�%qS��l�X��^}�����d���W�TN2&��f0{�[�LD�����t6��2[Z6������1a8P[��2���(�<����hs�r��v��hw�#�{^�U[�,��O�?�CJ���+/���8�D�_9�f�+��'��Z����wL%�S�3v�/���^V�"}Y���U��Fa6\t����e�o�����!�0z�W���y�h9���	c����������[8>�����R��,���(���d�I����BP�t��"	y����������Yp�>��V�����������sW�8/��P��|���o{_������7|�2�bKF3���4��������
�u-��*��N�}���3� 	�In�u��
�p��������Bn��j�6�3�*��#�~�� ���!F_��~y�g�\��^����\�0�t���ba�#��O2��1��)�=�A0X�Z�_��
������&�\������u�E&��% ����v����l����d��s�W�p����e5��n���������������f�Q��QC���
�����~�Z�XV/������I�����u|�(=2����7R�Pm[��X@�:�������T�����5�$�����4/�OOI�2����F4N�6��4�$����A�&�,h�������)���T���N��8X{3���s�A���k���01�L]I�A����v�K�
�D�D"�Yf���L����3����A2E����{5y6<������y�n�Rs����w9�t&�8�7d��4@��e4b���B>B$7�}������
S1�eE�NqS?���=���fcE�����^�������t�P]( �=��DQ�i�jT1�V��{�4�Q��$i��������b�|�{��?*����������FnE}�/jpMCt��U��Nb{��5X!��1c�'q�E��>�
'���v�v��������(�n`�g*C�����[����t8�5qww������O�	����������pL����LV:�����E�C)T+H����2 ��{��:@Ec�
���u������QTg
�=
�� ���8D��z��u�)�.L[[]'��V2��o���OW�Z�[	f�e��*zb���;��2���X��3�X��
�]��5�j,&�9t����3�ehAn���[u�|�_2��rPwf���I����l:�u^
����u��s� ��3��3��U�^��`������h�s��e�`��S��R]0�����"��D��d'#��;!E�q�44��P�F��ic�������chc�i�^?cP�pJ0�����
����
K'����1M�1������S�lGa���a�J�	����N�����-w�����t�.���~�h����o(����nc��k8�����AkVs
���������>����*t��%�:�
J
���^�0�G3�o��Y�������=�������1H���<�	����+B��64�[����x
DV���������g�
�<��NHO0YpH��5a�����
	�]D���]��?�����H�l��
���SH��<J�G��I2Jfi���E����E�k��`��%�MoA�d>��F�3���o������Y���_:i���l^�={��c��������"%)�����3L�z�lg����u�F��N��'���h|���4�Nw�1�M��b0SRa��Q�K�Dq��1�dL8��
>�D|�Rg2�Q��[�RmG�!�S
n�{�%�vAe$�)�=�1��w�}��M/uRe4@e0�$DF��Mzgv~�;����dr6��u�m����;&����+������\����
UV����#��N�G�
f���nj�H�%�h����6�`�
������Z�F-���.C3�[��(g
����>@�?���Z5����6b��}��R2�����F�0�Q���9�R��B6x*��4�e$�8bz�if������W�t����]2y�A���@LOD^�P(jC�/4�V&�9��L%OftQ8!h��$���X��I:}T�A��X
Jn�6���� @�����a����ao���6ss�)8I�P���"n`Rt���(?_����V0�\A�i�|g�^=�8��v�[�)p0�G��]#m���M��F�F���d���&�`�L�9��3���!4�|��
�R4����������(����4G�x6`���FY}���r�F�3���:f��E�p:O����{/�D������P��{��G��D"6<��'(�=x�������N,�����"`G�v�*`�o<�������	&�x����Iy��`z4�4OLF�ao(����a<����$)l+�F��K�v��5�b'����1}��%S!!����"b��W0�h3cF���C^k������
2J���7�7������9�tu���j�r��m��^�%(�����&0X��f�qz`&Dq[�zp�o��{�6�<d�����Q�]Mk��5���0�#[kt'��,��m�Ex��d��������W�
�!���>���$
�T1�����H���������1�h�Dy���B<@����@��5�Q����L����lzKp807�@���tr�+��"��#�����Z�j��'	�6b�<����*f���I�,�����L�		��Hj���E8�J)(B��/�t"��Q�+x�z�.d��Pt���q>i�0;TK�.2��K<Q@er��LP�;�
��gk��'�=*�6wB�t���}����p4z�8��i��5����gM�Fz�!�M��9�F�fZ$�'�r��|�����7'�jkgP�4�s�9��7��1�}����]�O�{��0E��N���&�A���YX��@�)���N�G� �E��`Yt�g�4�NK�1���C `���rJ9�U������ZZ��@�o"e��%!.x�8�"#EcQ��|O�n%
�X��hnS5�!�3�-a�++��DTA�B�'�;"����H_�cT��o�5��o(#Q��U����A�Q����&Pv���Q�K@
�����$�{�!S8���](	��1R`�O���;���^r�9fQi��|
���9���ff���;\fU��
�x
=�@>�����sO������QQ�b3"s�"1?%�5
��
�!� �{�E��]��i��M�4��I�}~�C��f�;6g��w����IU��}l�������6�����,������L��S#�5�#��$���
�s4*�E�?t���<�1g������X	��
u4�~-�5�7G�W���^�Pd�":�
�[!z����I��M��i^���?������f��N��{4�f��c�i�����)��A�C�)��QIQK�wdL���������V��\'���~��$���`�A�g����=��i����<�vfl�:I@>�������m7��/�d���Z[��x���K����g�����3�V����J�;��W��M���v����Z������)p08��.s�k%�O��"��|U;�"���~I�>��O(d�lV������dV���O�:����?�o�W����2��+���O*ltT���*��i�_u����������+��V�����O����O��;��p������A���pX&���C��R�1���x�|�N���U4���'�0����D�����M��0(�R�z�H�C��������	��])��K9(I�Q�$W:��}�n�'�np1���pB��4��	xC���l���oV�����_�i���#Ya>����F��l$
�HQd�i�A[�1�����pT�&���;'����@f�w���P3t������U&x���f_b������Q�9U5�������`s�D�Y��:�Bl��h_]���X���={��U��
,���������G�W,i�Fl�$��:<}�t���3
ho�XL/��xJ�x�/������}`S�
�����Z@GL��y��YC���\������SvC�)'8������a����7���!��t�q�;���+���,;���A1�8����v�6Q�c�%e���&yz%�%�(*��&�28)�)�I4G��Sf�pt�� f�,��kx,x��A�>����e<�-�����3Gx������?��t��R1^.s=?)�$gg�B]�/�k�2v�az���Q���dT}�K��i�f�9^�q]fd������k�L�e2�*���I
��[to�;�)���v,�c(�Px\������o����j2k�9�\O��=�5�*3�%[�.���C�kZi�NU�W$��[��������`u��H����Ym~ms{��[#��U�UOb;M|�	E���'��C���J��7�fiYR�#�����3�i�G�/�����_0��@jIh�8�g�%	���5���]�P�F��h�<�.��:�R'\��{w|�l�?k�i"�kPs��)���1r�!�<�'���p��	k�4/�F��j�L'����s�6������w�����3�=4^+C��Z��C�H�1F� ����#��Dk��r�m���C�(ez�)d��������%k�#A6�b��e=���-L@�f1��lq�����|�f���nnL�C���y���
4v��x�&���Lxw8��969��+N��K~����T�+��
�}��g?�(�j�
�����z�k�9b�_��9�2�c�^��-���	��� vT�v3���F�j�!H��!�G,�	�`^A�Du��F��[�X*�XY����m|�\Chs>�]<b�D�>f��"]x���f�T���(�2�x��Y'�#�P�����qk[b&W�8q�\'���y��R��J�����4g�NO-Y~���c��H��� �/�z+�oK���e�������\�n�������75+*hf�fL$�}p{R1z���R������?b���(m*
���f�'4�5��9�\�YW99�0����JB3���������`�_���c��/��z$��x��������\�+���Y,$#�� a����@\&�,SI�[���p
)�H7�-���3���b���b�����^&��������d�H���Y�M��s��c���c���X�0�\?>�u�}|V���*eC�1}���h��uOz��Ap	�"&�{�KR[���X�Q\g�$W������Y�R���^�;����i+x����S�i��v���r�:A ��
/�a�)h����[����?�	*�����g1��V�{��4T]���	�
7x�X�,��'XE�[	)M���6tR�8��89�^����
�A|��1B�$��D�V�U	�i*�X"d�8�&���`K5���x���L��1V�`�����d2%�^�8��
�!���@g�i��/���"<����7����V6{4���g�
�B+,/��lh��8�
�,��������g�G�}�!GR����Dv��i<���?
�
ss��~����9p�'y�u�8/qx��)O�yGKxHO�J�|����(!���_���R���Q��Z���9}q�^^��4�V�c�'�@�����T���O���'���
�M0����Y��O~��O��,��BgA�����O-�x�yw��y��v3����]���Z�+<H���H66���T��L�#�p�{�Xl�;��v�Q��8�3ob,h�p]�t5�Q���l�Qs�_�����3���������xq���6��r^�{]�^!�u����{
+

v�J4,_�:'EO�rSmL|y��.#W��m�@V����� ��4ip�}I���QU��
<���5s�Kr�E���Z���U�
�������zU���F����M��Q��S<
��z�Z[���]_���lw�aF��P7���B�4��B�����
��_pgs�s������
�������
�8fM��;��_�������}��G?��Q?�_���6�5�m�+7���L�F����������c�F@KS =q�}�~cg��}�>��hsAO�l��y �1+,��$3�����pp�a[�i���T���/�Y�������R_�Y�B��b:q�F\����������7����m�Ny����m��X�_�d�5���D�e��%�o�P�N$���A���E��I5���t6bF�(��?�$<�A��1z��g\��
F7��)u��{��D��A��������[��#�
�������������
����G�`bm���IR�w���n��Hu��5�F)*�#�"���p�$7����ax��W�������E)$�!�I�4�>{M��*��!|>�A|�;_����L=:�����H�� 	A�`u�pU�)���j
����D�������[B���CW^��$�N%|�����K��z?��v�!OIO�S81G}������Zr����a�>���I����T,9�����s�lw�� ���;����Q<�W�F��������-j���)��8����RQqM�W`
f����V���o�����h�n�r3�/z+�{��n���hK��L�2��1�a���!k>,S���y�9���f�AJ�0��g7q8i4����4����pvX�Z��"}�!���gS`��c�l��f�kdl�6q�\��E%(y�6�>d��Z8�J�G���`'���NTeT@��V�_dZ�Z��5�� �0RcN<���k-:k"��m�P��]��Q�bG\n{S+�����n
}��pY�-��%�(�$/�V��"�XH����*�L���@�*J�|D���k=��X-m(0�kgH��������9����s�j�5�`���T���,EF.f�R�~�t�s�+9�qT-�*����>�p.�v�K�<��2����)�Z�k�W��!�q�����@�Do)a�
��7�������,k����	���@�N/7[��P����^�rTy���"h�������l�Qt�L�����+�rQ'_l��G��)��������|���P4��w�V&��O	��A�s�l
�.hO���A���~%��$R\����R�!y���
�[�1�cDpG6�4����3!���R����[n�������1�p~n���Z�-�������� ���s_��H�*�#L-;?;�:?k����'%��6�UymaG�F�s6T��!Swu�9:9�<iiT��Cu�.����I�[z}Ib!��G�s*_����g�U:�y,A�=����fc��A����
���d��Z��=�i�������'�hz�R4eH92o�`Y���������&�7��g*�c|$����������Q��!/HD���deP����l�l�H��P���_#a��i?���S���G�Gr��m���w�����������[g�����/��e����Mn*3'����^h}�U������M��V#B�c
�[�VJ-'��R2��B��_�}�~	��(ASI���V��qa���d�aO��E	��o���(��|�=?��ZN+�4}RK��}B���c�Tw9z�e����5����.n����|d��m�
�wO�0��%y�{e?o����S��N2��#�-<�^�X83|eD�f3�h�L�?brt��gh�KO�_�N�:Xv���y��'k
/��l9���S?]���_�-�Q}����vy�
��I�&2����B5>S'�S�G��w�Sm�:����1�`���Mw�`�E���5#b��������9�}A��������&zaS�
��e���&��ds��A4���&�
_�����=Y�H���
�P����E��P2���)���)&����x4��G���F�>������%;G���j��R�1�l���Si�vb����0$������B����V����1th1qA��g�����b �5��A�D��HCGG��K�u�^���9�3�2=dY��3g�/}��V����{��:���<Ik��R���"�li� �����M����x4c@
.�`TE�$��1^�T�G�DE�B�2��Tz�X��b�Q�Yf���"8�#�U�F�
�k��W�"�M���1}�D�G�
�*&��C�c9���NA�2x3}�Q��u�a3��K��U��q���%��wT�zF������ �������kH4��Ws�X1��P�u��D
M�^��
�Y���X�m��0��f"Fz��Cd#i��Nw�AhN��<�nu���8��x�����(��R��y>r��:�X[����f�}C�V�[[\���,D�I�
����%�n`�|�F����/
��X^��A����� i����D-�2R�U�-����|ge��@9Z��/OS��z����s_���F��?�0z���)�,����k9oa�Y8��%
1Y��<|*��]N]�D��%u��RjP@w�)C:"��\#���q��r��\�D,��1w��j��
��"�*��
���r���H��
����&�t�j�B��X��%8�$m��c���{�?I6�
�U'������p����q��.�(+79����a���`>r��X5X-��E8�����)#�(�9�	��Z�v)�gN�ku�m�U�Q�i%�� JW�MC ���B��
�r
a���1�l��[�S�_�;��Z�1b���h�����I���
�H�c����9s��|��M� (�
�M,v<:�a/lz�~`��}	@U
��c_��
��C+�����^�������!r'�A��Q�����<;o�����6/&������$�8I���(�^�h]4���R���jU�gipr�&�����,>
0dY�b��u� �h��)	o0�
%dSd�m���� �gE�e�g2,��8���\��1�u�#�f�|E�
�iC���J�,�9�+��%`w���=5��~��%(�7����5����3�1�F��I���7���^�������M���GI�|���kB�2t��:(N�}�"�]n9�a��{�������_�;���/Y+$ �L�)�(Z&(y���2�~qy~u~|~��K�g��w�B;�S����
��#*�.)����e,��)5P��3
�TZ����3���1&��OPRO:kR/��������!�h�b�a���m�!N&����v7E��I�#F=��
��$�e8�RJ�'���<�UM����G��Y�^��7�N,:����!U.>!<����*��~��jn���l@�{h�m�n6�u��w3M.`C+��X
�l�@
`�W+�K _|�~�?F����:>����$KQ� ��Z������_(�b{�F��	9d~�Xj~�V�:�*��{�����'�!���Z��w=��)�!�.�z��v��\���O7�HlY���
-7����%�4��i��j"�z����;����.�&'E>I3knb]���
g\�$�S_C�X��c�Y*%JVJ�1��a�����*���}0p-����N
<@�p	��KEz
z�HK<"�$��u�|�������0CDw*�~!
��3�J���Y�M>}�>����P�kT|P}�$���K�.p:�L��^"��a�9��S*�����%u����]���X�i�y��=�p��9*s�:Y&y����h�X�P��U���S1��tgi��P�SNy+
���6!q�&VY�2�3,�����Z,���`5�A@����-��/�K��j���hlp����4Z>����}��tP���\[�9������v���$����\���]|�8�'��aZ�\^�$�P�>o�u����?�5D���~�z�,e��a~3�'�E����ig�)j������Jx�nuS�@�����|�����p���B@0��g�A��.f�U=��6�[
���q��M����f
H�92SgV�Jy�d]utp��-�7i�o:'�gM�g���gS4,��.����	$,	*.%�dt�j;������C��q�c�*����n�EEn���P�+�l���kX���t���I��]f��9��0����.� �6W���e��fE�s�XQ���P����������x*�{HU�6������d���8P	g�6[v�d?��������(���Q9d���0��������=�'>t�C��h��^��y��}��B�t�	��\��Q�?�)E���)Gh��u�P�����"��2��G����|'����cu
KIX�%$M���T��a�#�\�������L�Adj�� ��3�{�Q4�@u(�u^��8�b��}}�������x_��<�P����S(}+�bD���i�)��Y��.[^�A�t���a+�@�����/\�����GN_�hf*U���T=��jy�����2���~�43Qb�a�M�j3U�����'�P���|bQnr��A\��I7 �����=�����ur��G������Nv�l��������w�+=������|C�<�"�����W{B�0�12�9�US��6G+��x�C$��U�#��A��� ����F�����`�c��m���*G� 5�	����@��qG���5�OD4�A��e�n��U���d2QDfh��bH�Q���b�\�6I�[��MfDiX��T����Sc���!tA(�g���3#kl/
��C�������� :�G�N��w% ����t&x��
�L���H�����q��+i
����<�P�uMk�/��k�f������A�@r��L
���BG��5�����q�<>��yv�12�������B|�|���:\�������k>��$���CN�\���2*
g�EX�oD��%��Gi+n�����i�Q��[6@@�6#]�9��J�������R�23g
 ����	�sy$�t�����cf��'��8�����0=�$��h?z�8�Xs$R�`�Q�T���',l����7��������Th�'P7�|���J1����"R�-���N�2��q������G��3Y�7�����'h�U�{�+�'����#���n��&��20�J6��*�<�
��V�Zc9���nNd�������������#��	-*&A��p�dw;�D�����.RS@�1��a0	I9$�d�y,@0r,%t��x�?������&�R�A�Z�F��	���N�1��7=��8���	�5�K��� ���pm]y�+?��]������e���i1R�������f��R�w<��+����Z�
���s�����s�G���@~��)$L��zJ��� ��(:������=3������^��}���!�d�d�;��C�LFX�97��(J�r�n��X$}4`
Q^So����.��<��R�@n��j����A��$����������&^�B ]��9��1i��
�z��.��k����.>���*
���w�+�!���z4"B��y:�1���W�r�@S��%���y���%,
FY����h�}n���/r�+��39��Ql��������/�~q��z�j�b��3 A��z\��
W^�W����zE��.`:b��q����^��������
D#�n�lm/Z��`�S�
��z�t"OhH�X+��.1M�H!72�����U��A��?wz���A<��b�B���l��w�HT���4�hj�bf��M1����X�1���\Cg��(w�B��i�(�A\xf9�p�j��J|Mq���J'|���WG��G���v����ms�~�Yv�n�t~yR����������q�~�/��->������A�aX���k��`HhE��,Ou�,�
n�m���������i�d|�v\������]�������FD�v��&��0�v�l,���"����\NV����c�%�s�6/��F�K@��u��5���@`R���A,n��MZu[�7���������������a?�N�P�Q�k�T��s�x<@����j������b��[i$��-�����I�'�A��Q�G /�����9�����Q,���!j��v*�D��*�����L�8
,�(�;��r:7R(�������>�}������c�x3���2Zs�L��(�O����%|g���7
��`�E/�������Ewp����U�WiXNiX��~�����>[�Y��,7��u���'�����8Rt8>�	�+��?#�( ��z&�)����ndE�|���z�6	��K���-���C�(���zn>�����R{~�/��
��z�rtA}=����9@���5�����Q����Q�����Z��[��j�S�$������r
��LQM���������T��aPpgRi�v����h�H��[8��v���[[�r89���	�
���os�1$��q�@��I�m���+���z�t��T���5�+���~H �(R	%*�#3��;�cN���'3JX��d>����@��������
d���&8��;(/QG	�&����� k� 9A��7�O���}��$g�Zn���q��OG��N���y���)�~����<�nt"==jN������:(��yJ6}W}��
�z*��Z4CA�y��j�2>��0tLE������w�����Ey����7���K2�G
��N�,m42��!��u3qn��f�`'���:�'b�hz�����p ��(���%Z9f"���Bm0,��l�hn,�
�k�v�Z}���m���G8�pTT���,X�k����k����H����6QJ����&���1I���:%�f��g��P9(����8�����@����/����������'�4)y��\����7�!q#R&.7�3��1d�=�M�� &�[��|.h�y��q��������T���������
�n����
okx��������V���m���u�O�#��%�E
r�����"�1�Wk���N.���#4 �~����cvP_��H_1��}S�w�"�/�<�����n�R��d#�M,�ugS��0���#�6y������7�M�I���[xD8}Q�����B�X	J�
�x�~����a��hf&\R9��3Pv8�{�bz:e�*%*�6��4;�Y�Q|s;F��<A8z���r
����::������q���;?��v���r7��2@1�������p���b���8��$y��jr�Q�&)sN'�������#:�U�
�����r��{�D(�����,v�ne���~�].N���`��NU�$8��G�[�3lnP�����m����:����y8�9wBqr�V��&VE�7��/L.{���j�g*������dP�D������@���`�c}f�z��Ltk-.�Uh�q���F��Q�!#bS��ea�=�\�������HW���`��@]��NZ�����?(���=�p~���#4
>��y��KE51�K�V�t�2�#��hH?����y���o��L�<�6"�lZ�|���(/�^+�VAJA/�A�������'�~U����,�TCq��B��'&~����F��
R�6?||��k/��������2g��N�����XH���\����;�����<-���@�H��D�*u�I������Z��%�������bv�>�
��+V�k������'�5��'��8~���X��i)��^�u���c|R�b����e����M�ck���
�������pY?p����N��e�����������p�O��k<e�)Q<,5$ [w�$���s��c����
�_���c�d�
��F����hX�2�]wl�Ha�s�����Q	��pm�����p��@���d6�Q�r��P�$�\����|����(hN�'������������%�PJE=��D�D����7g?�p��
����`?R�L����h�J������ e����Mp�C�Dr
�G=!���A?��J!�������`{5�f$�]���{�8(z��e�Z��I8���AINb�
��w���+i�P�C���!�r	�W��Ye�j3��d��=�=)!d�>r6����N�M^��P{n�0���������A���+�.��f�g�_{�"���#;D��;�\~~B�S�c��yf@lmBK��d6�
o0�Q��o�x�!X�h]���V�<�7�e`;h��,[Hn9�Q�X�`��@��A�
nf��1F:F��{=�!��x��i.�����y<�v]���nKg<��A��W/9��d���b�"N�D��r]�>gWc���)������?H�Q���d`![*�	B�6�,���G����Z	�B
Q�MCC���n���r����shu������ S^^.���������5�(n����h��7�G���9M<�th�d�O���r['u��kO��c�:��}����������q����c�6���`-S�k�`'���|��v<+�Q?4�f�!�=kd����"�����
�f�N��,�`��"p�M���@>@��!W'VH�[Jc;��>��7���"�'���?���2���}lcI��Gq~�g�
�
{<����c�^�J����p�g���l�?�����Z�<}�c�&s[d��oY����z���p#�t7����U7�7�
]��V�#4��6���C�^E��>:�������j<�E�M�_��n��n�����z�l����Y��?���KP��m�[�����/������D0�|n�t���K������&;����1�6D�"���~���'��
*�j����~}{s{������o������ ���7 ����[.�r�	���QL�=������(M�Z' x�^����%�}��HC_uE������R�`m,&�N?j��y��,����E:K����2�h�u����P[�������E��u�
��u�
�ap>�x��/$2���'�$�=qkQ?��	��(]�R-"�3���X�t��7p
��/�V.�Rt��W���*��'�i�����U�Z�	��7a>kxe����=�],z�sqty���q�U�����s5�g��{���;SKn���e���&� �6��'���H��Yj�}���#E�le2�A���\��FVl��A�����9�L�d0����t������W6������Ed�N*oJ����f��&�����T?�$���%��7�
f���*!���@^�������
t��V8��9���X	�JU��t�f�1�+:J��T��l���hlwd��bBy��K�T�������cM��o�Db��zV3���5�(W��R��9i��/[�b�.Ic/���\����R�g�8K�	r���\\��@	�1�	��Ho��R����`]S�o������Z�D���1��q%vbD�pB,_5�.���NT����
�^�PXh&MO,�B)�\Y�g���Y��'�F0�.�=� G.l2��6!��"_�x���e����e�%���a����!�����Ew��8�g@����(���c�E��<W�qI�2$��2�tQ8��
��]��v�~P7�'8u�g'����\�b�wX2����I��L���K��x}���M��thQ���^��1����
K�����,
����$�����v����[��x��J�;6��M*nEop&Q�03�3��E�2y(������.�xK�,�o�0�'����*�C������K|��<�l^qZ[�w:� \��Ol��������Vq�Z��?�_����������g4�3�c�ah5�#8������8�c�����d)��"6f�e��/vs�,Ac��Z2�g^���b��6�]`1c����l��*��o�F�^��&�C��!����qc���I����a����0���hR�J08��6�v�M������B��}�i!�[�����I�;�����H0h��x:����jZHn�������A=\A�%1����	�\�������Q������i5L��@���Td���e����b
Jt7r���2#)6�B^��f�����F�a$?�-��"q�@8r&^D�./�����r�"�=x8�,���gS|������<�����K�8���Q���Y�Z��dD}�$�S��,Z��#��QdY]� w~���O�^,�Z�V����FS��`Z���D��J��y"�#�Os����v�
��Zq1_9�J�tI[�
t;��%���v�W���(w�.�f�.��z�	�����s�%�tE��{��-����R��`,d1Fo88��l��|���_��d�MI.�S��,Z���Re�0XS>e��9���I���^�Kj
�������jwP����S-R3�2�Q�B������eP���!����}Q>&�����.�V:H$:�F�{��bM#K�]G���v�%|j��P�l��T�g�#�+p=r��?��aC!��&�t���ps��N;_f+��1�����b�A���8�L���YX�R�})�j�w�s����o��
!M�^�}����_f(S�
���l�����R���yw���H{3?\hf5���t'��!KN���}><S��_3aD���j��
�a^�d<�%6Idy����Map2n��=�d���������vx���g�K��{[�~�@	?B�d7�c2}�-��
��9�c$�@�&�
$����=���a�-�����q\|�cA���X�D`�7�1��*+C�`�g�Q�np:�)�=�0�5N�
���<��
��������M����'����i[
�W��r[�O���4�Q$�Tn:�gS�`���h��)x�1�Cj\;�T���(t�� ���i�('p��Cp����5������D���
ra;�5������u�^�o�_G�-����
��������3W�$F
������a�fS^�4Xr��P
����5~�Lq�C���K��5���A�7
3P	�}�����Uk#��W���q�A�
�nv�E�jQD���e`I�0/M��� ��~��3�q�H�q�����[kn0�8����h
��2�<4��W�U&2J���:���p�Q���]ARA�I����qd��1��s�����5��|XG��������1&�;<�������7Ao61�DlBs�>r?A�1E�"*
��x��6�`N����S+YsU�@/qa
`D�d�,���v��m ���_�S�J��Y4���,Hq�V�:]��8���!����	�FP���H���,�K������v�A�5��_�=��&���r�x�w���7lAM[-S��G���{T���z�|a�� 4�aTV��JO�l�qJ
)f�$HT���N��1��q�;-<ER(�bezZ���W
g!�����I���}�kw4G@���	V�3M��";(N	�X�����?��8$(il��X�X���2����!"e?��]���9>�����+�_���C=5��T���
S�z�,��VJ��
��@�ts���
?����Z�p[��^�J�mG�[������st����T�%�����7h����q}lV�S��B�.Y��=c-��3���P
��;z:�B�h�p�3J��=X�jg���ND~�H'�z7�tg�
9'_;��9Td��xS`J��Z�J���:D�k'*�um#��=�9���}�X����n9�.7n�|sd1��)������1�,���|z��FF�����^_br>g��9
��4�k$�F�������+Cf��!���:qA9�^u�������������Pad���_�dtI4@9�Li�J��c��t����7����L������7����c��x�	���A8�����X�#���'^���$�pb�T�#�,;I�g��h��?����EO�� �1<	���

y�w��e|F�X�����r��G�%�}^�������<-b�)����aGVY.������;p����"���C�?C!�w��3"����T�c�\�.���w�i���3�1���
E���hxD���J
�{�v�8��~Z��$����(��bb��������*���f�f�����e�f0�1�=����/^G���^�RQr��`��3]�b�.�r-��q`�������k�����s�#�(������5���t��"7KT�C���j�J��'!��
������+�
3,���c|���c�t$���>���
>����������/3�P�-��g�����.��������Q�3M�{�qa�����l���PC�e��Z���O��r�S&�?K.I����f#�����e���[������|u�n�3VE����x��F�8�bxu�;���_��"���{�i��������_��PCN�������Z�+[}5�SW5��!_7��'w^�1�x��y�c�-w}��j��.�G3"s�5�rN�0�`�4�LP�D�H������;j��&��}q��Q4�Y���Z*����cq-e���3	���� *����;�H�8�!Q�'�S��$o��B��������Jo��%+0��������p�'��"B��zU)((��#����{�ta �{Wj��M�.8�v2���rG����L
*
> -$3`��Q�U4�GE�����7�Q
�C�J�
���2hCR��Fd�#t���2��7o����8?���h����j��'�"9��r���u{w��2��R/�+�;wc�a���_z�q
uJ����yz�)jY(0z��79���zwm���F��8���+�U)	y�wD�;�k�Q	�;ts��4g39>jwK������~@?����DY���H9�,��
����v��<���������M���u������1"d��P��=���Bn�b����D��9��>�����U��
yN����4�o�#{���,@�>�L�E�u�M�0���
A��S��G��r�$��n61
����8�	2zD����8A�K���m�����X=�>H��H�������7-���^Uj��x���NN8J���5�N���z��$��2�'d��,8R���2(�\��.��<��$s�a�x��?;��yN�):>�QO`-�)`����{/�a@G�9e0j���?��+�0�������I� ������/?/��wM)��!��>����[��-��SfK��}^�]7�����A� ��FJ���������y�e�e�<�����3���B���p�/������(Y��������>s|~���yX4���(���"����+�IR��S�c�������i��Y�������"�m�[������pDr�	�pl_.iu{��<���l8�7��`&�3�$J9�h��S�{jIHv�d���]w4����J(#s��������Af��S2�h\���t���.e�WL*mK���(,�
�GZ/KQ�	�8��o�NZxMrp��r�����I�%�y����S��0�7K���B�)��u$�I]��5�uiE:����O=T4�#f���	��Lz��
&��'����Kl�<a�U�P���-����aRj�w��|���Az�R73N�?����u�Q�&��s�L kXCZ�cJL��n���
+K^J�_�K��:;�*^+s�O]�I����>/w�v����esG6w�����g����;r����n�N�#�z��d&1��(�1���!�6]�.��Ljh���
s9�#D�|-9�|�|o��r7�����Q�j����^�L�o0O������w��}���y������;��C�'�c,�������h��i`��
r��G�v���!�ni���J�;4
/��d7�|�a�7��H5����s~JxL�������N����vz;��/�����r���2lH�D.��U�����=�C�jPL�
e��(���0��*�>y�����^���f���g.�:Kmm`�P d���'$����#���<F����
�}�Y��D���	��T"��#!&#��a+�a%�8�5��0M���hM�
G9��A��J�Z<���a�{�j+����
�ER� �
p~�h�������#�Qa��+v�h�S�9*���u����@Hr_uw�*�+����[���ttj�	��'(�S��:23�#/���]}@��b��8%o�ldm1�l����	��N����IP��� "4k�`nV2we�|;�$��kB<�V5�^������"�k�.�t{ �@��nv���(��"g&Y�3h��\��R�$�B�7��.����&��
�vh@�X��vs�T^�K���5k�|(W��7A3 ��������3�T��Q����i���({���P�4*5^A~@������6�u�{���%Y
��2���A��-�4���}y���k�*�u�W��&Ke�����i�l�����S!aKw\�&aC�R�������E*M�%m����5������������c����9�eBk�G������N���$5h:xN�1p�J��R����Lx\�x45��YF4���-k��6p,���n�2,��2�c{��#J�\O>�����_gAo��T?Q
�BF=NuU��������E���� ����������e�������OO�������]`���1����n��no���^�a�|sg3z��(�-#-��$.��^�������Mo_�-Kf_A����6s�����Bg�b:]�u�K���9��
S���$]����'2��0Aln���
I�OT!J�7b{S�S(���(��H6p�����-�j��Wt����������p���6@��>�1�U�7�b����,�!�*�Y����`������Z���9/��6�F "mo��OC0]��]*�le��_�W,p����1^�e��,��*:�4l��r#t�>�l�'	]�~���3�N�����O�����-X������_�h1y��w���8O@|W�4��F�P������g����$�wd���7��$�3����P<�WK|��Z���B�
��������xEa�][�ume�8�9���A
��)�}�`O�Wc]���2��k�H�?]4��g�~������b]\�������m85��d
mL�UeQ|^�r�
2���Wn.?���]!��
z���60�y�9����-�J���fhW7_��>YT�{����A,�I�����y�1���&~�y�"f�5���)`��@�>|��O�3`E����������o<�&�I���:����G��:��_��Z���������QO������A�	��Ma�A.\��q�����(�4	���d�|�}�e���=�)��7�^���#��p��M�[7����ZZ�[������g�p/zm5�7�����������R���t;/���] ��<O���
{{����_%���	�,U|k�����d��no��vQ^�t���'@����fi�E@�0Q4��c�7���HJ���_bB)���R����Z��#M���/�/���d���������>
�%s�j{��\BB�	�g|��V�&"�,`nr�@�vPuv�Y�� `����
�"^�}���� ����?��\�����o�k�?������J���3
[��h
��0R[)�6��\c���(
{�Y�9~<|����SF#�S�cu��{�f�#�)��i�\�O�|��k� �AP'��4�����G��������6��]�����S����'�	��h`���� �^D��TM`�o� A�����[;j������4X�og��;�rxX��|�����YK+���|��L_g����K���
_f�[��p~D7n�t&<5�	O,�Lm��u{���c�3���ZbLv8�p(�L��wm���Mb���y��rA
�
���Q~$N��0�-�cpia"���04J9�E.�����B���vw`%��k�{]I���F���rswC_��&TK�^��:\��L
�E������L\c�t�����F�sK��,	�%�<��$o�x,}J2��	�fz�w��(�|���6��>�x�l���$�+��)2:�{�����O���i��1���k������w0�O���)��7���a��|��|i�=%�\V���q���Er6����tfJ��35��?'��d��
�'�{��A�U��n����k
M���f�r���ro��D��t@0�/�
��C�%SP���L� ��F1F`�����������p�,���-1b6�l���.p�C�vyO�,I�3�~����4��9*�����u���t����{�pB�W�f�P�7�
���]N�JY�')��P^�7
��F�iW�$k��e��j%w�Lx�����4y�Y�O����*1���AW)#8f����]T�iM������Y�"~�����������9%����2��r��;�b����n9����%����$jO��f"��{/]K^W+~�����8;�L�A�o�2��� 7��38xH�XJI[��[-q�������4V���Ij8b���4S�JG���.QBMJEY�
��26�3m7X��{V��A���2m��5��&�y�
TY�.��V���\����=����0c�@x�n�&�l������#��4b:x=����u��
c�5x�v"�uB�����U[���Qc����Acx���a?����[�0&t�\8'^�t������p���:$��V~ G3
���[~���_��e�*�z�r�|�H�`�}�z����C����I�����qX%��?���gFW���X�wC}Uc>#�@��{�~}�x���
�lM
��6}�gm���F�q�F��gj�Y��������0�N��3����q��jh�oT�,��o�f�=���$GI.R��qA���	p��(&J�"$��V��6����WX���������M��<���^�)���x
?)\���:(�	'�?+xL\j�<\@|:;N�8�)nK(����fP-�	$�8��
[�T��>)JB�z������'��d�H�xdD=�l
���
"�!�d��I��a���o@jQ����*��{5�N��� �ZV�I�5B����+UlLI*�M��[e�6*�`��z;�XY2�'}��E��H9����k���^S������]�4)�j����m��[[��fS~�|HX��d��k���F������A�������hke��|��g���0kx���l[\0��+��w���n��`����N�U���v��2<��=�J�@�g���p�Z�La�I1971���!�LE~�u��Z4�_re�%��]*�t�a��cUF*���3r���F��t`���= n{av�I�������z�;[���f/������|����I:����DUx�Q��j��������H�s�Q`Cp�I"%2�/#I����m9���B�OH�8}�6]�ig��2C�@.s�I�Xd��[��RK�^�P�5��wD-h�}R1����Py�;���,�c���=���&p��4�z��l-E���������S��|Z�������g4
f�Ywog{+������; �-�sl[�7�}�ba�8~l�=%uKZ�R��q�P�9�q������n��Z;���
�&���S4[��?�Q$W[��)�l�U������~�i���C�6�\s�tv��O56\��6�p���|k5��9���Z���-}���IE����!���������c�i�u��OZh�����Z��m}��_��d{�����-������"������s%�RF�*�����U����O��_s���+���O��������?O&��M���S�
�n�j��Jv\4r�{u�qO����������x�r
T*����D#"s<3����M��7%v�Cn���#wA'>kr��f��yrPt�M��EM.��]�?��y�Cx�������p)�-={�����B2�y���9����h�!D��mBW�`���������H>��Y�4��C$N#{�����NX�������<LF
��;Z"[F�8��
VF�T�!��
|�G�l�G����~�P��cT���"N#5��G�3;t	�E��{����K[��PO��(�l��)����J�
iq������;
*��y�M�Qt�*�Q9F9���$vF�����S��<;zu�DJ�U������[(@�<�����/_$qd2U��O-S������C��bR�&B�EA��!�\G�$e��^���� i��$y_���&k�H�y��,|�:%S�h�&�{�7j�cI-i�ux��
��*79TP��J�>�fv�
��A���yZJ�
�m(�������]M�	%+!f����0��b�dYEp�C���
���g�p������=�)�?��-e����$�H��]b#����v7����A�K��u����6N�+d=�`�"6�D�fH%W����8������/�h�����Q"8wk=���
�
d�2��Nw����C����J��9_��1Gm��("��(/@Y�
�7������QT:���7��QZ<}�0���nX	���f_�pB����:j�L���Y���z��8����N['�����+�� �x@WLJ����w���,S���������Q�M^�
a]|����PH������ibJ'����h�WX���*��D��������w�WVb��E/������"K�oWl�k;O������Y6�\�9}=sj���}��v�v�j[G�!��J�Nm�Ir�����RX)E�,'3�N��3�&'W���y_\�#��U������-��A���=���|�x�m���lgo�m�e>.v�������v����%���(On��C���8dW�D�]�<q@�'Uj)���m���PT���n/����6����������r�ih��F"K���B��_\c
:z@�m���zP�j�'��0���l���;�OK��s������9�e1����YB�p�1����taU:p��q�~l9��&��P}o/�Wa�-����p�����*��Z��+��O��m���.Y��%(��"��.!������������85������M�&�L�
�;g��������2��W�O��-_<{�������5Qw�����^wo�m��4g_:O���,����Eh���kH

���f���c������n��R�J*6����3������E+��k���
��tj�-��E�i,����O������&����
��Q����d�����4��#���&����I�$���&��@i����t	^�'\��Uc�d�]�\	u>��#B��g�{�D?�"�>��m��/M���B����
��F�->���m�Q��.���]�@��N������r=���u&\��3t�.~j�u��t���A�9���Sx'� $A��4����(A%���!�s���[[�x�O�n)�6��"=�U&��*�\��bb����I�^�2�{[W���
��l*�zZ=/�.O����������w��N�^���qQcF�=�����{�%�C�=�R����a�����������N:��x��!R������2{��
�e����t9�
������'*�
���_��TR[�=�t����.�*��!�[��h�
}7������;%(o#�����g�N7����B3�3�����)A�����,����������0	����1:���a�����o���c��qV���6�9��zQJ�#D%t���|�pj'�9������zz7��pk/���ngks���N��w������<��,�3�d�q��~�,��P�I�s����S 3�N���6CZy�q�?�����5��\L�{�����/�\�_�V9�f��������^
�`����Aw����4RyB�7���I
����K0��#��%�[ ��%��T@ ���2�����g�;�;����]�7��Q��%����M�!�~{�DL;�h��?��O�Q���������)�_�a�9\����������+F�
�
?�kr�N�^�_v�ru�����Z]������

1:  9c6a340119 = 1:  0278c7ba90 common/jsonapi: support FRONTEND clients
2:  8072d0416e ! 2:  bb3ce4b6a9 libpq: add OAUTHBEARER SASL mechanism
    @@ src/interfaces/libpq/fe-auth-oauth-curl.c (new)
     +#include "libpq-int.h"
     +#include "mb/pg_wchar.h"
     +
    -+#ifdef HAVE_SYS_EVENT_H
    -+/* macOS doesn't define the time unit macros, but uses milliseconds by default. */
    -+#ifndef NOTE_MSECONDS
    -+#define NOTE_MSECONDS 0
    -+#endif
    -+#endif
    -+
     +/*
     + * Parsed JSON Representations
     + *
    @@ src/interfaces/libpq/fe-auth-oauth-curl.c (new)
     +	switch (what)
     +	{
     +		case CURL_POLL_IN:
    -+			EV_SET(&ev[nev], socket, EVFILT_READ, EV_ADD, 0, 0, 0);
    ++			EV_SET(&ev[nev], socket, EVFILT_READ, EV_ADD | EV_RECEIPT, 0, 0, 0);
     +			nev++;
     +			break;
     +
     +		case CURL_POLL_OUT:
    -+			EV_SET(&ev[nev], socket, EVFILT_WRITE, EV_ADD, 0, 0, 0);
    ++			EV_SET(&ev[nev], socket, EVFILT_WRITE, EV_ADD | EV_RECEIPT, 0, 0, 0);
     +			nev++;
     +			break;
     +
     +		case CURL_POLL_INOUT:
    -+			EV_SET(&ev[nev], socket, EVFILT_READ, EV_ADD, 0, 0, 0);
    ++			EV_SET(&ev[nev], socket, EVFILT_READ, EV_ADD | EV_RECEIPT, 0, 0, 0);
     +			nev++;
    -+			EV_SET(&ev[nev], socket, EVFILT_WRITE, EV_ADD, 0, 0, 0);
    ++			EV_SET(&ev[nev], socket, EVFILT_WRITE, EV_ADD | EV_RECEIPT, 0, 0, 0);
     +			nev++;
     +			break;
     +
    @@ src/interfaces/libpq/fe-auth-oauth-curl.c (new)
     +			 * both, so we try to remove both.  This means we need to tolerate
     +			 * ENOENT below.
     +			 */
    -+			EV_SET(&ev[nev], socket, EVFILT_READ, EV_DELETE, 0, 0, 0);
    ++			EV_SET(&ev[nev], socket, EVFILT_READ, EV_DELETE | EV_RECEIPT, 0, 0, 0);
     +			nev++;
    -+			EV_SET(&ev[nev], socket, EVFILT_WRITE, EV_DELETE, 0, 0, 0);
    ++			EV_SET(&ev[nev], socket, EVFILT_WRITE, EV_DELETE | EV_RECEIPT, 0, 0, 0);
     +			nev++;
     +			break;
     +
    @@ src/interfaces/libpq/fe-auth-oauth-curl.c (new)
     +	 */
     +	for (int i = 0; i < res; ++i)
     +	{
    -+		if (ev_out[i].flags & EV_ERROR && ev_out[i].data != ENOENT)
    ++		/*
    ++		 * EV_RECEIPT should guarantee one EV_ERROR result for every change,
    ++		 * whether successful or not. Failed entries contain a non-zero errno in
    ++		 * the `data` field.
    ++		 */
    ++		Assert(ev_out[i].flags & EV_ERROR);
    ++
    ++		errno = ev_out[i].data;
    ++		if (errno && errno != ENOENT)
     +		{
    -+			errno = ev_out[i].data;
     +			switch (what)
     +			{
     +			case CURL_POLL_REMOVE:
    @@ src/interfaces/libpq/fe-auth-oauth-curl.c (new)
     +	struct kevent ev;
     +
     +	EV_SET(&ev, 1, EVFILT_TIMER, timeout < 0 ? EV_DELETE : EV_ADD,
    -+		   NOTE_MSECONDS, timeout, 0);
    ++		   0, timeout, 0);
     +	if (kevent(actx->mux, &ev, 1, NULL, 0, NULL) < 0 && errno != ENOENT)
     +	{
     +		actx_error(actx, "setting kqueue timer to %ld: %m", timeout);
    @@ src/interfaces/libpq/fe-auth-oauth-curl.c (new)
     +#endif
     +#ifdef HAVE_SYS_EVENT_H
     +			// XXX: I guess this wants to be hidden in a routine
    -+			EV_SET(&ev, 1, EVFILT_TIMER, EV_ADD, NOTE_MSECONDS,
    ++			EV_SET(&ev, 1, EVFILT_TIMER, EV_ADD, 0,
     +				   actx->authz.interval * 1000, 0);
     +			if (kevent(actx->mux, &ev, 1, NULL, 0, NULL) < 0)
     +			{
3:  07be9375aa = 3:  20b7522228 backend: add OAUTHBEARER SASL mechanism
4:  71cedc6ff5 = 4:  f3cec068f9 Add pytest suite for OAuth
5:  9b02e14829 = 5:  da1933ac1d squash! Add pytest suite for OAuth
6:  7d179f7e53 = 6:  8f36b5c124 XXX work around psycopg2 build failures

�[K�dv10-0002-libpq-add-OAUTHBEARER-SASL-mechanism.patch�<kw�F�����e|.@�
v���8��������4R��������~��[B����{�u<uwUW��K�9��9��M��������{�z���u>i4��z�����
n4���u`�=�w�V�������D�?2�����=G~��������\3���c�}�Z�
����|D��C�����/Tk�Z-7Z��F�7����p_��v;�`[c��>0��a�����A�rp	����gt�`���|x��
\}<���px�{4<?\\��9�_]���\�t��|��0��xyr�N�W����p
����28���[������3'$PO!���s`�\��������L!t�I�U�����\��{�W�
�v�����u����r�?;��m(�� <������\��t9�n��Z��4;�j��lW5M+�X
b������
 -�f�v��#��x�/��(�����O��r�+l�\��`������<���\bI.ip����|8��� ��
���q.�	�H���$��q��>���|�F�Db�+�Z��������m�b�qfr?���
�J`����W�L���x��7��c��3>	�p��5]�rQD�;g
|Z8��r��������*��J������X����FH��l�Q�U0]��JC������@.5�f��]���;� ��}���8�3@����q�J)gR|�'
<�	x��H�i#�>�2�'�y��sRf���2;��E=�CS/B
z��:%�E��AV/\�;����\��L8�����{���g&/�S6�lZ���rDq0cw
��������<���h��D�>|���	�'����1�/NI��8;u&�c�X2�b��eD��U6���`�or����{E�'�Ga!����0E^�����^_�	������Q!k�-�G|h�4v������j.�O���@���r9
�1�`�a
��<@#/,�|�d�j�P��O-|���A���	%<��QMmw�l
�f�z��g�:��+�zP�J0�1���#pe��A�������"(o�K�j�L2To	��v�P��"��+��j$H\
��� s�b4C�����������1���)���4#Av���������F6EP
��PT�y6���)2��}L[�2���fk`��`�A�C�		���
6�#�H�-D���	_�2���`���z��(�
�(&�-i�L x�r���h�����@�Zt��X��)�K�ka4��l�����3�x1'�[��:������&�V����v�Y.G�3�)&�lwe���9�1�#4x��3z�ZW�Z��:5�iP�_������9�)��P��4��6P�����m9\=OA��Qg��k��+�'����d��z�����w�<�{��b�^�K�������������S_�d}�����)�
�i�i�z�����S�?q��f��)���]��HF��������)��H�l������P
d�Lg
-p��g�����D����}BY=R6��\E��"	�������K&fN�^�����	5���()�L��/�j�E�!��v���In�:nM]���������|������,�$
�����������[�9;=����|��[L��6�������m��f���k�1���������C�6&�
L-L��\�v-����?�vQ����<�.��A�>�����{f�,�~G�����.���xP��piG�����C���������)�-E��A�H�dj�������/���13��fP��������O0�X�����]�9�w���X��|�T
��31�:��(���@e��h�	0��
��h��
���� i�I��������U��_�xUR��5���	�z�ZTZ�l^l��q^��>��K�3�W��
��7���$�L�%�,~�HS�w�c!]�/-m6-%��%?^���D�>�%Y:m����ju�������T�q���u
�Z��f<�{��
�S�%���$�B-�$0����F;�7W���&�G��\c),U����z�h0<
���hm�G�����-�r��>b�$�=�{�=KT���������wC7|��(-���I5���p/��?1/�a�
F
A�V2��,4f����p�; ��`4�������`�;����HZ�
���'E�;�V�nx�"���G��G��w�fk��"
W�\,�_Drs�9C��1���������5�����B=��h���O��wK�L��v:�����-c#����:A�R�3=
	Rz��C���dX����p�Y�����)g~�����u����<�oy|0r9)����m	uH����h�2-�N�)��3!��������/�l����e��e|Y���R���TrwA@9���Q���P7Cn��r�����]����;�7:�Qo��Yc�l���C�|j����N5sM���F�-nu�W��(�����N_�[%�3�uK
mE	

��M��b&n�����,}�C���c��.Opb<���1��Y��2su����+\*��Y����f)	�g�����_!�S�l�?�����c�hx~r�!-A���:<�y"WE��:�o�w�M��vV��*�q1mTGy[(8�Q+|�%��E�uY��6�2<������L��l��L�S�U���X�����4�-^J��u�>w������	jW�=f����e.C]$VUKt�	CG�%�,�U�o�&	-���}����Jv2
��T��lR����cz���o�ND��X�4j������y�����?XN�c�K��fu�zT�&�:��uLM3�Nk�j�SU�W��R3�&2������GC �G����r0�>�*�,����u������qkicIR!:�88����C��%C��|�
!��D��b��<�P�����J0a�w���xs<8A(��$���K���g�>A��d�g����	�A����I���55����d��uq*ex����sJM������Kks4�T�L{�4&m0r�[
l�V]�V���bR��^��DR?�2��S��+q�@�'�*�Y�M#����Lz�������;�]������N�+��[��oMcZO���F���$,���L�R|Q�*[��&�[�fM�V�S���[k���4�,���N�b#
�%X
������k�r4�����cb:�_�c���8�.��|%S^���LI7�%���L*!	�����
`��Q��C��K.������q�I��g�V��nhZ�5nv��	��s�$�L-�-��fK�}�Df!�;����t�LZ��L������tnN������S�z�]������]/�&���]� �%�>,! ~w�vC��	*&c�fZ�8�[�(�7�JUe�qos#QV�3���iG0�O��Jp`�q�PL�&�K��b4�&�PT�3�� `Tq�d!�q������"����&�bH�!8��|���1@
��5��LPPog��v�(9���Hm�s����1�Bf��B%z�������~�|3���pG�+���6�
,P���lE�}W���#5m��h;������Hx�5�
#�WzH8�+��"���C�.Ei^�Wo�kl�����)�5
���\�4�gU�+��t_~E-vB�k�h
l�[�������,���iz���������X�������X�������R��}?/�}T�����������jJ&���OP)�Q��\��D�f��\�7�d{����A��dD�����z��hfc��6&�hjZmo�����V+#��`q-�.���8�C��8r�������CA�,6�3{A-�]�����'��P�~��|�� �Ll���OAd��8$�����+��k<����a&�"	w*�BMy���l�E\��Or������S�����xCG�"��I�Qg����1��dbt�*�
���
�BY��BY�cy<����8������qn/��c�3��T/>��h��>|8L�+�{��a�(��N~�!��h(%�1z�:~G:�z8\�I�����%�vs��`{��2a���6k�u�d X�$�S�����
?b�-�
n��:����4z@Q� �,
����aZn�O^�b�����i�Q����Q���)���B�`��#:�U_�����=���\NWJt��@�ip5caA�����L������ro��l����i� ��/���Z�,��p�l�x�����/�
�\��U=��*��Wg
�c����o���^'^�,����
�,5���E�Po*������~����v���E7�@��(��2���H�M�����11k���V(�RP���i�"���v�;�"#�o�e����dB��n���#�Ph����E�-�U����hk���9�`����i)��Mk����iE*T[�����H4�i���t
�2����@���1Y@�PE�rM�l2��	�����J��h������� ��
����"����6b��{X;����n���(��������=c��3L�1�����?kAw2�L��"����T<�W��KP����k��|������rt�@��������Y+:I#n���a����}Y���������������}�MkN�^�]�av�������qu�<$�Z�������C�f��:�o��L�M�|s�
������Hg�vm�z�����O�������x�W^�#�{����Q���^�Jw�+�-���g�A$}t�;�9��w�3�Z��SN!��wu�K���'j9b���:��z��j���ryz���C�~3��ix�\�Xmg���=<.$}���up�?�K�I�F�N�N�'Z��y@	�Vj2B��`VnV��t*k��Q�3;f�������c���s�u;Y 

-qo�>�����o�,:��|0:@�N����"�n�V���n�\#>������
�GW����+]}zvuz.���rA[�����������kf)6)M�05�z
��}��#���`N������U�h��3�����������U[6��������}q5|	����$Zl(�sF�1U�����-V��Dg��e��p�v�)��M~&���bv�!
���^��^gv�m�"��p1���Ms��\*�%qS��l�X��^}����r0�`�+_*'WX3���[�LD�����t6��2[Y6������1a8P[��*���(�<����x{�r��N����c����Q��[Y�q���4���#*'�W^6��qD���r���W��O^��R��������g(�$_�W���E���++��0���l��v�#�%�<�q�9*7C4a�v������rJ9p��bsC�C��;E1j�x|6�>99��-Y�q�Sz�W�E&��w��A���[�$t���W[�B@�?&g�m��#Z=Z��O:����y����q^.��RE�H+q��"^S����/�j����>E�~�%#���N.��
������
�u-��*��N�}���3� 	�In�u��
�p������^��&qf�OAb����d�W2��+���/������=��K���k���_P�#lvD�I0F}4���5�KT���R
_\}����X]���N����~��D�������3��Ty���s�B���R�V��Fm����{���4�e��iF;���nT�q��@��r@g2���_�5���v� ��u�<�j�n!J��v�����&T����6P��f�y�� ��0D4�oM��f���;����SR����}���A�
�>��0	=�#gP��a�D�h�E�?mn���#����d��3��� Ex�x���u�;LL���b'��v�e4��UjN
e!4a[Mf������9����d�"RZ?��X~=���f�E�����^
��B����t��Wx�"B=��DQ�i�jt���{�4�Q��$i���f�w���b�|�{��G*���������F~t�Q-jpMC�<�U��Nb������{��1��'q�EA�>��'��v�v������(�n`�d*������[����t8�5qww������O�	��������@��1�w�2Y�t2�R���$� � �{�c��%�<��q�[�B����{R>Fa��?xz�P~�3
=�a��!.�x�0lu�h@;Z�t<x��q^�
>]�k�oy$�V�����������:��p0p�/c���<b-;48q5��������
�SN�P�����o�D-�4�����Mb�&(B�����y���5�#�qC�{������y�����v��+�����6>���QV
F<�.%�C
8\K)r�LD�Nv2r�RDWH�ASHN�,a�i�6����x(m�;�6��6��3FY���i����x9���t�����4#]�h>�v�f����t���9k��[���r���K��b�k�7��������l��:�6�����X�M%�fp*�����hX)���#>z�B�aNQd��h��$X�0�1�@5
�{���%|�uc��m8�Sk�
�1
�#?�At���!LH��]"7x��
��l�>9��4O2�v�G(�mF��
,�&�C;!=�dQp�!e��M�{NZ+ $�wz�Gt)����� ���37<�~LO!9g�(�uo'�(��A�9_`��YB2����`����H�,~��h4r����j^tZg������>>��y��������f/�_������#W�?4�0��]��m����[Y~<:�{�X�jO��af;� :����6P��\q�LeHU�:F)E��I��R9��:�L�7�t&�[�:��*�Fp4�~���gtUb�at02D�#�jp�g���R'UFTCZABdhX��wfw���3�R��#g�(1��V�_�c��QH����x/�M��UmY���be8��=��4}�0[�b�������]��V�?�k�	��+���<��QOMj�h����-�M�����d\�R��W�C"Ca�Tj1m��WP)DUf`N#p����D��E��C�<�c�U	��K�<�4�r�����+�:
ube�.����fAm H&Bpl���Z+�h�sb��'3	��(���xK����$�>�� pk�%�A=��|Is u������Q���7e{���9��$t���@�	0):G�z����C@�+���{�4Y�3B�jh��-�8��#T�P�6���	�?�&@l�t�
#��}2kd�~�b&�l�|�Y�o�����O)�x
W��^����g�~�i��x<0��S	
�4��HN9����fh�d��a8�'z���S��j"��l8by3�}a������ ��
���	� ����lD�l�l����n��H�F����
F��<'Dv!=o�	��s3v����M;��j��Y���dOq��(��
����� ���~M8��f#K�f�@�TH�cr;,0��X����L���b�gt����%x9`q���~,�
�M#�����F��9R�v����z{�g��t	�DB�����~�>��k�/��I�F�����l��
3�|eEs�W�Z���$g6������I�?�wR&3��=d�u6p�������gH�� ���q2I���*U�$��.Hx����)��s$��P�����$�;"�xf�p�a����"��
6�����5E���,�=J1�\���5��V�m�I,��X4O�����,���BR#�/f:+<SpB��5�Z���GN�R
�����)�H�(E��
^��OV�#]�2h�O.�'���L3�OP�{�#���������Z �Is�����P/A#t	��j/x��%nc��a
7G?��Y���b��n�;n�������	��>�0��.9�	B�Z�b���\cR"����sLp�<�(�|����{"L����)l��w���k��4�}�N
�����9p���Ag|�KC�p����8BZ���,�����Y�X��k�[��5_@
�&RF�[�����'2R�1�p��$�U2�A�������6UsB>C������AD|�zQ�#B�������E8F��&]s_p��25�_�>|*�%�9-�me��l��D)n����� U�$�8�K���e�BIp��1��"���������;�1��H��(��k�����WL73S^4��2��oo��k�)��/XD����{j��F������;���)Q�)P���
a�C,*���Z����
oZg�)�N:����W4��
�9��;G�4M�z���`3�����Ln��;�h��oI� �������15+Q�1�|J���;�w�aXd�C�M\aL|s�H���A���*�P�-��h��������������U�;[�/x+D�Uu<5IZ��@@�8����Z��?u:?!|K�������l�|�=-�^�Z<��>Hz=e�:*)j	����]���� C@b�9��X���<����C���O����|�"�q �����9�G��1
R������-]'	�p:c�������������L�V`+��
���~)�p:"��l�c��u`�@��15�\�x����4���6P�N8�#7P��w�r2�����a��wam����>X����jgVeP�$��'��	�l����j~^�����*�<�I�C�������M��u��\��a����I���J}vV��?����������Xr����<?�����u>���~'�r��U6���T���x��Z*0F`�Rl�qO�/Q�	U���&���$�v~�0����)FyT�VO<)Zb(P�VS�0�1��+�l)G��5JE��a4"�����A������
���>N���<
oF���6��
�s����0���$�!�G��������C�)��<-4#h1f:>9��*����a����l���b
7j����������Oq���K�����}U5J6������
y���A��50J�S�l�N���e���-ap���wo_5/���\>��<��zty���l�6M�������@���8�P����������4���"9l_���6�����;��>�t��.�'L�5$>Jx��:?;:e7��r�1>�-�v��~�Kd1��H'�E��_�B
L��R��\���#9���ll5�1�\R���=`����W2Z�����h�(S������Ds�<e�GWhb����������D���=OX��������<;s��*[�����\A�*s��B1���r}>rpv�qJ�������)cw�7�
��zMF����d:L�Fk������eF�����p�����dZ&���,���0
�E�6p��:q�n�z+9�r@����U��_�&���q�&�F����$
��Xs�2#Z�U��:<d�����T|E���EYN��l!(�����4��X������6�W�5��XUY�P�� ������P�+��|�a�8t�����|Cj��%G7���K�9����F�qt�b����C������&����y&^�@
\kP�(��5
nTQ���V�3�r���(�q���w���v��f�&"�5G���\C��8�S����`��v�J�Bhd����Dpo��?�`{�[9xg*��8��@��2�
��8�4�cM�J;uO�&k,w�/!;=4�R�$�B�Z�~���[�6�1d�)V��P�cJY�r6���f���Z��z�~�
Pz�B�1y3
Ox���+���e�e�pZ�G0���X������O�8M/�1f>�S��L�+@���O����l���7����[�������9�{���l�9{�n�H��;'O����Q��\������ Q���Pp'�yu�!v�#pn�b�\ce�_�
\��-s
����w����\�)��t�
Hj6�
S	�J�@�:���Q&g�(�|C��B����m��\����r�?��i�K�B+�J�r,����;=�d��w,k�E'#����������-�8���.�;��r�N�I$zj4/f������=�17�t���I����/K��37��)�������}$����d�\r-f]��H��H�/�*	�'��O��"S�=P~��?��-^����lV�u��o���&sO<�Lo�f���P 7��
j�q���Li@$Mn
bX)�Pg ���x�K�gF�9��r���^�bz�X�f�?d��#1>gd)6yC�	Zp|�]|�f;�Bz^`��s���I��Y5O���-���Z`��E���=�m�%L�s�L��W,Imyr3"`AGqe�9`�\��*��Rd}J1�{���7�����!G�O9�!w����e���m�\B6��f����6boe��6�\&\��g+g�
�"Xi����PuUc�& 6���c��L/�P`�o%�PP4ed�R4��I!�l��`{��[*hX�a6�I�:�[�V%<n���cI���� ���F��m,�t:�����3U�X��V�j�����{)@�DR44�k��m���c��q��2��d�u���lG�#ZU��������+�
Q 0��� o����X7T������{�F����)�I�c(C���w��,�3�DH�+�����E�<v����x�]���x���b�<��u��,�!=�+�3T�*�p��2�~Z��s�G��kU<>6����{y}b��Z-��u��D�
R�[
>����pcN7�F4�����gQZ>-�i��>��s
�yYl�j�?���M�����5rh���cC�v�fpbj��� ��S"�h����S
^3!�x�5�!va�����1G��������Eo�u}��X�G����F�e3|�*rJ�;��7r����y�;�|���ye�u�{�d2�����)�(�	*��|i��=a�]L�1�=�����\]Z�	Y)�B��,pd"tx���E�%a30;0GUx�7�<����q�]�Vj�[�V�7������UY[��#��7�gdG�&N�\�Yjm�sr~t}����}����C�|f@T�
!�@F
1�~ �+D�A��-���r��4��_��6X�Lt�5�/�D~
gS��O�
��T�F�$vh|Q�������9���72auoG{K_ge;�	K
-M���9l��u����������=E�����t����~���H�n��w��M�Ml����S97��xf�?oz�6BKi|�f
a���Qq]�g<^:�_�>����N��_�UN8�= gf��Fc!~M���x���I��xt�In�d��I�D@i���w�zRF��i2���Q0
 ��OAz	�b�|8B����W�e��M��tJa��6���E�0��Eb��:�V��CbF�Umy �,t�p,q3���b�<G�p6��'�X[��h���]�m.D,/R�bj
��Q����D�Qk(� I��j&�d�c�v�:�c��aQ
�u�j'���^@5�J�i���%C���m��1S���F�x`��<HBP6X];\�p��h�Z��&51Qq�)zz��������� 4��S	����o�=��O��]c�S�Sl�N�Q�b�4�k���\wG�7}���y0r���c4KN�)�4��?��Dw0 *��h�/�n��Q<�����3 {w����g�c
�;�|�+<�TT\�����n�=�� �����~)Z�������^�
��E�eGl9�Rg�����@��z�s6������j�w��|�Yp����L���M
N
*���9
�ai<�����:�HE�H�$���
p�X2� ��Y��M�.��h�J��M���7�N����Qrg"��1�G�D0�U�������`�dM}|H6������=s�Z������e[�T�lG���h�������J�>�0-�[C�w1\�h�}|I1J,���lF��;�E�����+���<P*3R#7dPEO�
j3VK
����|�}��q���mvNx7�����}�;|#q
�`'K�������_(]��J�|U���j�'@���?�K���R!O����#PhDnD
�����,D��)���_�8P2�[J�k����c������6���;��5G����)��S�����x2�s�9AnW��D�;u��f�h&��8[`�$�8��1��J��\������q�|`J�&�j�=�e�!>M�� ��������S�5`PE��![��Z�u)|�#1��_���.��� ��lH�}����u����
��=�p�L���*�����V�=>=o��yL'������q���=�4�7C?:He9�\���$��
�S�������Z�����II7��vU^[�Q�Q��Mgs��]�v�NN4OZZ%�P]�Ka�gh����E_�X������/:7��}�N��@�U�`���A�>����{(�� z�uDF)-=Ys���e�s��qF+��+�I-���MR���*�F��f��s:�$����M:��
��I2��zg*���k���CH���s�%�C�D9�`�!�?�?��2�v��H�=v���'�z�u����ob[v.���{����e�����Y�����_��t�|{�c�����I�4��Z_�FDf�d$��E��|������X�����R��}���k������W`_�_z3J�T�l����rFa�:�m��wQ����94�23o�O�<����J7M�����u���x�X6�]���s�8l1g�/������E��2Y���a[e�����%���I��^����$�k�Tt������s1�W6�_���2�2����]
�����S���������H���+���o��da�m��-��}����U�+~�aa������|�j���vX�`A�����G*���
��6r�Lo���8y�����;�@���pD���E1M�wM�W���JA�����y���K��v���������5L��	���ht3�M��P�@E���#Z9L������n�D�E�f��+g��G����������}<^5� %��\�6�b�#��J�8�I��L�
�������`����:�N�-�
���$���{$�����?�=�0X_��Q �n�s3��1h�'�;u�./!�p�k�(���n���IX�F��5���4&
�1��NI�<�&;�j~a���eFA&��2�/
*S<6�8g����i|	�6b����`N8F����s���A�8��&oo.#����������Xr�H)"�"�D��+(E�eh1�����6���~�4`����>��1+r'e���`~(d���[%�
�i`���,�u�~F_%���`��h�\���@���+����D���$�O�&�
�.g���)*Vo�O@���`]�F {��,��[�����%����3�%lA��p����
���X]���L�������	�\G@Q��$���� ����q���V]���~'B`���7�?D6�;�t��eC�����p���CZ��QJ�����
�=���|n`�&�zK�5�
=[�nmq�'_AR;�I
3�` <B0�|�������.2H)F�c��f��Z������[��G�`�HEW����t�J��##���'V�"����F���+��*�����QL��/>��\���v� ��De�����q�s-�L/��)�?�m@Q�Av#�4�k����Q���)��@t!$�
Q���c7�"
$p��7��E`�)�"�g��s������3�c�'��L�\���%����>n��#e#7P���P�6��,^c�7F���S\�A`����,����������y.c�a=�r8��#G�����'	�(L�j��������-��9�V1GY���/�(]�X
�af�AlZpk�6�a����	o�OAp|����kA��K�Z�����#&��oC+�"��%_����q��n�qf7e���0@n6�����H���uj��&$��HF�BkW@�$Z)�>��������\�u��{8����%�&N��y�����T���r�&WS��a	�I���@�U��E�����C�z��$�P��BL���6�If&�����h�q�Z
�e�#EZG�MIx��(�Jknk�(�E�`g3�p�=�a�>�a0�G�zd�A��xaH?&m��P��L=�T"f��A)^�@
-
�S���!^v���,A���eg�����E�
��4�fN����1 ?��/���|u�n���=J:��w�_���[�������d�������
{�!�_]]����]� �+���B����b��Qc��v=-3���W����m�Dv��e.��<(K@�8��R���1��\��,�br�
�<�=���J���|�Crq;����YZN���eojx2���:Hy*� �sn�ut~����7����M���o�����}�V%`�Z$Ey����x���&��@���\������K���ja\��-�������'���`&'-[������z�����L�����h� ��,�
�OP���
4������r��OIty�9I��'H��0�r�q��������auB��)��������G����h��!i���I<%��(�]O(J��H���������{������M%[V��eCk
s|�mI�
%<G���j�����3��=���
����O��������vg���G��_��\^����p�J	�������~�4��)*��ErD[T�s���S��\�?cs�^C�.$��H<�2�b�#������x�f#L���
�_E�����o�z�O������q�A�Z�4��*�P�c���g=�����/���X�c�y%~�����:�������X�i�y��=����9*s�:�6y����|�X a��U#��S�@�tgi1��P�mN�/A���6!��&`[*S�3�f����Z,���`I�A@���-���
�K��j���hlp����_��N�7�NB_G�'���5�~iNtr?����g�3	�
AP.�?�f_#N��I/u�V)���
��T��[x�5�{��d�����',a8K��g�_����F!F�3�G�D}
]�Pv8*��[�~�}�?`?_��l�;w��M���k,�R�Y�DUO�1�
�Z��e�-�A��+0�Y�l�����8
�CW�Dh�_�[�����7������Z�~���)�Hw?kJ5���2+m6z���[L�pu��H�8_�Be�V]����"7~��"O(u��b6F�R
6,f�1�:�f�$���.3����P���$���g�����2rr�"�T:�S,+��t(��NDL�D�BAm��}���6���@�m	����N��k>���m��4�~�k����I����C���#(	�a�!�3I��5X{O(|������V��T�����"p�,P)��R���n3��S���S�����.��GA���E��e.:h���51{#Q�W7�
������KH�r#����c�Gj�P�8�������W�9g��h���P*�"��{q��8���Vg�q;�����"yH����]�Z�Vn��`I	��R��S��]��h&���N�C�V� �>��!�`�5gg^2=��m���	�T�7S	����i�sT'��|&����T�]D����7��e�xT
�o�3��B�����U���+a@
�F�
D�A
��=�����ur��G������Ov�l����
���w�+�������|C�<J������W�C�0�12�9�US��6Gi;��x�CBe��UjD��A@�?!����F���0a�c��m)���*G� 5������@��qG�+>�5��DH�A��e�n��U���d2QXjh�baH�Q���d�a�6I�[��MfDiX����T��l��1�s��H	���j\
���5�� t��rq~�nv��O��#K'������r�XD����6r_Y��^�d
���k��
k��T�U)������5���`�������h��p�L4=�r��ke��{Mf
�~��l��}�<;�� �I�$�fxq!HI>����l��`����5fE2���!�������� T�",�7�	V��d�C���W�
T������^�-4��
��.����s��Bt��fP�u���(��fS�������7�G���9i��:ff�x2:��i�k\��4=�����.��#�5G"e�5L9�z���QN�*qN�x*a)�(I�-zu��<��3��/*"�r����)����?�=��<D�E�sK2{/�{���X5���}��h_"a��U�F�h�)Qc�d�L
���
��V�c9�)noNd������������
R#��	-*&A�!��dw;�D�����.RS@�1��a0J9$�d�y,�qr,%t��xH]���8oCUM��0���V��

�����/b��o:z�oq�-*8sX��5uAD�������W~��!�bWiw����-(�b,��g�!��3���_3D�"�x��W`�M����O���������7M��wSH������0�B'QtF�o��y{fz#�Fe���1���C��F�w(='�4d$����;r
n�-Q���Z�X1����DyMq��S����G��wKA$�e���Bwn���l��:���&��x���-���~`��N�+<���`��Md;�{��`t���(�������l8����8};��t�L�/_��yM�:��hJ�Ax�{�9fe�'���������������4Fu�E"�6�_:>����y��u�yz����$p�V�+�2�
������T|Y��%��U\G�6�>�k�������v_�P�h�
`B�&$�Ak��zj4��c_�a�O�	
I��ke��%�)I#D$G�vv~�
2�����NO��?���T�bZ�S���0����];��MM_��)�V�[&�#������Z(|7��0��,���Tmu\��)NTX`C���������b��4�n^��m��os#������/O
�����T�x�8����E�����"��[Y�0��"�t�c�U
�h�����.�g6�M�-�����[#9M��������q�����6��������n��dU���.���\�5�������X��{���r����9����	�u����fQPH�
LJq2���T�I�n+����A���]�5�y;�3�1��g��
�#�|M���}�����w[��B9��wV�w�)�������;��<� I����<J��ff�=���#G���7�%�S>D-R�N%�^4B%�pr_����!�%E~>SN�F
t��p�P�'���5�;�o��0PF`n�i`2e�����������a������0�����A�����J��*
�)
x�o|���g�1���e���n���D�{@T�@��'4�#
����gD
6^��?%R;������6Q��&��v����c��w7whQCB&^�P��g�7���Xj���e>:`�X�H�B�.����y��<H�����X���0�u<6�^��\+�rK�S�xJ�$��R�T�����,���TCQ����
�1�	N�L�M�N��|2��{�Y��n������{+U'�034�;R�B��m�>��sb5��5��
�wq��S"�?��Bo�����re��	�O�E�#E��d���	u��Y��dF	���'tB8�a�9�����4�� ���G�w��%�(A�����c�$'(|C���It����g�x���=�����u�i�]5/<:e��� ���'��N��G�	��t�Q%{>O����O�`|#�_O�Y+�(�4��S-���s���)K\|������5�(/��_�j�]rI����������F��<$��n&��^��,e�|�]G�DM�>��Ar$��{q��D��L$�=V�
F������e�A|
�.b]U0���i��x�SGE�����5��r n�f�����:m�����qj������m�S�j��{V�	���<.����{�t�=/a����x|�M9�!J��/<�u\�
7"e�rs8�N
#������8bbF���4���������g�Y���ztsCsM���7���t����5<�%��BcuGR�\���zR��:�'�|����"9}VaaU����+��~U'�Q���e���H��1;��c`��[I�����;	���W
���[��h7�h)qD�E�&}���)�a�F�]�<}h��a��&�d7��xD8}Q�����B%i	O�
�x�~����a��hf&\W:��3dz8�{�bz:eh*%*�6��4;�Y�Q|s;R�Yy�p�e�	��9=ut�9:=U�����w~j��l���n>%�e�b��o
������$�q��I��1���bUR��NFi�9��%GtHU� &��;��15���J+�P���LY&����'t'�
�\�(;q����JgIp^� �8Mg����E�!,�%<�:���u"������s0���� 8�d�M���o�U_�\����v�T��0��J�Ae#�k����AZ����Y��q���2�����_Y�
�Q�"��F)���
L%c���:����2J�>|�#]��Z��C�u�:i���l^����.[����e����P��'�X2.��X.�Z���L����!i���B*��+^��L25�(��d�i��
�����{U�<OX(��
��U~*�xO�U�`�vjB�R
���������O�O��+H
�����������b�Z~��ur:E���Bb=| ]s7sY,��/�L&2N���rMnA|"Mp6����'�*�CZ�k���\��o������e*�K�X��/��/�$�<�����f�c������z����h���E����-Wr���s+W4����k���7�ld*�e��q�2;�j��*�6�c�'Wk�qh>�:���q�D�����li48�I��C�����A���+~���1(��7������a��v���J�5�Yk�CzG%�K��)f�6���*����0G�r�-�B9��0r��3F�)�:���a8m�@3�&�>�vCh�Wg���B)��6-
~��l��|��
��S���HY�3������J++�����6���-r�5dA��x����Fk(�lK�����e����\���v�j�����=3��j5Kv$�Hd��%9�*����]2l��h��ECi�"����%D�_�#g�5��.��t�p���x������H��f:)�y
j�A��i�T�w�Nc�'9�����`.�1�]������������s��	
N��i�
��	e,uo��\C��H�Ga�e����`1�uQs[���������	(_�m!���Gic��}c��A+��E
@���\��6��jKL���#fMs���:���)���8����C��4�.d��3�L��-(C1q]�w���?*4��wv����b���Q&���^U�^�JF���!�`�ac��;�zT��|�%�-���44<����<�.gJq�V����Zo2���`��M���N�!��;Psa�bU�D���x`#f�����sC���@������,�uLgO��6���So�l�����7Xn���o�w��mk�Z���<aN|�9,�xV��~h��Cp{�����=E��y�z����mY���	D���VA�{���+����
="���sLo5d��m�AE�L����]e�}�2��2��,�������2x����p����I����n���,����/��vy���hM����7���iK��
4�F:�n�!���n1n�#���	��fx�mt���<��Ha}t$1�N�����x��>���Fc7�z����{���z=��E6F3�X_���?��fm3X���l����Q�Z�������-�0<z���>S��d[� �?���E\$�������[A�[
�^���oon��������
y�0c5$c�T������vk�etCN7
oy7���g���p����V������1Y�d�Yi���Y3�S$j���l��G��5��������Hg���UB�
��6��Ri�sz~t�9�h��N:��g�[o���
��.|!���<$a��[��	�O��D������@�1���BG[?��k����lId�J�����x��P�2<=�6#E��Ho�:�H ,�	�Y�+k�e�������b���������������6����<��+|���Zo�'�/�O6��Y<<��fE
}��R����L�(�e�+�	r����7�b�(��-����d�� ��&D�|������}���������t�l_8-"kvbPsS*�46�U6Q�U�����9'i����.9��I0�xvW	U��og����W���������a_��XpT������c\0��E(��P��@p��\d��Ec�#�����S�\�(�
��
�Ekj�|C�#�8���ID��'����I�}|�"x��vI�zE���=��*<S��Y�L`��l�b�`J���N(��Fwc����=�0��2��x��#��h4�&"���9���+�
#��V��yt���u�2V��;�V�
���@3	hzba��JY��"��<������z��=
4���ui�	�8r���@8�	A�0d�7��d8f�'���.�"��7N��
�������4(���Y�
2�=�D�$T�/B������K��!��h7���;���ll8��4������<���<;�8o�]`A�P�������V��L�D`2�3�_2=���-o�>�C�B���&��qe��
X:���gdQ���%��.���E���r,e`K~$�����n�/p+z�3�9����I�.2��=�O��$�wA�[B0d
}��y?��,�Vi��]��MH\�K���e��S�����I!��|b�L/��-t	�����^�Q���l6��/w�8�q�i+@�q�����d���S�e?�&Kq�L��1�/��|��{f	�h����<�z�=K��9���kE��e�W��6�2�g�7z>1��g�<}N��Z�#�$���7D��V���q��
�;HnR�cu��`���[O!�b���L���$%x�A������a?ngUSA@rS.~��%
���Zy�y���L��"���gn��"���5��0H+�`��l2o�
�Ff/��.o8�������I���B�4K�^�w��~A����hKs#G��������K��x!"��\�{�$�����nv��5�<�����y�a
��FT�rp���);�_�'����&K�����(�|�XV�2h��2����K�V��$Et|���Q�T���&��-�&�v��q����5��Ej��o�^�V\�WN��6]��h��pa�CA}����B{>'����������H�D���'�f�\u�$D�����f�/�Tk<�E��N�"[�8����)]S����
0<�g��T�1��O��{���9Cg��t��WG��������n���T<�&�T�L�ta���F�)kt�a�S�m;@�!:x�G��I6#�4�K��������2��f�X���g���q��f	�Z�&�%[`��9�����
�E��v�O�}�PH���	9]�-4���v������
;a�?6Rv���y� v6k!q��Tb_�D���]�y�@����z@H���j 1�C���o@lq4[x�����l �E^�]�������Y�y�$E��@xh���}g���9��LQf��������l�K.Y���F�
CY&B�vqS,����E����DO,6�|�D��{��^?{���~������'P�����M��@_aKF�C%t����5P>��hAH�w3ar�vv��`}�p��X��8��
��
`w���6��}�R��fJc#u��a��'1�`�B���>$�
3��{�����	�@��}��b����#��V����5�b�H7����G���=��� �z
�yL�����t
;0��k,B���y�.���7��4vf�f��w"&Q��e�\��m���s`�x]�����C�xK����E���k6�p=��U?��B�h;�e�$Fx��4*����8T��p�xG��/S���>����d�u�v�M�TB`�nE���r����U�ew��r�kC���s��Z-�iX9�K�<-H��_r%��LI���h��������$Na5�3B����!�.�Uz����?��{�1}T��iW�TfR��y�xa�h���9��b�+5��d;���@2`$@�I������y'�M��M ��\����E��hLQ����G,32�M(8S,7A����J�\�&�K\(�� �1�fr�Z��e.�n��T��b�A���0�@���NWu+�6j����wd�����;�ym K�4vut���!�`����r���<�n��#�G��%�C�
[D�V���E�x���8)�^"_X:,�)CU���(��R�0�a��E@
�#	d��S;xL�s�N�_�T
��X�������Y���h�(R|�@����5y����@������R�E`dd�O�&	>��-�`+)�}������cxv�H�O0_�s��� �ep��J��<-�POM%>�h9o�T�(K������z��7�!�\�����y�|� �}����/E���V-�t~<�]�iw:�C~��6�9�
�v���@\�U���O���	6�g��;}���J!qG�C'ZH�M��byF�<�+V���������dZ����,6���k�48�����@��o
Li�RkY�r�Z��y��D���m$��2g�S�������-����-�o�,F~��!%�"?�|�9:f�E�
��O^��������KL����"G�5�fp�D��S4|�9a�`�;S1$R2^'.(G��Ni7~y8����*�,��a���.i���)-DiQ��������F���)?����Fu5{,�O>a|�>'��������Kv�dNl�iAs$��e�#)�l����{_��i7��"�'
 �>U� �.������hKp����B�����a���}u�:{����EA�#�C��9��*��[��rp��`���YUD�(�g(d�n`LyF!QS���raL�����1w��8�>sf7&�~4@Ht�
�H�^YI�������O+���=VT��[L�v�6=Z�^S���� ��S���O�.9���T�����������k^*J�����c��S���Y�� <,��yw��y��U����b`�|dP$q=���=60�x�Ud�f��s�?Q}�B�9��#d����7�c���a�E����:q�����}�����c����v�!C�<��`
�����X?v�%�����"��0ju�){�?.��_������
5TQ\���%=0���X/�=e�������+��a6"��9kY������*�X���W0�&Y0cU4
���m���.�W���,	��M)�
J�g���8�\�9��e5��jO{j������W��1�T����u�~|r�u�����1�N�r����vn�z4#27X�*��#p	�J#�u�2j�T(���f�nb����p�:E����{���\IN<�O�O0;���9�
�R�J���T��#�Ip;%@+M��v(����I�����V]]�M��`k=O���y�M/"]�W��"rY;�}�-�J�b�w��xn���� ��l'��</wK�<������B2�:��\9c@A~T�Ik(8y��8:���0}��!�6$51�[hD�8Bg���.��x�&�^���C|

��Z���]��,�#�-'��\�w�-*M`y/��R�2��q7���

���w�`P�z�Aq!��W�B���7
~p�S�~�w�6�^m�W�C���_����yG����v��p�C7GJIs6���v��
~P�}�����}0O��=�������������k����,m:���
\��[�1\7����y�#B6��5������)��.��,
N�
�3�/������[X	���4���lL��{��1?��h.1���.��t
Y�\7p�$�
�*��>u�vdK.g>A�!��f�;�B�
� �GT�������y���Y������T+�D�����9�z�N��U�V�p�W-�k����O�X��$H���IR�*3}B���#5��/���U���(���O2�������c����t����C���������Y���B��s�S�&��	������
��j+���$	j��
L���b��x�����!y���)�Q�%���X;0����U�u3X�?�d�
��*j��X�z|M0��Yf[��/�\9s(�/�����{��X��%���<��!�3��g0[���E���k����+>�z�R�$E�8�<o���nO�^�6��e[���H+�zF�5
�w�l�
G$��������V��[�C�����{��
f=�L��3��;U����d�QH����uG�1Z�m}�2"`0'NQ9|
��d���?%���u9|J7���QV��2���|��q����}�5���p�����j����$!�,��!�y���\������8=Eyl�y����,���2	XGR�4���]�]�f`��C�<���CEsJ1b�\��H��w��`�H}y����f�S�Xe�f!���]j��&��|7H~�������G*u3�t����-�^^G_El�/8�����5���:��4�V�.y�����$�Uq��������2'�����d_�~��rGn�K��]6wdsg����~�����#�n������:r��AY;Af������k�E�"�������0��?B���������6/w#_)����������D�������{!+,z7����������>t{�>���N�����vo|�� �+nA�l7�=����������C�0���Hv��1���z3��T�<�A�n1������z��(������h�����b��|(w�o.���I�B�[��`���C>��4PvP;��+
c�����'xO���>k�>�|���D���B�*[�zB|/�8��J ��c4�}0�g��mL�����j@e!Y>1b2B����V��3\�
����F���p�S�������C
v�����/�!\$uq���������|-8b���b���J�1�����\'hi�	�$�Uw����2(.�����@G�V��j{�:��a��#3�=��m��'Dz-�X�S����A�����>�p
P������%h^	"B���f%sW�����@r:�&��\`U�k��z���Y/"����I��
��f�L���,rf��>�&y�u[+UK�+�yS�"�`.P)k���0m�T�Ul7WH�5]�THz@^�&��r%�`�q4B!\�����09�JE\�l��F;�����9UH�R���i���mo�X��W��_����y+�Q��I�(J��'�����"[�LqU;o�TV�!zZ��6�HY�� �<�t��i�1D)UZ��N��Y��D^Q�V�@?_���+ �{H+��*�8<V����3,P&��|$�Q]����xNR�����
���y�.�������u�G3P3��eDo������l������,��2�(�?�'-;���y����c�H�
��u�V*O���(d���TW%{���y�Z�+qn)	��iO�9�)�^&!xa>0I+���*_}������@aq+���������V�7w6�����2��<J��n����/J�������������1A`���|�q�k37a��~��/t�.��E�Q�����Oa����0�=p�O��9)�A~"�)�
��vm���D��y#�7�?�B-z����d�+������?E�[��kY���Z~
�|�+l���\%{�*�`��>�b��b��
L
y.�8`�9/����l�h"����4��u
�����6QFX��x��X�eX�����R���3I��;+7B�#����q����W��H;C�y��{�9}��k��Y�����y^�{�Ek��W��x'�����w�N�lD
5���zz�@�{GFnl��x��K9�<9;
���~�����e(?(�h�`���)^���W���E}P�V������`8�2�'�4}5�E�~/�I�F�����E)~��gO[~�����,������/\,��S��K��$[Uf��* �h�z������r�����n jC�����|0:I������1k��q�p��
��E���q�O����"�t���{�W���o����.b�]��}(�K
������
�T;Vd���M���z����n2�D�i����?y$/�si�u����^��H����qz�4L�[-�4��;���e>1�����rK��;a���O���'[vJ��2�}�E�8��7/��u���u��Z����?�
���V��|�no�=��.��-���N��]�/��R��������.Y�U,��p���W�W�F=��z�J����fmk���M���hq�l\P�k�F�QDEs�=Vxc����d��)&���(%�AK�u�>�D���������Avj���M�9��@�]2���g]�%$t���yV
�w��oUk�!2��&'�mUg���z�	vl8
�(2�������"+���Ca��|��������^x�t<�:�e:�0��#%��"j���5������w����������!N
J=e4�8%?VQG����a68�����%���Z��R�Pu2@jK#`^^oT����_��kS;�e��8�ZA	r�`�A��N :"�E�M���V4�J������o.�I����q�(��*��U^������>�����O��������upV	��P������eV��
	�Gt�v�M�`�S3��������;[�@����?�>c\<�%�d��p0����}���
|�$�J����(�0�,� x�G���3��;g�&r� �C���]�2�.�!-��~mwVro������t��k�>k.g0�
p7��hj�A�d������u���0^��{p���5�N7���	Hm�9�d���0�^2��I������4!�?��o�Gy�]���w��j31	�����&�H����"����I:����Q����=p���:�v���
^*{s�����R�{��fz��_�!����s��Qr!��aA!��<��?k^$g3?1�oJg���9S#��s�OK&`=��|2��KD�Pe{�{]���$�/n�+��H� ��MH���G����`l<��Y2e������lcT
f ������j~�n	G�r�����!fc��Y=�b
G;Tn�����d�1��g�~�LJ#:���r�����\7A��O��J�|�W't}�lF
�zS�P
��������q�r��e?qcp�|�aT�v5H���9�\&�����Qr����Oy��N���e�P��H�3��@t�2�c�j_��E@�����l`j[�N��)��kA}�^y���j�+�S�1{��.s�-����3,6����sq��	_�j�xJ��dk&r������u���)������a����+�1�)�rc)8C����������8����[��L\Jc��-���#��;�A3�t�
���'��T����+CP`#:�v����g�����; �	[��n2�g��@�e��o�����o�I��3��	3�
�w��h���X�H:���A#��������\�I0�]�n'"X'$0Z��-\�����5����4������=Q��!
cBW���s�EqO�1�J�g?����Cro�r4�`����W��~\a�U�Y6���G.g�w���{����l����=��Ql�T�
��U���
��zft���5y7�wP5�3�4��G����7?�@�6���lk���|�����lTG�i$�}�&�u�i-Jn([���4x9:�LW���v�F���K�vnV�s��Mr��"%�$Ix�G��b��)B2:iu^l���l��)��k�}�hQ�$��S9����������%h�����p�������������d��������n`%@����@���I��IeO>���$�����	}�hI�Q�$�GFT�s�����1� rJ�j���f�����������W����}r�e5��X#��AyA�\q�R������$���U�o�J�.�����%�p��_$���3�1�!�����5�^���eH�r�F
���&�����o6�����\I�9�&��Ll�8Z	�N4lJo�i���P�|��xFH�	��G</����s_��B�}�	/��N���a��t�[��qkk�/�������|f	�G��������sc�*
�2Q�T�w_���E���%W�Zb���RpO'��?Ve�B+h?#7�Y
k��N��L���f�������^o�����h�o���Nm^?���LN���m� �zAT�G�h_���(�����?'64
��$R"S�2��I�_��H��O d����Gn`���v6�*3D
�2�1�4�E6p���%�-�4�U�|Q=|G����'�s)���G��x)�r1�Y��s�~j�8O������RD�^{���>e������ynn�yF�`v�u�v������z���}���R;��5���(f��a��6�SR��U,��'
��1W����P�6X��S����p�n���I:�@�5���EBq%��^�"��Z^|�|+������6y�94n��57�AgGZ�T#�aC��>l�
�����V+��/��5z�����{��TD���|}����[�=6��['���V+�*o�����g�u�H�\;j����~qko�/2�,}�l<Wb�!�`������k_�����$��5��K��^��d,�@�������d���}�
?���!�6�v��d�E#���Qg�$��^{����/@���KHN4"2�3��{N�t{Sb'<��\_9rt��&��9k6O�'E����X�����E������?t��7M��>�|�b���7��1�^($��g��p�s�]�>��B�90��'tEh���X@`{�y���30^h�uH�?��@�4����� �K��e{*�;���d�@/��%�eT�`e�L�������x���y��`�qn���8F��M)�4R�z��;�C��]T\��~
��T�%(�dH����a����q	M�d�`���<_h)��bM�����Ew�r�c����MbgT���<�y`���W�M�t]e���y�������-����EG&S�����2uL�;^>4�(&�i"�\$���u4IR{�%���
��9H������o���dn�� ��'��S2��m���}�<V�T�2�VX�j�PK�r�C�_�4�of!��������40�����l8�����a�P�bV[z)SZ*&�O�U�?��A�A\x�a0'�9�_��3�����R�@�>�MR
���%6���nmw��Phn`��{_��X�k�T�B��6+`�MATi�Tr�K��sN��/��2�f�/h�%�s7� ����8z�@�-�X�t�X�;dk�-�d_����msD�V���!��Aq1�����e{����i�E��+�}������':�����`���i��	'�;�
�����K�]����~���N���:����u�i����r

R�t��d���~��=�2e�a�����Y��������7IP������\��&�t�HH	�Vz��N��K4����9i�>zwze%V�]t�", =����'��4�z�f���t���/�e�����3G��x
��'9jwog����q�2�������$w�8���*��R���r2��$�>S�n�pru/���:��X�n�m��
��AA���o�s�?�W����6K��v�6�f{���b��L��n��k��o)Z�O���Va�>�>��CvEM���yR����a���l�
E���������n���:�������.g����k�!�tn�� T/��5����6����~2����O���M�3
���_='
������#\c�Z{�%����-,AfQ��g�
g����	k������x�����o_i������Ep�";�h�f����%�^��>/
�����������J�CQ���H�di���	���Aqv��A]�Z���.�~��|e��>!����g������^�u�z/���u����NKs���1JJ��_��W����@��m�X�=&J���Y*���b#M�^?�?ln]��/�������I����"\4����z�
������ymParz�� /���	LV`y���}AC�:B-�qj�
)
��Jm��k���/�O����|�UY5�H�[�e��Q��="�}��O��.�����������M-�X~��p[l����=�F�E��A�]
����
4(�����]I�-�+O�Pg�|=C��2��ZG�M�	4���Q;�wb
B�HLcx��TZ(�:7�����%��������jCz�!�#Ye
������a*&����K��}��@.sQ���u�P��������R�����
�<��/[:~�I���%��5fd�C�@�����X�=t��+��pY9f�i�<Z[ N��Y��������"�kz|*��+0^6��
�\J�3�-�k���{���0]z�� �I%���3M�|QHa��"��2:����P���p�w#M��-Q��S��6b`M��p��t�;�)4�9����^�4�kl�"M��
���~�
��jIc�#J���)
H�p���9��pgU�o����T8BTB�8\���v2j�����:���w3����^����w�6w�o��Kp|��9�}��<`�28so@������
��?
������=���Z12���/i3��'w�zX��[���������O������m��i��;����0�
����~tgp�;L#�'�|�I��pz�����[;�._���,Zb�ORxO(�:z���v��a������u3O�mX�(�O��R��wL������)�����`�a�� �5���]������h����5����%�o�H?��q�����g4����&��D�e�e��� W��{������H���

�[K�dv10-0004-Add-pytest-suite-for-OAuth.patch�[mw�6��|�+�Jw#�-���jO�i����r����e!�XS$C����g	R�#����jjS$0�7<�B�M��d�^��hr|������}���������H�z�#��.���D�vY�wB�X���i�
2'�{��cv:��$���L<}��n~�S�x��_��<'�Mt��>��B���Oz'�G��;���|������jxs���������g6�}�,2!3&� l��r�g�F�Z|��THv��f����~f3�0!���	�y�o"��0�f���5|������ ��&|��b�l����]�����������o��T0_d<��h������{���\D�,��8�e�Lf���GS|��Cb�a����%Ez���;
����s)4M��4e��������yp��qfh�@6��w�n��d�m#���T��L�,�F�z�������I��I.OQ���+&iM������U��0�]7���u�dQe��v�G�]���{���/��\u]L�YG=���i1g,����������
:+������RN�ew�x3���[Rm&���{��L�N���������U�$��H�dD=e����#��1F����f�������W���[-�
����}�&���vV:\}V*&! N�=�R��m�����'�>Z��Z�,0k���sk�T����}��1�<D4��B�i�@���
��De��h����G�h���6�h������i��>eZ|�<���f���r�������:�l4iR�2�����'O,�di��������f����K0���'����F�&����g|���d���F$�	��
du����������?��Cl�w�Q�
@��x�2��
;�>{���������F��vc�����e)����
�P�q��x|�?:�H���%��c�q�H��,S9����w�y�9�xt��������s���`���]�2��b���D�^F���<rO���$N3�	�<c���s�">��Z�s���h�PsZL�!�N��\�L��+$����S�
��{d3�s�>�������x�q(�cs�d��voC��+�>&�I�=��+8Ia����a73��'<3�t��b@���G�n?�Y�"_?�}��R��T����������ko���z~u~���0������������|��Xc�G��7��X#^������vn�S�
T���R>1t�(�������i7����f�;�M���p���ZZ�����$��~A&�LDt��k�rxM����kl�--��q��R��P��+-\���������o����'F~tG�h����&�N� �m����$P��p5���^���d�g|�qr�0����q��)m��t���V������Fq���v7�`r&�	l��������8�+�e��	���'�b�/v��7�@M�B@(9
���U"���4�5����W1�tS9�w�0Ux7��m����>�N�\����N?��8Ks����^8����p1��0��S�P��]"����@:�^�B�,��$G��u�L
�h����������aF/�y��S�a"�v��2nl����	!,60D2[���7�WDB�t��/�A�|��	��AL�)F�� +��>��"�0��h�If y��7#���sq��g?�\��Q��}�q�>H*E��������p)�9h�h���G>O}���&SD�8���P�)K��L�&2�L@�F��d�4#�
�K��z����`�q���9��9�_��Y$�/��������-����i
�@JB>~aEu9;P(�������L�e�$A���&��i=`0&R Q�x�8*@E��7�W��� Q�������Y��h�u�L��yB�y��][����e���K�aZ���V}]%�a����p����_p4���q��`�,����Qa��N�:OA��-�e���F|�T�v��x�����N��|P��Q�/�7��0�4�����c�X
�l�����Rj�?e�([��h���8sA�vTPq�Q�P��0d�3��]�QD025�������]|KY��7�Z��@_1�('�e���q�-K8x������@������{�6�4�z��5bC*�"�)*�2K@�1l�:�
����D����h�6��x���A��0�+��@*�$�����'�f��"7ui3�

��@�
���a�GX����:2��3\���Ql�U���H�|�*����XW=�� ��2�^�}�q��5k}�/��=cIN�9���-��2�*�u��[��Xy �st��P��U@�2���M��X�s�yzf*#��>�9����
\rN!�SL��)UY�a��S��%�?����?/g+�E�0��������v;t-vscC6��&����n�I�X�������������!����Y\g3Hl|�~�^����x�R^NV�����j�W�/O�Af���_�]�p���>����1�	6��
��\#��
b1C����z�[c��!�q+@m��"WI��#�����E>�	�R+	t�f��.�!����A�
 �P+����_���T
�95"TC�Y�^_�q�?��t�����@}���.5?�����j5w��N��iv�9Z�v����o�TnR�7q������-
�Pk�!�c���o!l��K�p	�����8�^��1�%;��@;�4YtNeA�F��6
^H/N�%f���?f�����/�s���!V�1h�6��D?1���"�t���.^������mL7[m���6����j���gp����d���j<T�| <�� �!���*$f���R�.�o�A]��F�Z7��|Pq�/l��U2�Q���^���N{y)�����(�Y!	��=YA���"(������M��w�������}����)����T+Y���v\/�a`4���/@n�
�m4��F'#�Xs���v���P)�����[
�p���W�e�y�0;�5����aK+����D
����V�H�:a7j�Y��i�YQdQJ#�.D����f����,Z�����W|�K��Xf��=��*�!�]�%W1j��mLr���j�����c�A�i���=V���BN�-ji�nSg�SJ1�]�[k�Zxu0B����\���kU��#aOp�H�!���g�&ztp��&�� e�:z�i�In|@���yJ),�sX#�Z��!E���a���1�}Ke&�Hj���7���P�A��,5e�f��G 5Evkw�����:�F
�yi8�X2�`}������'�N$E:2�+��X`[�Ls��c��H�D����X
ME�i0'g�tL4�e�}����
]�������`Q�WuoTb��������K��F�E�Dk��U����R\j��4����s�TZo��j�4t��5�p��!��_rdL
&���Pa1�zO|n�>�Bi��(Rr
�����h"�&��E���wU�K'���]�S���S?��(��P*�hbN=���0�QN��(Ex�(N;1��-�y��r]
����
_����\�\�~�`���) = ,�akn@�.�x�j[���|4a�a�����6���vU6���h�*�hW�
P<��T��aN����V�$U�<#���� *D/X�UDG��
7�������8�������>��R��7����h���,���k������yw�yt|���xfGCH���f�X�`��~/�
z����l}�����-�I|�V-U,eb�Q�3R4%�*3T�4md��(�3,T��
-l1������S
�����i[�`��5�B��&��-�"����q>u!�	>@���1����Q�=���`��J�����G����Mo�;�;��|�)M��Zv������Y����^���HWEwOT>�.�,���fg����$i02��%�S �"_�����vQ�Cy�[�T�N��	j����a`�������
��}�y�c�t���Xup*t�[�R;�x�M.�O;3���x�BZD_E��ru@����U���"�����"�A
#|q���������=���|����+�B��D:�x��|Hc]=�"�bl�@�}����p��{���t����>X�G�v���W�^cX�t���H4�F���[D��
�n�.���p�c��E��R�j��V;��<YZ	�L��GjDui=����f}�f���a�B��~^c�����[����qA	_�_jo��T�Z���;M5xj�N&�++�'
8>,,�+C��
X���V�g)/0C�����
�*g�*j��*
��C*�;�bf�l`��7������Ew�v���@�(�~s���z�6��D�lo��*�"�8q:��e�p;�x8���sM���
K��#��C�_AAF'��E!T�
Y����|���`��P���5a�^��
G���.5�H\6��JX:�%���%�1MB�.���U��������<�U�D�-a�����4�������p��").������S�S��::o�WK_�K"}�0WCM�O�V�������e
YiA9�a������2>C���SN]��l=����>�i����X��������0���
l �WS�h�5qkz�>'���_c/`���3�?E��-��-`+�
H�f�����=�|��fu���X�@)8���k\Ne�:6�������1�5�R�]�������3z�m	�/��$��I�A���+��^.�����Z��N%�I����eTV�_3����Ebu	����iX9���!�ZO���|7+��q����Px��v����OW�����G1�I�s�5|arT���<�D��su�Z�$����(
�&|�����	8����ua����/;�n�������M}�AA
���Id�q���������&�-���M$�`�G��H�Cp<����2+�Thi^1�u/��}.�R%�1S�
��:	d�:�:���n���N����"y���R����X�X��Vz
��������d;���,4nt�������	�nAR�h[�<t�{T4�>7��[Yj������q"9���z�I���+v*�>�K�16+���Oc��s����c���������V�
��WP�������\���jc�}�E��_����:Q�#��MTj���^b�{_����}���N�c�p@Q�|u4�M.� h���Y�A�n���y�Q�F�U��;�0��O���:�+��jqM�v��?�������c��\
K<L�P�Z����Sa�:��F�R���U�����q�v�Q�����
��eh���0a|Cul�n���oU7{W*� ��0�Y�<�,H��5W[�@�7�
���#��5-<�5�?�}��X�y��]��~������tt������?����y��-�����
�����>�c����/s�!��Y~�d��`��_�4�LA%W��������u�l��J�sR���L�o���-����J��r����Wg������vx�?�j�
�m7��`���k��AL���Z�6�X?��� �+t�>��2)�
TQOe�q��7�W��O�A��2�T���ZY�{���������]Q�~3�KNC���-�j
x8X�,��������2������q�ES��4�aU��;��U�V	l�}�����}�ug����C:�_I����|	Y�i����k{G�(��_��$��+���8`��fc'������ZvI�tK�����u����j�,'�=�����j��u_h#��W���u��
���]�HN��a�6��5���R�!v����{���l~�;���rv9F��=
e(s��E��Y&�B��]��B]La
Z��SA�`���B�����H(�96� ����F������,�R�N�C�����B]NRq�Mb�F��S�������]�2��!���
�Ao�w��������qr�6�P�F���8H�m�0�^(Ep{�����};��h1B�7�g��
���'<�����3��w���wirw�tQ��tB��
���H(_�P���J���w���MX����q�R����"��m�%�*���G��1,��U�-:������� " �=K.����=�R�!Wd�z��A����W!w,�k��|]q[����y`E<],h)@���R1�uU�Wq6����C���p�9��$������`ftlU|����a$$M0��m�|�
w�����7A����4�M�[�iW������	��|v'v�K��GS�������5Ic�����|���g�1����C"���1_�����_~'*��ia,"r����Rpt�v��1H�Tq��X�V{��^�A?IF�y���#^�w��R����^���\���5����	�K������<��@��*�<��aV;�H$��Ab��~�z!��_D�i�������O�����T{�"2�i�W�q�3O��_k/��
3V���8-�q|������	 ��+tp(��H��!Er��dFq���ZIf��k�Q�.�0`����K��\
Nt?��[�PZJs)���]'�'��5
�g�����j��po�p
Hg�B���rv�9��s"7�[���]#A���z�Y�z�c�����Q���A��uRu�8��5��^�1��Y�V|����D���[��z�:�t��<>��U�==�(nD����+�X����?y����{ Hn�D]���5��v�����6��sgV�'���L��U�N����p
.�	Y��d��+*sW
�������U�
��|��d�	Y-��z~����m�V����z��&�~�����-����a=e	���1�������;u�-����C����1P{4�����0�K�#��.��9|��56���Vj����c�xm�W�����#����Q�������7H��_]��������TI�(�x�
����iU�u��R�}�������L��:��5�����z��^�}�D��*g	-�\�����H=���h��(S9���I4�c����;�l��!����]�=]��x���1U��H7r���V�E���4�8��Jm��O��Y�8%�%���36��>����r&�HOG��wY
E��h����d7S�hl%����
��
)�ri��D�-�4��j��^ �>�=��������CYl�����
i��k���E���`�g/��j���W����
��m��/V�W�3��/\�J8�<(���h��\�#y��6
������g^����������z���97�T`������S�{>&��bW_��$���� ��2!c�M��u�PFuS��d_p���`D�#��8�>.�q/��v����,R�z�OVN#*�8I'�K2�I��r9E��"�%UU���h-���&
Y_��hLr%��,��@�Y}H�=y���4���7\�t��(�������(}���n��RaGQ���/��n/�Q�_�]\\`
���$�3�t�OA�:��q���������oY��Ja��)�*	
`����s���W�
*8!����Mh�[���"���7*�xPQ�(m?�wFf�������G��h!�����������T[����e�&w���A���pRL������VUG=���*�+gT�mU��rJ�����7�a���=�_"T�~�ssjc�s�2������U���A�mV�^f���� 7}�QB�n�l�CMSK���l'��mY�_���|��
7����x��{�W$�9V�C
�����s��/����f8�HE�[������6Y��)4��5y�&�
��jZ���!�Zv,[>6C/i��W�Rl�U�^�,w�������b0��.�.C4� ���ir�Y����0�W���T@�kd_�&1	��������������O����JI�M+���8wH�~���5z\"���d�2�{{t�?x~�����/�*z��>�yV�P�F���nl��RXe���*h��4O>\���{+?�Za�M��J��O��0Io�����i��rPa������+�.�c����N�V���P�`G�����`���W�{J��|�rz7�+pV�n����!��j�
L�T�~
m���i�;�������Fp��@n������)m$fN.L�������=�9:���?�L��6R�)h��~�����������Z�?6���W��vp��;����W�0��W�c�_��YZ��d�?����EyA��?l�5|`�Q��������P������J�Z���'�4L.p3�A��#9N�q����+�:���2j���a/���
9R�qFa�I�I��M�hd;�AFn\�?r*��s��i@4e]+�W\�G���Q�������MR��J�h��~���}����I��w�s��UR�S6���c��1&
���7�q~,J��r���e�Mg���Et.�-EY�����23s]���3�e�X��vr��6�x�H�`��..������8�qrp�K�y��p
�ms�@�=������J��~V�	�~�=i{��{?x��k�s<g�(a6�tz�����\���|D[��������O�x����s�������^S�_m��F{�����`���:����?R

�GTO��,�����w�<w_�56�KAC�*��HJ�|�Kh/y0���C[�����u��.8�3�~������3�#[���eJ�aNOi�17�!�b��|.�`X|��)~����p��[���k�-bA?~'��/\������=�����A���<$`���h�QQl/C�	��kv���|���u��0r)4�5����"�R5
���?��O���W'��z��k�Q������]�2���m~1�llDo%��8�������`�A|�0P6p��d��z#r3�T1��&�zx��S�X�DL�?MIc3+^������P<�~s�l}*j�YWaR�����TW�G��kq���R���@3������
���
������7E��m������^(9�9�>�ga�?��
���~Y)boA!�ry�n_/;��l������	����n���ucgX�s��[�f��H�*�O���9����"��eqj
<"?�_S�Ql���C�u��,+�vc~r�x�X�-�8��'u}mT��G*���9���\��=8K�#�^X�c�"�Z�|��9)r�R��R�#���p����C�[A!AE�uh�������S���T4&�Ew���
�
%��Ir$p@�
���(�	�Mo��t���.f@�=��6�����Tj��@�ml�O�
�
U��Y��?�U�_F�57����z!0����ok@.tL��Y.6��)c�S�3;A����*��/�"o��G���%�}U����#�EF]�H�����;�p_<�����u���M|��k�Xsa!��b_d�����4����8g�Z8��T��^w�4��6}�;\��d]�-
�y���#'3�����]�d����Tx�����n7���l������������S�;we�����2�G��&�>�b�p����������\q7��'���C.�I���7���v$�5��w4�y+�����������~�6��-tQ�R��j��v���3S����t��3��S�����<'*B�r����?�w�P�f%�i����)I���U��Ws~��~�12�"�5�N`������f��v�ma4�L?ea��=�S�X�/��u��}{�r/`R����O�
�Y��[�~<��i�5�?J��p3!�����v�`���������������R���LqY2�c�|&�E]e,��I�:J_������.mRPS���_9|��L�x�n�2��A8���7&P;��������w?P����c_�h{U����P�i�����T������*�����$Re�����_�g��'.��Vdb�-G��r����!��
�WjH��iTea@x�z6�������dV�U
v1b3)^	]3q</$�6T�k��i���������u~8�\�e���y���l��W0�����B�e�����(��./v9=|�M�z��tS���{�!'I������8'W��n����e���(eq��*�@�2_r����3�rN������R��6��I���M����AY�m]S�>�3e����1p�u&�L�x���P�Y�::M�*2e��i�x�j��>[�9A!zJ!?������K&#\���������@Q��O%f�tD���O�-E�q��-���j�Q/����RH��DQ]�6��#�
-�NK����%%7&���Vd���~�|��B������0j���o#l�<&
��J�4����G�1��
�hD�$�+�^|�^f�
�ts���
����6b��B��V�g���7%7�-�o��,Xpj�JOUnuOs��t%_e;/�d�������p�;�\�k������W	���+1�_P�������2�������&�<�����|o������i����+�c�Q�N�vm�����F�
��?�pHiL"�/
�K��7I���;�x�����;R:�IL��&m�����)�H����'TG�vU0O�"�5Y��&�Z���N�����������.�-��R���w�i�7r��,�Y���e�x�p_��w�Y����UZq��������G�U�4W��G�UU�j��(����|�X)����)a��Q�)=���`)����N����'�^+Rt�)CW!%���P���E-W)o0�_*\h��!��m�@���aK$�=N��}X���4����m�3H���J�R������:=��l��4����[�+�^>����P�����j�����/�4�5V7�]QJ�a���)��1�
�9r�S��%
�Nc{u���JA�L�s"��oIZ���r�E�X������1!����R���XK��)��'����%gsL#����q�z�G���"�o�_�r=�v�GD�x~"���]�J��|X�,q;�i1���M��\�������H"�\[�
��m�U���P1�
��~�Spv�����Y��|IO)!�w���W�R��S�mZ����BY=-IT��%u������'���\����[O766���<V$%�7�}S��J�G�I�����T!�P���Q�KD&�qt��q?/P�OC+�����WJ�9
qZ��.�3Z	���~�
�k��F����G�������R���p^.��@ft�
�i�����>.l������Y��"s�����K-
i���������L�K����d���d��=@9�R}�q^J��0�f� B��2���P���4�vO^���YQ�8Fs�Pn�D��Y)��D_	>�R������a���W
2_���<�/���	)�+�f4���2���#���~���d,���_n��Tp�B�^:�H�V
�5AO��.2�I�WQ��X=��U��������G�b���������r���X����Y���]&�S�%z�%��8�������L	����5�����%F��J��V�XU��R����H���l5��d�u��g�I�P�l���=w8CY��`s�X$�4������{=K=��p���\������r���1W���r%���!/�+)�YTA���X��h��v�8��3�E�������@�a�����{����y?���%��b��{{cQ�u�QO�����=_���������\Wy���Yx�<�;eG!\�J�U��������[)d�[�F�SJ�,@6��L���^��
�E�F�����Zzi�[�7Z��j��8L��I2
h���������W�����0'���d(l��2^IB����O�z}�%�\lYZ$$&��Y0�����6����
�����=�"<��sI�!TO��`!(�b|���O_}I�}be�����Z�
���u#ke�2���Z���7)���'��|��L���I�����\��E��5��
N|57q5K7�����X�A�������Cj��E�8�
`������-�{����z����h���|��*���
�������x�����f2Y)O��	��6�%��	�S�Td�������a��+9�q�{N	��?������T�����+�4��"��wV��������siv
���NM��R26�LO�6���<q�R��t�!�-O���/J*/�
�n��++5$�{����?��K�]{���#��S���%�/�E����Sx��������e�vb f�NN���O�����v�u���R�O7����(��?�S��E
S1n�F�q�a��n���P}s���o!��OC�kzU��j����I�I�:}Y�^G�������L�����3�����F��-���l���%:�y�8� ���U��Y2,�c���b���p�=��1���~��Qc�\�2�4L��Y����<�����u�B�U/�Iq���X�Q�(/���/p1JB��C\��UE���=�>�YG�Q�o�7�M��E�G�k�9Db�`��)>�*>!�D0�0�@,�G��+����e��T3�t��JR�����8a�/"�?e�����W_I7���{;K��$��N�Ib$������y�d�:��j��R ��3�u�0�=�X����]�"����]!���cf�(�!���h���W���?x/���I����Yi�N�Q���Qi$��Jd��c~���:�� q��Y����&r�<$����������B�*�bV���F�������*)>��w.v��0�6G�+03
�1tL��P����&��,��G�\Xx�,yC��Y+����3�����E���&�����iTz=K;�8�:�{��QT`�
���o�Q� `�)sP2�����D��`C�4��������0������n#��=z�h��}�m�7�G��������=�����*�O����|~��	����C�Gt?8~�����q'�\;D%C,�wI6>M���~Mc�{Ha�d�|6[��/�(���:0>��$J!�N&Y����LY[���~h���~9y�_�^��79���;T3f�PgISj��P���LKU��#=�|���$�[fQ4���`���\���c4�v��N�Y�%�&>^)�h/����`���8����������KI�m�6�4�E�2����*@�#��k�~���p�.�b��?zL�
�~&�Q�gMJ
��b
xNc��5���p1�������P�52x��*D�wYg�1+Ky�.���<����[

1�^����q_��x�*1�-m?�;�v;O6���2�qA�l=-�����o.��np=�C�r����#8����8�.���e�����s
y
���&�
X�IgH�����~��o��V��D��aNw5�1'�Y:S���TKQR��SxxzI
������1�K8E�i|�����iB5����\e�����n-������,������������(�^��'��p�D��U����k�����������p�������}9�]	��������	��qBI���5#�]
����\Mv5��������~�4*Gy�B�Q���V�*��0gY�������uy�3'��w��"��B�G�L����J0����#3�
�{��B���AVuG�'�L���6����?YM�I����~.p��,�����,�s�rn��?F����[g���>����Qk����0e��lr4�)���E��n�:Z�M-�|���u��m���AW^d.���i�v=�����2i��RX|8����uc�M���h�qZ����[<%�Uq���9���aV/(%�����Gj>H(Cs�v	?������B{��Fi�h�X���-���������lq�RX!�(?����j��'s�J|-!�~2�<	?(��8�N�0
gu�D�^b�Z��&��R\������� QQ����g ����M��V]X��2L~�Q��pK���65
�
��9v�dx#[�
��t&�/�����wB�)��AKy�+��b����y�7�G�#�10�)&���J
9ltR�������>l��1m!�ZKI]u����/\����E��w�5g�xM�
��9���+�����[9���#�N�����u�p
8��y��v���}5_^0,���x{+k������7�v���J�T!(��^E�j�Z����#�]_�5>��b�3k�������nAQc&��o���a�t�b��yE����%cz���m8��H��������VK'�e�
��5��j`z|,������^��#��=��$�V��5�#���c��Zj����oi%�[P���eC��h����T���p`=�=T���.�Q��R��u{����������f�����X��d|�\����H�8eZ{}�\��o~��<H����v9k.>|8p����x5
�w��{�;��!#a���{�� w��fq��Zq��������/3��h
������C,�+��c������n�%%�C��e`�����
~2�~h���6S��������t�R��s�V�����# h��#
s��w��EZ��b�L���c�������v�@YL�#��2I�{�h�����������>5���MSK��W�;�m�j���9�a�����������`��sQ��W���$�1����c���>���^���8�R��
2�.;D���-�~l*�B��77�������i|Jv���V>y�
[h��JN� /Nl�8�q/�^�7���	��\\[\���*���n=?[,�<H�h�,�5�:�$��
O��>�gdm���
����Z��F���.�A=��Yt���L��I�>Gi�U��4z����i����jX���/���9�F�X����=Z�V����K�rNU�e?�
:�%���v�XJ"q�|���xH�W�<j�9�4q�p��S-
D�C����[����#:E
����Xg�tgB
�}=8���
�YdX�S�c����������*a$B����+!-5d�3�N�m����z�r'bwg�Ks;9��>�~eJy�`A!�a>g�M��8�JP��%j����o�pr1�#'�k-�H5���+���Zj_�����d����fp�&��/�G�������;1
0s�5��*y
��<���	iO���D�����nv������\�N�nV���������3.�=@����
Ecy>%�@���*�/�yD�Ce#j?�����W�rTk>�������<����B[��
{6-����� ����
f#_
�����wiD��}�
����{ ���j
�s��6Z{/��R_D������'��������hLD�p
x!-�IzX=i�(35��Q����h%:�pHT|nu�_j�25����h��7Gs�S�r�~�.0 �J16�1��vng~%���d�+���:��i2H�b1��b�%m�R�Z���5������@�;T�)�*5s0������W���{s��;�[5k(��R��I
P~�
:>x����K��UL��c���������b�d����sgFl�*z���>�a�6������0cF
	V�@%���4���4�2]�6�j�a��d�����P�S�A��K<8�k1(�;w�C��"&%����S�S	:u��jl
EX�4�L�S�������$���p��3�����yG���H�i��*�j�Q	�M�Ol�w�:)��R����N�3
Gl��Gk���d	�L��n��AY��B��K��?���<T�1�u��eJL��L0����I5��9vJm(���<@0�,H�<2F�Znc
��ey��a>w�
�a)"��nCo���L�O������shMKe��=@���
Yc���U�I)�-u��-B
�����H���Z�� T���G�p
srC+
Ox7�G�4�HE�6fi%�8�Kut�i>�>>Oxl����ixA�Cm�X��EM&c���=��7q� ^����j�[�&��esrIZ�4t,������D�[��X�����qM�B^)WD��lL��$O�|�%���R��):�<|�������j�ur�����j�}��oEE(|h��-�v�Tua�VK���0�979ui���j���'bWAo��@Q�0����T0cs��M�c��a�
L��	P'������FE���pU��DP����J��ts��q�$[z�l�[��U�g���e���J
�\�7C�"D�
��g��4�,���BY���;��}�)�w����j�:?����:�:�@C.+
0�3����q����<6���_TU�Y`���g$x����q$-�Q0�"�5+���h�0�4V�m���Q�Q�:���k����*B1�{�){���E2�)�-�U�'�=k��Y�O�w����}���;��]5
���J����I���p��Gq����c��F���*��M���W�.�bmV�.�W���g%�S��0�'������U�O���W�)��N���uM���e��u>��A����@����H��v	�In`"���C�#vt�&�,��Eu�0w���7�a�u�ot`G��-����,�-��/b��E������(��J�FB�8L}�
���0�eD���E�>T��%��T	7�8O�V��I?��E�D��c~�I�7��r�k�M5�!�`���A�x�����sv�,j9�(����I�!��ax�^�zHhW�7�������>�Y��F�Y���=:;Z6MB
�(a�#Mi������Av2�,tE�P��Yu1�W�%��h64g
��rry8aB�q��+F���?��$/=J[M��c%���p�H�c11�beW��|D���:�.����(���J=��A�u~i��.G�\�$�O��+�=����)�c���H��j���1�a��t2�e<#BJ_R�]��A�2��M�f��T?���������},9����N�4Eo�+�K�n��M-�xO
F
�����
L�Y����@��g���>C����p�-Z����g��E�[	���q�c��*�������_r�U�`�O;"��=�&��i���Hz�������*�q��N�Q(��&�Y�O1� �b��@`��La��r�#�ho�koe���U���XhFM��!w�\����>G���BIG�2xh�����q���s?�6T�`�,�\���C������0�"��S�5kQF�mt���	D}��7���(Y��I
Lh�e��0W�(l`#L0qL�1����KK�=�L>Cz�L���j���(�w��z��iL9��r��|��-���#�r3���|�:r"�8R,{�+���1��Ft��=����e��p%��������0�Bk�,�z��v�����X��V*kT�����0�V���������`�dc�Yp�L�4�P_���3E	��g0�+�(Hq`,��~���:^'�+�V�*�����c*���q����r�+y����.2��rm���#4� n�Xx��J������b������@N��q���=���	x����Dp�t�@�D>���/lAu�h�JX]\`�$�^�TE��z�����I4�/���+���Q��y���Ij�����(U,0p�����m}%�0
9+Eh%.����By�\�/�X�w����_�����05��U�]��/�2�+T��E�L��$0��K�3���-�x;
5�3'����s:-C���L"4(z���=�7��R�HyC4��>�JQ��F:����������g��g��oN����t�R�t=G�~��������I�}�
y%�>��g��t��~�lF�H�
!��������H���1��X�S�"f��#�������J����qa8zpgq;���+�Q����@����" �(	/���D�,������o!cn��� X��h��W��l<���h_#��%P��V;N�j�z>��[3��)Q�x�P�*;7��s7�����T���+COX";)]���x5��vS��5�/K
�xF�
P�(�B����`�^��	�	+P��h�l,+Y�:4����� -� ��rNA����K�
��`x�����cu��� $H:��R#��@U��QV�m���I{[����X��:
n��������1���j-�;NU ���&�h��2st9,���Y�`z5�?�
���
,
|������6hL`P]�Ha��/n���H2V�k�+�]
vm
�&;�J5��F����?�1(�m�^K|��B������v>y������� ;e�Bk?u,���u9�A3�|}8��`���>*�E�?����I�����#��Tv5��F���Om��G��@����I.y���q@s���9�F&r]|��:�!v�bIM�!�lS��D��'�.��_����!6I�4�2������q~z(w�-�*��?���WIRe|�O�I�����~��=�m�R�O��k6����#J���Q���g���Ak/��CF�V��f#����@9z�!Qq��h5��t��.�I�������1���6�������
��C�*���i��7����^||2��k�6����P��Z���&t�L��@P�����36�#�dBfq��c�	r��
�4�a\q�:'$��*$�RdGpD�8��p��st���8}���~��c.���~3K�h�@�l�sZ
�Ih�%���S� #�+���6���
����� N�c%��-]���<"������M x�1��>2���h(0�6��FJl��}�/�.�J��4�a_�r�����`�i!:��a�����^X�\Z/d$����[�;�����g5c��I�9���1e?��O�NGSx���K���	M���A�f�m���UA�� �!�E��x������/�##N��o�k�oB��=��1&������I7k����=�AM�������osl���g,Y��0�b������{�_��(����U*�O������a�K����7�^�~�FOz�g�e��'0���P���%%�l�(\7���1�R@R�A���G�W*y�Ho�/�p�&���������ngg{�U�1���������:ER�%��%gW����%\�A���~B.C�~8�wA]�:z�Hx�����������|�<G���jln4v7�=�3������.)2	K'�.9c$��i���l7��J��<�.|R�n>il�?�Br�H���hlm66��
S�u�G��|,6��|��g�h�Y��5���������u����;s��g"��<��)�S�N7��)�>��D��>z����Z'�o�~:
R�E^@�8�#UV�����1�@h���
r��2%t�����8I�tFWT��	�C������5��?��B�.	OCM]G9���k�=�k*4���c�T�Z�q�%`3��)�U��58�l����

D<^g@�>��(a���,%Yc�S��H������wWy��<�,� C�	�C�;��E6h�
�-.���3jI����k��=Aa����")c����2e=d�����=��/���.8��.�����U��8��
�+(���
D
���K�Y�V~�U��N��0���v�*!m#��LY`��E�������_����{��������B�8?2�1��FO�Tl�@
X�����������W��FQ�8s��0�"�;�8Ih���_J��9����7�gQj���D��l.g��\oH^�`�+b5�����v����gOyG�����y<�[�����B�r� ����
aE_&d��d�V\�*���]M�q��i�Z2���Q��C���F�M��d>4�=��
/#[��[=�o���I-��WM]��-�����4/�7���?�^�����������������_�ha�������rx�KC=?zq��;.�s����G'G��^�~><z]l����xy�����������O��E:xa���
�=:~���|s���v�
~[!�[�M��
N�~<x�:>�l�������'���0<|�J���]
Ql���0i������S�G0J!4�'�Hhv����+7�G�r�|3�*�I��;y���
r���J7w}"�$�7�[��K^Bro���8~�7i(��Q�~��NH��taX���Z�NG����gC%H����:�"�j�&�������������(���2�l����-r0G��!EE�����=�vp2������9�t����p��
�!3k�Od]���
�"xh���FV�y���D
��c�B��^�z?xI�F��#$U/3s��<��#~&7KX�����?e$&�����-�1��a��P����.�A"��P�}6
Pkh8x��
e��E�xI�K3V
�8��q8��%�68��������!I��*T��sq_U�Qn5*��H	h�h8��_��<a%�J�|�;�HI��
��!��rze)U���^DvM���5OW���`fFt��JcP���']�����I��������g=��NB
%��p�I�{����������ZG?y��m����T��~_���i���@�$��hpu��w?<�<�Hp�1�"�b��
�������G.^�4na�,F*�M���9'F����l��o���4�I?*�s�S��+|&���V�d���������W�K6<���������@l9q�%P����VHa�n��F��8|���������8��3��O����3<��L�J{<pd'�������7������_�O�w���PK����cj��N��V��q]	�����;|�4����Y��t�|�����l8a*C������
*��eA��R6�R��O#���Sm<�}''����>nV�9R���Z)���A�M�������h�V�]
�p�����KG�L�,I��;�T��|���u,T�Q�C 4r�������7��X}[+�O�.��5���t���P�Ftu&h��� EV+���\r�?z}|�^�p���J���g�4_�&#���hc�s���%�X�(�%���AN-g�N�����L�s}�� ������;���"&���5���S�<��� �Dicd��� ����6�v��qY6��
�����M�1��5 .��x����W��Ue��	�~������Mp|p�.��a����(�[�m�Ta���o��C
F�- �~t�����������IT��[�����lP��d������<
���8�����{�F`�z�x����4d��o�|e�v����	nCQ�2@���>-�OY��XAG�'�4w��,�s��R"��8}��L��s��2�y0e���\����������X�<����H��V=}�A-7�T�TPW|�_�=�'vTR(*��kX`�h�R�5I�O��L|<����*���\��e1����QO�>5��U�+�"�A�*������(�o
A���%0������7����h|��9���J�i-s�-k�Ir���:A��Q�=S�EB��TRe��]�(F��u6��/���:��.��x���M�V���0=0�K��r�eR1|����}.;G98s'���JK���QU!��I������{�"��R�+��(X����jd
A�+����8�qt�8�NN��5I�hzC��v��
q��v��.��H����� k�LX�N�:I(K�Ark���Q�AF��U�z��N�|��V����f��7w�KV�$#�P�
F� L�`9���o��_%��b���u&]�2
��$��b��7�uh��Q�>g"���xA���y��Ft�P;���xM�2
����N1���@q2\htx%X��B����tj����BG���@C��`	�0��yq"y��+m=��e)M7������l��{���OL�b%������wu������D�U�����,B����|g�{]�r�nH1�
��`��^Jj��wK��
�.�z��"_�=]=�"4��z��y������;�~�|���Ek������%3Y�tV"d�Q����3�����~?8�H��B4��w��95nOz��>��������Zy�Bn�2�P��1��^Q�����p��e �������o{�/��R���W�>��yr�sCy�x����
|X'n��s��=c��s)D9��:
��-�iyJ��S��F3������L� �X�/?�������Bp�.�x������[>���z���D�\*���3��R����4����r�?��}�2V2���e1�h)'Z���T��LH3���T�����+�a
����f���Fi_���l�(����R�1�0w��� #��G� ?]F���������`�B6g�	��'-f
��%*��y�bc{���������O��z]�����B�����>��
�[VN���S_F��z�����?xE��-�\jX����$��e���
~��3��,%������v���������V6�������X���^��G�8\�:S��Z���@dnIe�B�F�\�3W��%���� IJ������o~v�����
:D,'�w�X8'k��Gm�E*��q�b�f�+y:�s�ts-���������c�~��O����j�b+����F�8���u��Q����D�1�:F��Pw��������������Rp~��H��<s��8g)���]
&�b_���
?��J�|�q+��������5*o�q�(��jvt�b#������QPYo�
y����-o��
�&��#X�I��"RL����%����h�Yu��E)�Q��O'Q��������T�2�7���St��V����A��ip~;�R�:P}�^[
���������z*q����,V�w�dYv�Q��z���Ha;O����A����-���X�n�I#��)�8��C�JIrp�9s�(�F�4$t.q���8s
��*67�v���5/J;����e�K�rr��n~��}(-qP��W��xM�B[�L�"��--��)�K�2BYv-�O�o�P�H%��JO��� 	�bN���%%N.�K���L�Z�E��zc����'tj��\Tx�t�x�b�#������`(����l
H���!}�)��������/�hHq0���3�4�"��p��""W�v����f���
��>�}cx��h�����T,�A�%�IJ�0��p9t��H"�Z�jNX���i6{�I��u��n��z'�z6_F��b)��`�{����/���&������j`�u/36A� ���T��������v�����s��\�|�����n��V��oVz��;c)�G���g4W���^���h�F��wF_gyKaY��[G������`k��|���sZ�)�^��41���j��a�W��`�,|O��c�����.���E��,�������At#�Ur!�y�.lN�[��!R8�b+�f�{�5������o����VM&���+,�f��hu���g�����Fc��Ly�{}�@��x�b���I�Z���d�{V��%�H'4�K@����X3��<���J�0%*�*<V����0�"

\""�ruX
l`2���)3�O�}U�-aL0��q�S?�����CC�����!C���;r<J������A��0#Q-r�s����Llb�u��6��InH8�>6�b'T�WN|~�_`a��3������Y��C�w�;�6����|�M}�������������F�����[�<�b-�Fc8X�Z����5��7���
����:��h����������)E�J��d|:R*�!���5�����@fn{s�
1C���"S������r!%��e�
:�pu*�l����G
`�CeM�uc%�Y�'l�LmX�����N[�={��]O��@
xH{'8��M�+�X�h��f�<�y L]#��V���`+��PF��j�85����*���?/*�;y�<c����k��Ck1o�|(����E�Z��VX�	�>�he=*�[L
�@����!"Y�j����_����f���2���O6�>Q�C@���j����y��L�����,�S�h�����J��jn�J	Q0���x�jU�J�{YiL���/���4��N��� ���(,
�W-Qz0��5qD`�QO�oY�ky�3u������\�&���6��jB!�����?�7o��p��4�N����n�-��L����&�~�^����/b�<��4���g��Lg��-0���`k;���!����
��w���6��\�m1���%h���,���.i�:�.e����`�����D`�%��u�\�O�\�Z����pm����i��o�	�M���Y��'�x�*-��������f��[UX�L��+��<X�Q��e��'�\�����}���!�C4�d[�W�������=1d&��<*Ck�a���2/���92[�
���3�
��ND���ZL��Qv���5]�=��a���U��4�%�2�nv�v�.�����;�)�S/6v���8����<�����wEeK���y����=j��,s�)nu}j�}�>����T�{Y,w�tT�z�����)�T4A�]z�e�����z"������!�x���mi����� ������
�D
�s�{���8���E}�����^W�d�_�i��m�����R��f�������cM+�4Rx\y�/�����x�
�;A%MQ~�>��
��l'��`��9r�I��Im��z�<�d���6��(�R1B��@Lm���f^K����D%N%��\���v��������W-/	8���L[��(�N}4�u�
�u���7�T��������jY��G���M(��7�f��p"a�'�=�
��2	��U��	w�!�����7k������Vj�n�T���h������c�(����.��M�cs�
ln�U<���M�������;1���6�6�J0L��(��tqG�ece����87Ne0cs�:����MY�\��`���9��Ph�U7�����n�))������kG#!��"�
�!Z���yK'��D�dY����C��9��0��i���1�K
z�����R���DL��C�f��bl���t�F�q?[c�|
X�5����������7r���<Wm����[��R��];���m�+���s:�8���ru��9f)�&�y5�?ogQ��X�A�Y���G� �y�H=\�H��S��q�O"��S�4�KR������N�1Y]'���2���w�
B��/s
�%��!��1�1!�����1�UF����c�;xd?FWk��+�por���^u�1&��_g�|K�$W���D-{����x�.:�i����r�Y�A?��	����7
W���C���p�:�f��	����d�X
�{��j��"���� \��T
(W}�$�SgRD��"�PBI�m����CP��=LN�����������]?����Qw
�I���P�2'l����2��OF�?XX�����+��������+~�?���A��T���2�Q���}��z�}Ds�Z�M��[Z�o�f����w��b�!�&^�F.X��������@(�Q��{�Of0�1
UH�D��~;XE�C�3�����D��?[�`��?�%/����7���45��������X�e�\T�x����SZF�k�m�3�h
A�/S��|��Cj_Y��}A=
'OX�0�P�l��"��_��|z~��
����kv5�|��&�z��gE�>�?�2Ov�"�������e��y<C�����V\$��Srk��_��Q��Q�b�R=V9K.�����;�-�qW�������ZV�����k�'mjr��F�T<0�(�J��E^�w{�e�^��������P\���x7J�c�G�	���IV��i��F���VS�6	2�1Vl��R����JF��X�Ya�*Y\�d��[bj���E3�Px���q��������QY���>|L���z�P�C2���a$�3�,�D_�$��xAW]�h����^,�^m�3U@�``�s��ca������1\���$#��22\���#��2:����z_UL�R�vRIe?W/���d��$���l����{���
W���4���	b@��FFM
}�
<&���[�@@�2��K6�:�n�j���uB����p�	���XR��</�����������k�k��0����D�j�!�J��o�~��|~�kK�P�C�,N��z;:�IH�@$`+T�u<P��������I�2*UJ"u��_���/�l���`�h�*��jg�������y5t�����`���)p��z�v�?��
�k����Z�6�
������8���*^����������2��?������n�>yvomm-X�F���B}���Gs���w��F}#x�Y������������dtE���-�&���lR=8v��������;l�Z^6wO����~M�{7}U�v9����O��U �
��/�!RG�����)�4��{�c��q9�%�9��|u��i\7��cZ%,�B�b�r�)�-�����=��x;|����;OAW�|�nn�~�O�t����y�cl���/���G'
�����1�(
��?9z�Eu������s���*�*��+{�p*1Wd��'�E��PVERc�>�3�*F
��3t��B��%�Q:.�~b*?�AD��_r,�p�M����b��Z(��0^���q����#�Sr�U��z�Y�DS��t2��1Z�~���sx����7~��?��A��:����Me�2�
�0�6
���?�!e�������k��^��h��2�<=��$
�r�8u^�
�������&���M`���A��W
d�N��X#���y��_f�9�l0nw���ES�� ��5r�n#x7�R�y�M�TS�Q���(U�L#I����R��x<���������������T�d����3�����/����)`�b,��/WKn�� DN	�0}�4���� ��}Y>�<V�K�fec&���]���&}f�x�
�.o.����Q\&�(} 
S8D��:���
C����2����{�k��ZX�&�|{G;0����(U93���M�!
HU*3���i�a��4�u����n����#�u=H��|�H@=F�&�J���w
�F�:44�h���x7�}����wy��]X�
�K�{�"��4��I��������?�k�����ccY��?��gCD�Z�U,���s6�S����LY���$���q�B��,���(+����e��:DiKd������?��P��)v�J�^�)���)��b�V%����Jq��0/�iT�tu���k�i�-�=6J	��t�L>@"�I��1�]ld�.�.������\��;�$�8t�
��WF�A�@�x�j��j�o	��U�}�{3��h�k��UV�b�4�����qB�e+��	|"5��
L���y����1C+J~�nff��x��rR�<-7����kf����^�t���Va��������b����T;�QD��c������6K�d1���
��.����uj��2����LUY!��/V��v)kV�Z��"��Q����pt�#3��r���N7"E���d]�����N����F��<��kj�S���1���><��dd��K����[��3��1�2�V���VoL���%��8/��s��:����a�CL��+n�t��'����K�����`��s���2%8��\��\�`�������m���c�e�f}������2���e4�$A���l�5j��u����%�rV��	����TS����|I�a)�C)��R���k���?�04���3������v?a������KH�KuZ�0AWE�Z���`Jh���M��R��'�^�����G�*�5��Ruf t��]AUq�`�����R�oj�C���!���g~�Vh3�Z�E;O?�u6��g�yL��������	����Vr`�ER���d��l�oZ�C{��%�#N�#�tx/ ��z�g�����a2�
�zr~qy�/��%T�:Sm��[(h����J����)1c�3b?.hIg�Jy������*6��^����gu
\%����3�a�3�,+'���8��v����`w'�}���O������`7v��n'���Q���l|�'d�q7q�'������v�d'x�8���qL�dV�@~�<y<y<y<	��v�dh{���:���(R���o�`5�bS�z��+G�S�s����R���|Y 
�,��t���@������\�+�P���llg#�l��Y�������N��o�lX��-���5��uR�%���A
K]R�+AJ�Mn��������2�j�GX����/���QC4�s����B�L>3��k
�	������m��[��f%��Q��hX2'�u&-���������3 ��r���]�W
����K�������{��O�_��	Ok�]���O������@��g�����7����w����&�WMs�R�n��47��-��gK�H���+�F��h���������`������1����z��t���s/%
�����J2~.5��ez���S���~����O�|�f�		/������i����5��m��w�g��v�����*ws��:�q����A|�!l���/d�m��b���54���K�Z���x�.j�b�NY��k&�����P�/������7"�d�:
R�r
�#�*������>;�g����Z!Q�������`��/�C�r��O
}vc`/��
�J�\�_=!�&8��u����y�?���3
��fQ����u�L�3��`��m
U��;��uY].��<~��oq�*�cY���P}M��ib)��%@9Ib�NS��A�J�X<��[�Qv��"rX�r��	B���:mnm�<�}�t&��@O�>^n��}������i��Q���1������x�_&=5��.
�S�i���l�7"v^@���C�����S�y��)�9����J�=o5)�	�"�9&j���2e�\��L�����O�]
b;����
���)r����������
b�6��w���9���o=q�����<,������������o:�*Mj�#�gp�;���B��������m)��f�p_�K}�*���CF�7����<��w(;7gB]�w��w��3�.��/����&��h����T�9W�~Q�$y
������V�����Ez�������:���j�32��}�*Qs�y;�/����rr�����[���E�s=�&����,y���R�`%h���v������^b'U���v�a\�>��oe?����|���ni3i��vr�b�e��Zn��'����9e����C0��8,�'?�0�Y,�������v��0"�l��f���
����j�X7���-�w�^==>8Y��x����%���OmxJq�'K^8��6��A��7���
�����~3�5�@x��'u{}yE�^<U�}�-�����"�<9��^
�)i����.��-+dO�	��^�����)�������5}��Y�����[��KA�����LG�B�3.d�Y����f�u,���7��7��gM�I�h���,�|�������������-�z������[�w
cA�@�d��v�p~�yZ�|A���\%$�0�j�����i4�������y"�B~������h+�
NB�1���o��fjy���;afa6@���0�����Q4Ce*L
vU����.4t��*��-Y)�
�d����)���UY"���Iy(��*5gI�������~\v}7��-(~m
hh��-���*L����O�������=��4�7u�ak���
�o�OoxbK��Vf��^-��[`�n���*;���j9������kU��%�S���Jw���,�w�NEm�&k��x��,��+G=�{�7�=�����J�B�����*]���F^i��������r����ELj��kpS}�o}��g=Nq����\��*z|��T0e
�C��
J����rS��}�W�#J7����U!E��B����h�G��������>s�f�tpg��|m�+��S��1S���%t�W���(:S��ta]
{��<��u����f�YN2_�����1Tys)[@P�.7����R�\���D�0�z0]���s�{n|�/��^��Y�V�kp�7��`�� �}��H&�/_N��t�Q�X�j��7�����.��<�J����;���%
���&f%k;������H�6T�����������a��k���-�v�b�M�s�Wl.�H�:_�T\�0(��qh��&e�K��>���tG���u�k�R�g� T�"�[(j9_�E������3e[��t�s_a^c�'���n�� Y������@h���H�^�/	\����(��t���]%�D�#)u?�hu�=J�8��j>�]i|Y���u�A7-��>��mqo�G���X��/����g%pUe�#���n�����}��/���E���U�{x���CJ�$��/ck�2(U&�/-#e��asg�5k�K��1�]��*/��J���X-��Bg5���_6�-�U)=�*Z~����'��H;/��	o�~����H����fU)�h��S�t?x~��l"i�1?�i�J�`�R�W��]R��&{V!W�^vh&M��S�s0r��9~(0�j�FHE���0�cf�iOV����WG�'
������~�	���u2������5������r�a�!�C��*3&���(n��'����~*�
�#�J���?�I�U�d��@����o������*�WU�H��i�e��������x���/�1�}\D������#�!��g~S��G���>y�,��'���z�i�Q������N�Y�{�~z3�8a���#��lVv����\�1
�4m�0MV53#��Ec�;-{��s��f�\(���������f'�/3J1����������!~��q_�
�
�
tWy�IQ�#x39})u�*
�������������
��G���8��i���0����pBIZ���-z
e��Z^��%����Q�j�CE�����4��n�#�~��t �L����#D���D�#�������M���K�on1��/��O��`���5L�@����d��)]���;,oU��wa���>�F����jq����}������R�)F����wN�+zHx9��j�B9����j��0
4�fR����4�5Z4w��"���+r��*s�4:O>G�����K�,�'��y��r2�<L.���]�2�������a���'$j����QRGx��1N����.L�r{��s�c� ��T��A�����U}�����D}�N�`9X���E�I���O6����Wf}���,e�
L�6�'�F��P�\k�6<G�?���	�r�\>&��^�>��J���F��Y�T�Z�q���	�
��NH?m����xsw��)8�5ew��g^�ziHesZ\C_T6����T(�/�4M&�,�pY|:��N+��&��g�,�����=�P���������<��L����W�>l� v�)�[���?�`��r�#�jm7��[Sh�i��U�H@K*���������U��,}������$��(����3H�9C����1�_X�C�m�����I��"��� ����������c���o+BD���Z������B�&"6[8Z/4#�"4�/�B\y���S3��s:�WX��?���I	Z�����`|�������Z��
�`�	��U���!��	X?J[-�
���g�W�n\~�6>�ml�r
��|���tFTT��r����k]��TJ��G��"(��f
$�3�HX74(�0��m��������=z'��g]����R��
���:�*�G��q�v�s4���W�0N�C6O����=�)`
�R�0\u{�L���ka1��_^���!���b�4�K�9S����gI7�����}=�s�+��V�A2�o���W��V�9K��W�g���M��
�n�c�M�?�����C�1����[���>�7z�1f�i*2�i\�^�x-�o�12��Lm������?~�7}�!@���~l{�0�����2��dD�w���W����5������U��Av�)�����"��_��l�h���7��u)
m�8�:_C�o��_lm��0Ol�|:��z�G�g^-��}�_�h���G����^�_DB>����x����z�2��{�����?�G3�P�����ft(����mtq���'3��/�^�ct��j��6~�[�%�cT�V	=��D��<�I�$�%�R�xH�`4�.���� ��8D�!gU5��K�&�M�gk[A����K�������y��bCD�(Y��s_k����{[�����{����1"�]

1:  0278c7ba90 = 1:  36409a76ce common/jsonapi: support FRONTEND clients
2:  bb3ce4b6a9 = 2:  1356b729db libpq: add OAUTHBEARER SASL mechanism
3:  20b7522228 ! 3:  863a49f863 backend: add OAUTHBEARER SASL mechanism
    @@ src/backend/utils/misc/guc_tables.c
      #include "nodes/queryjumble.h"
      #include "optimizer/cost.h"
     @@ src/backend/utils/misc/guc_tables.c: struct config_string ConfigureNamesString[] =
    - 		check_io_direct, assign_io_direct, NULL
    + 		check_debug_io_direct, assign_debug_io_direct, NULL
      	},
      
     +	{
4:  f3cec068f9 = 4:  348554e5f4 Add pytest suite for OAuth
5:  da1933ac1d ! 5:  16d3984a45 squash! Add pytest suite for OAuth
    @@ Commit message
         - The with_oauth test skip logic should probably be integrated into the
           Makefile side as well...
     
    - ## .cirrus.yml ##
    -@@ .cirrus.yml: env:
    + ## .cirrus.tasks.yml ##
    +@@ .cirrus.tasks.yml: env:
        MTEST_ARGS: --print-errorlogs --no-rebuild -C build
        PGCTLTIMEOUT: 120 # avoids spurious failures during parallel tests
        TEMP_CONFIG: ${CIRRUS_WORKING_DIR}/src/tools/ci/pg_ci_base.conf
    @@ .cirrus.yml: env:
      
      
      # What files to preserve in case tests fail
    -@@ .cirrus.yml: task:
    +@@ .cirrus.tasks.yml: task:
          chown root:postgres /tmp/cores
          sysctl kern.corefile='/tmp/cores/%N.%P.core'
        setup_additional_packages_script: |
    @@ .cirrus.yml: task:
      
        # NB: Intentionally build without -Dllvm. The freebsd image size is already
        # large enough to make VM startup slow, and even without llvm freebsd
    -@@ .cirrus.yml: task:
    +@@ .cirrus.tasks.yml: task:
              --buildtype=debug \
              -Dcassert=true -Duuid=bsd -Dtcl_version=tcl86 -Ddtrace=auto \
              -DPG_TEST_EXTRA="$PG_TEST_EXTRA" \
    @@ .cirrus.yml: task:
              -Dextra_lib_dirs=/usr/local/lib -Dextra_include_dirs=/usr/local/include/ \
              build
          EOF
    -@@ .cirrus.yml: LINUX_CONFIGURE_FEATURES: &LINUX_CONFIGURE_FEATURES >-
    +@@ .cirrus.tasks.yml: LINUX_CONFIGURE_FEATURES: &LINUX_CONFIGURE_FEATURES >-
        --with-libxslt
        --with-llvm
        --with-lz4
    @@ .cirrus.yml: LINUX_CONFIGURE_FEATURES: &LINUX_CONFIGURE_FEATURES >-
        --with-pam
        --with-perl
        --with-python
    -@@ .cirrus.yml: LINUX_CONFIGURE_FEATURES: &LINUX_CONFIGURE_FEATURES >-
    +@@ .cirrus.tasks.yml: LINUX_CONFIGURE_FEATURES: &LINUX_CONFIGURE_FEATURES >-
      
      LINUX_MESON_FEATURES: &LINUX_MESON_FEATURES >-
        -Dllvm=enabled
    @@ .cirrus.yml: LINUX_CONFIGURE_FEATURES: &LINUX_CONFIGURE_FEATURES >-
        -Duuid=e2fs
      
      
    -@@ .cirrus.yml: task:
    +@@ .cirrus.tasks.yml: task:
          EOF
      
        setup_additional_packages_script: |
    @@ .cirrus.yml: task:
      
        matrix:
          - name: Linux - Debian Bullseye - Autoconf
    -@@ .cirrus.yml: task:
    +@@ .cirrus.tasks.yml: task:
          folder: $CCACHE_DIR
      
        setup_additional_packages_script: |
    @@ src/test/python/requirements.txt
      construct~=2.10.61
      isort~=5.6
      # TODO: update to psycopg[c] 3.1
    +-psycopg2~=2.9.6
    ++psycopg2~=2.9.7
    + pytest~=7.3
    + pytest-asyncio~=0.21.0
     
      ## src/test/python/server/conftest.py ##
     @@
6:  8f36b5c124 < -:  ---------- XXX work around psycopg2 build failures

1:  36409a76ce = 1:  0ff053cf31 common/jsonapi: support FRONTEND clients
2:  1356b729db ! 2:  26a341e1de libpq: add OAUTHBEARER SASL mechanism
    @@ Commit message
             Visit https://oauth.example.org/login and enter the code: FPQ2-M4BG
     
         The OAuth issuer must support device authorization. No other OAuth flows
    -    are currently implemented.
    +    are currently implemented (but clients may provide their own flows; see
    +    below).
     
         The client implementation requires either libcurl or libiddawc and their
         development headers. Pass `curl` or `iddawc` to --with-oauth/-Doauth
    @@ Commit message
     
         Thomas Munro wrote the kqueue() implementation for oauth-curl; thanks!
     
    +    = PQauthDataHook =
    +
    +    Clients may override two pieces of OAuth handling using the new
    +    PQsetAuthDataHook():
    +
    +    - PQAUTHDATA_PROMPT_OAUTH_DEVICE: replaces the default user prompt to
    +      standard error when using the builtin device authorization flow
    +
    +    - PQAUTHDATA_OAUTH_BEARER_TOKEN: replaces the entire OAuth flow with a
    +      custom asynchronous implementation
    +
    +    In general, a hook implementation should examine the incoming `type` to
    +    decide whether or not to handle a specific piece of authdata; if not, it
    +    should delegate to the previous hook in the chain (retrievable via
    +    PQgetAuthDataHook()). Otherwise, it should return an integer > 0 and
    +    follow the authdata-specific instructions. Returning an integer < 0
    +    signals an error condition and abandons the connection attempt.
    +
    +    == PQAUTHDATA_PROMPT_OAUTH_DEVICE ==
    +
    +    The hook should display the device prompt (URL + code) using whatever
    +    method it prefers.
    +
    +    == PQAUTHDATA_OAUTH_BEARER_TOKEN ==
    +
    +    The hook should either directly return a Bearer token for the current
    +    user/issuer/scope combination, if one is available without blocking, or
    +    else set up an asynchronous callback to retrieve one. See the
    +    documentation for PQoauthBearerRequest.
    +
         Several TODOs:
         - don't retry forever if the server won't accept our token
         - perform several sanity checks on the OAuth issuer's responses
         - handle cases where the client has been set up with an issuer and
           scope, but the Postgres server wants to use something different
         - improve error debuggability during the OAuth handshake
    -    - migrate JSON parsing to the new JSON_SEM_ACTION_FAILED API convention
         - fix libcurl initialization thread-safety
         - harden the libcurl flow implementation
    -    - figure out how to report the user code and URL without the notice
    -      processor
    +    - figure out pgsocket/int difference on Windows
         - ...and more.
     
      ## configure ##
    @@ src/interfaces/libpq/Makefile: endif
      SHLIB_LINK += $(filter -lcrypt -ldes -lcom_err -lcrypto -lk5crypto -lkrb5 -lgssapi32 -lssl -lsocket -lnsl -lresolv -lintl -lm $(PTHREAD_LIBS), $(LIBS)) $(LDAP_LIBS_FE)
      endif
     
    + ## src/interfaces/libpq/exports.txt ##
    +@@ src/interfaces/libpq/exports.txt: PQclosePrepared           188
    + PQclosePortal             189
    + PQsendClosePrepared       190
    + PQsendClosePortal         191
    ++PQsetAuthDataHook         192
    ++PQgetAuthDataHook         193
    ++PQdefaultAuthDataHook     194
    +
      ## src/interfaces/libpq/fe-auth-oauth-curl.c (new) ##
     @@
     +/*-------------------------------------------------------------------------
    @@ src/interfaces/libpq/fe-auth-oauth-curl.c (new)
     +#include <unistd.h>
     +
     +#include "common/jsonapi.h"
    ++#include "fe-auth.h"
     +#include "fe-auth-oauth.h"
     +#include "libpq-int.h"
     +#include "mb/pg_wchar.h"
    @@ src/interfaces/libpq/fe-auth-oauth-curl.c (new)
     +	 */
     +	struct provider		provider;
     +	struct device_authz	authz;
    ++
    ++	bool		user_prompted;	/* have we already sent the authz prompt? */
     +};
     +
     +/*
    -+ * Exported function to free the async_ctx, which is stored directly on the
    -+ * PGconn. This is called during pqDropConnection() so that we don't leak
    -+ * resources even if PQconnectPoll() never calls us back.
    ++ * Frees the async_ctx, which is stored directly on the PGconn. This is called
    ++ * during pqDropConnection() so that we don't leak resources even if
    ++ * PQconnectPoll() never calls us back.
     + *
     + * TODO: we should probably call this at the end of a successful authentication,
     + * too, to proactively free up resources.
     + */
    -+void
    -+pg_fe_free_oauth_async_ctx(PGconn *conn, void *ctx)
    ++static void
    ++free_curl_async_ctx(PGconn *conn, void *ctx)
     +{
     +	struct async_ctx *actx = ctx;
     +
    @@ src/interfaces/libpq/fe-auth-oauth-curl.c (new)
     +#endif
     +
     +		state->async_ctx = actx;
    ++		state->free_async_ctx = free_curl_async_ctx;
     +
     +		initPQExpBuffer(&actx->work_data);
     +		initPQExpBuffer(&actx->errbuf);
    @@ src/interfaces/libpq/fe-auth-oauth-curl.c (new)
     +			if (!finish_token_request(actx, &tok))
     +				goto error_return;
     +
    -+			/*
    -+			 * Now that we know the token endpoint isn't broken, give the user
    -+			 * the login instructions.
    -+			 *
    -+			 * TODO: allow client applications to override this handling.
    -+			 */
    -+			fprintf(stderr, "Visit %s and enter the code: %s",
    -+					actx->authz.verification_uri, actx->authz.user_code);
    ++			if (!actx->user_prompted)
    ++			{
    ++				int			res;
    ++				PQpromptOAuthDevice prompt = {
    ++					.verification_uri = actx->authz.verification_uri,
    ++					.user_code = actx->authz.user_code,
    ++					/* TODO: optional fields */
    ++				};
    ++
    ++				/*
    ++				 * Now that we know the token endpoint isn't broken, give the
    ++				 * user the login instructions.
    ++				 */
    ++				res = PQauthDataHook(PQAUTHDATA_PROMPT_OAUTH_DEVICE, conn,
    ++									 &prompt);
    ++
    ++				if (!res)
    ++				{
    ++					fprintf(stderr, "Visit %s and enter the code: %s",
    ++							prompt.verification_uri, prompt.user_code);
    ++				}
    ++				else if (res < 0)
    ++				{
    ++					actx_error(actx, "device prompt failed");
    ++					goto error_return;
    ++				}
    ++
    ++				actx->user_prompted = true;
    ++			}
     +
     +			if (tok.access_token)
     +			{
    @@ src/interfaces/libpq/fe-auth-oauth-iddawc.c (new)
     +
     +		if (!user_prompted)
     +		{
    ++			int			res;
    ++			PQpromptOAuthDevice prompt = {
    ++				.verification_uri = verification_uri,
    ++				.user_code = user_code,
    ++				/* TODO: optional fields */
    ++			};
    ++
     +			/*
     +			 * Now that we know the token endpoint isn't broken, give the user
     +			 * the login instructions.
     +			 */
    -+			pqInternalNotice(&conn->noticeHooks,
    -+							 "Visit %s and enter the code: %s",
    -+							 verification_uri, user_code);
    ++			res = PQauthDataHook(PQAUTHDATA_PROMPT_OAUTH_DEVICE, conn,
    ++								 &prompt);
    ++
    ++			if (!res)
    ++			{
    ++				fprintf(stderr, "Visit %s and enter the code: %s",
    ++						prompt.verification_uri, prompt.user_code);
    ++			}
    ++			else if (res < 0)
    ++			{
    ++				appendPQExpBufferStr(&conn->errorMessage,
    ++									 libpq_gettext("device prompt failed\n"));
    ++				goto cleanup;
    ++			}
     +
     +			user_prompted = true;
     +		}
    @@ src/interfaces/libpq/fe-auth-oauth-iddawc.c (new)
     +	/* TODO: actually make this asynchronous */
     +	state->token = run_iddawc_auth_flow(conn, conn->oauth_discovery_uri);
     +	return state->token ? PGRES_POLLING_OK : PGRES_POLLING_FAILED;
    -+}
    -+
    -+void
    -+pg_fe_free_oauth_async_ctx(PGconn *conn, void *ctx)
    -+{
    -+	/* We currently have no async_ctx, so this should not be called. */
    -+	Assert(false);
     +}
     
      ## src/interfaces/libpq/fe-auth-oauth.c (new) ##
    @@ src/interfaces/libpq/fe-auth-oauth.c (new)
     +	Assert(sasl_mechanism != NULL);
     +	Assert(!strcmp(sasl_mechanism, OAUTHBEARER_NAME));
     +
    -+	state = malloc(sizeof(*state));
    ++	state = calloc(1, sizeof(*state));
     +	if (!state)
     +		return NULL;
     +
     +	state->state = FE_OAUTH_INIT;
     +	state->conn = conn;
    -+	state->token = NULL;
    -+	state->async_ctx = NULL;
     +
     +	return state;
     +}
    @@ src/interfaces/libpq/fe-auth-oauth.c (new)
     +{
     +	struct json_ctx	   *ctx = state;
     +
    -+	if (oauth_json_has_error(ctx))
    -+		return JSON_SUCCESS; /* short-circuit */
    -+
     +	if (ctx->target_field)
     +	{
     +		Assert(ctx->nested == 1);
    @@ src/interfaces/libpq/fe-auth-oauth.c (new)
     +	}
     +
     +	++ctx->nested;
    -+	return JSON_SUCCESS; /* TODO: switch all of these to JSON_SEM_ACTION_FAILED */
    ++	return oauth_json_has_error(ctx) ? JSON_SEM_ACTION_FAILED : JSON_SUCCESS;
     +}
     +
     +static JsonParseErrorType
    @@ src/interfaces/libpq/fe-auth-oauth.c (new)
     +{
     +	struct json_ctx	   *ctx = state;
     +
    -+	if (oauth_json_has_error(ctx))
    -+		return JSON_SUCCESS; /* short-circuit */
    -+
     +	--ctx->nested;
     +	return JSON_SUCCESS;
     +}
    @@ src/interfaces/libpq/fe-auth-oauth.c (new)
     +{
     +	struct json_ctx	   *ctx = state;
     +
    -+	if (oauth_json_has_error(ctx))
    -+	{
    -+		/* short-circuit */
    -+		free(name);
    -+		return JSON_SUCCESS;
    -+	}
    -+
     +	if (ctx->nested == 1)
     +	{
     +		if (!strcmp(name, ERROR_STATUS_FIELD))
    @@ src/interfaces/libpq/fe-auth-oauth.c (new)
     +{
     +	struct json_ctx	   *ctx = state;
     +
    -+	if (oauth_json_has_error(ctx))
    -+		return JSON_SUCCESS; /* short-circuit */
    -+
     +	if (!ctx->nested)
     +	{
     +		ctx->errmsg = libpq_gettext("top-level element must be an object");
    @@ src/interfaces/libpq/fe-auth-oauth.c (new)
     +							 ctx->target_field_name);
     +	}
     +
    -+	return JSON_SUCCESS;
    ++	return oauth_json_has_error(ctx) ? JSON_SEM_ACTION_FAILED : JSON_SUCCESS;
     +}
     +
     +static JsonParseErrorType
    @@ src/interfaces/libpq/fe-auth-oauth.c (new)
     +{
     +	struct json_ctx	   *ctx = state;
     +
    -+	if (oauth_json_has_error(ctx))
    -+	{
    -+		/* short-circuit */
    -+		free(token);
    -+		return JSON_SUCCESS;
    -+	}
    -+
     +	if (!ctx->nested)
     +	{
     +		ctx->errmsg = libpq_gettext("top-level element must be an object");
    @@ src/interfaces/libpq/fe-auth-oauth.c (new)
     +	}
     +
     +	free(token);
    -+	return JSON_SUCCESS;
    ++	return oauth_json_has_error(ctx) ? JSON_SEM_ACTION_FAILED : JSON_SUCCESS;
     +}
     +
     +static bool
    @@ src/interfaces/libpq/fe-auth-oauth.c (new)
     +
     +	err = pg_parse_json(&lex, &sem);
     +
    -+	if (err != JSON_SUCCESS)
    -+	{
    -+		errmsg = json_errdetail(err, &lex);
    -+	}
    -+	else if (PQExpBufferDataBroken(ctx.errbuf))
    -+	{
    -+		errmsg = libpq_gettext("out of memory");
    -+	}
    -+	else if (ctx.errmsg)
    ++	if (err == JSON_SEM_ACTION_FAILED)
     +	{
    -+		errmsg = ctx.errmsg;
    ++		if (PQExpBufferDataBroken(ctx.errbuf))
    ++			errmsg = libpq_gettext("out of memory");
    ++		else if (ctx.errmsg)
    ++			errmsg = ctx.errmsg;
    ++		else
    ++		{
    ++			/*
    ++			 * Developer error: one of the action callbacks didn't call
    ++			 * oauth_json_set_error() before erroring out.
    ++			 */
    ++			Assert(oauth_json_has_error(&ctx));
    ++			errmsg = "<unexpected empty error>";
    ++		}
     +	}
    ++	else if (err != JSON_SUCCESS)
    ++		errmsg = json_errdetail(err, &lex);
     +
     +	if (errmsg)
     +		appendPQExpBuffer(&conn->errorMessage,
    @@ src/interfaces/libpq/fe-auth-oauth.c (new)
     +	return true;
     +}
     +
    ++static void
    ++free_request(PGconn *conn, void *vreq)
    ++{
    ++	PQoauthBearerRequest *request = vreq;
    ++
    ++	if (request->cleanup)
    ++		request->cleanup(conn, request);
    ++
    ++	free(request);
    ++}
    ++
    ++static PostgresPollingStatusType
    ++run_user_oauth_flow(PGconn *conn, pgsocket *altsock)
    ++{
    ++	fe_oauth_state *state = conn->sasl_state;
    ++	PQoauthBearerRequest *request = state->async_ctx;
    ++	PostgresPollingStatusType status;
    ++
    ++	if (!request->async)
    ++	{
    ++		libpq_append_conn_error(conn, "user-defined OAuth flow provided neither a token nor an async callback");
    ++		return PGRES_POLLING_FAILED;
    ++	}
    ++
    ++	status = request->async(conn, request, altsock);
    ++	if (status == PGRES_POLLING_FAILED)
    ++	{
    ++		libpq_append_conn_error(conn, "user-defined OAuth flow failed");
    ++		return status;
    ++	}
    ++	else if (status == PGRES_POLLING_OK)
    ++	{
    ++		/*
    ++		 * We already have a token, so copy it into the state. (We can't
    ++		 * hold onto the original string, since it may not be safe for us to
    ++		 * free() it.)
    ++		 */
    ++		PQExpBufferData	token;
    ++
    ++		if (!request->token)
    ++		{
    ++			libpq_append_conn_error(conn, "user-defined OAuth flow did not provide a token");
    ++			return PGRES_POLLING_FAILED;
    ++		}
    ++
    ++		initPQExpBuffer(&token);
    ++		appendPQExpBuffer(&token, "Bearer %s", request->token);
    ++
    ++		if (PQExpBufferDataBroken(token))
    ++		{
    ++			libpq_append_conn_error(conn, "out of memory");
    ++			return PGRES_POLLING_FAILED;
    ++		}
    ++
    ++		state->token = token.data;
    ++		return PGRES_POLLING_OK;
    ++	}
    ++
    ++	/* TODO: what if no altsock was set? */
    ++	return status;
    ++}
    ++
    ++static bool
    ++setup_token_request(PGconn *conn, fe_oauth_state *state)
    ++{
    ++	int			res;
    ++	PQoauthBearerRequest request = {
    ++		.openid_configuration = conn->oauth_discovery_uri,
    ++		.scope = conn->oauth_scope,
    ++	};
    ++
    ++	Assert(request.openid_configuration);
    ++
    ++	/* The client may have overridden the OAuth flow. */
    ++	res = PQauthDataHook(PQAUTHDATA_OAUTH_BEARER_TOKEN, conn, &request);
    ++	if (res > 0)
    ++	{
    ++		PQoauthBearerRequest *request_copy;
    ++
    ++		if (request.token)
    ++		{
    ++			/*
    ++			 * We already have a token, so copy it into the state. (We can't
    ++			 * hold onto the original string, since it may not be safe for us to
    ++			 * free() it.)
    ++			 */
    ++			PQExpBufferData	token;
    ++
    ++			initPQExpBuffer(&token);
    ++			appendPQExpBuffer(&token, "Bearer %s", request.token);
    ++
    ++			if (PQExpBufferDataBroken(token))
    ++			{
    ++				libpq_append_conn_error(conn, "out of memory");
    ++				goto fail;
    ++			}
    ++
    ++			state->token = token.data;
    ++
    ++			/* short-circuit */
    ++			if (request.cleanup)
    ++				request.cleanup(conn, &request);
    ++			return true;
    ++		}
    ++
    ++		request_copy = malloc(sizeof(*request_copy));
    ++		if (!request_copy)
    ++		{
    ++			libpq_append_conn_error(conn, "out of memory");
    ++			goto fail;
    ++		}
    ++
    ++		memcpy(request_copy, &request, sizeof(request));
    ++
    ++		conn->async_auth = run_user_oauth_flow;
    ++		state->async_ctx = request_copy;
    ++		state->free_async_ctx = free_request;
    ++	}
    ++	else if (res < 0)
    ++	{
    ++		libpq_append_conn_error(conn, "user-defined OAuth flow failed");
    ++		goto fail;
    ++	}
    ++	else
    ++	{
    ++		/* Use our built-in OAuth flow. */
    ++		conn->async_auth = pg_fe_run_oauth_flow;
    ++	}
    ++
    ++	return true;
    ++
    ++fail:
    ++	if (request.cleanup)
    ++		request.cleanup(conn, &request);
    ++	return false;
    ++}
    ++
     +static bool
     +derive_discovery_uri(PGconn *conn)
     +{
    @@ src/interfaces/libpq/fe-auth-oauth.c (new)
     +				}
     +
     +				/*
    -+				 * At this point we have to hand the connection over to our
    -+				 * OAuth implementation. This involves a number of HTTP
    -+				 * connections and timed waits, so we escape the synchronous
    -+				 * auth processing and tell PQconnectPoll to transfer control to
    -+				 * our async implementation.
    ++				 * Decide whether we're using a user-provided OAuth flow, or the
    ++				 * one we have built in.
     +				 */
    -+				conn->async_auth = pg_fe_run_oauth_flow;
    -+				state->state = FE_OAUTH_REQUESTING_TOKEN;
    -+				return SASL_ASYNC;
    -+			}
    ++				if (!setup_token_request(conn, state))
    ++					return SASL_FAILED;
     +
    -+			/*
    -+			 * If we don't have a discovery URI to be able to request a token,
    -+			 * we ask the server for one explicitly with an empty token. This
    -+			 * doesn't require any asynchronous work.
    -+			 */
    -+			state->token = strdup("");
    -+			if (!state->token)
    ++				if (state->token)
    ++				{
    ++					/*
    ++					 * A really smart user implementation may have already given
    ++					 * us the token (e.g. if there was an unexpired copy already
    ++					 * cached). In that case, we can just fall through.
    ++					 */
    ++				}
    ++				else
    ++				{
    ++					/*
    ++					 * Otherwise, we have to hand the connection over to our
    ++					 * OAuth implementation. This involves a number of HTTP
    ++					 * connections and timed waits, so we escape the synchronous
    ++					 * auth processing and tell PQconnectPoll to transfer
    ++					 * control to our async implementation.
    ++					 */
    ++					Assert(conn->async_auth); /* should have been set already */
    ++					state->state = FE_OAUTH_REQUESTING_TOKEN;
    ++					return SASL_ASYNC;
    ++				}
    ++			}
    ++			else
     +			{
    -+				libpq_append_conn_error(conn, "out of memory");
    -+				return SASL_FAILED;
    ++				/*
    ++				 * If we don't have a discovery URI to be able to request a
    ++				 * token, we ask the server for one explicitly with an empty
    ++				 * token. This doesn't require any asynchronous work.
    ++				 */
    ++				state->token = strdup("");
    ++				if (!state->token)
    ++				{
    ++					libpq_append_conn_error(conn, "out of memory");
    ++					return SASL_FAILED;
    ++				}
     +			}
     +
     +			/* fall through */
    @@ src/interfaces/libpq/fe-auth-oauth.c (new)
     +
     +	free(state->token);
     +	if (state->async_ctx)
    -+		pg_fe_free_oauth_async_ctx(state->conn, state->async_ctx);
    ++		state->free_async_ctx(state->conn, state->async_ctx);
     +
     +	free(state);
     +}
    @@ src/interfaces/libpq/fe-auth-oauth.h (new)
     +
     +	PGconn	   *conn;
     +	char	   *token;
    ++
     +	void	   *async_ctx;
    ++	void	  (*free_async_ctx) (PGconn *conn, void *ctx);
     +} fe_oauth_state;
     +
     +extern PostgresPollingStatusType pg_fe_run_oauth_flow(PGconn *conn, pgsocket *altsock);
    -+extern void pg_fe_free_oauth_async_ctx(PGconn *conn, void *ctx);
     +
     +#endif							/* FE_AUTH_OAUTH_H */
     
    @@ src/interfaces/libpq/fe-auth.c: pg_fe_sendauth(AuthRequest areq, int payloadlen,
      			{
      				/* Use this message if pg_SASL_continue didn't supply one */
      				if (conn->errorMessage.len == oldmsglen)
    +@@ src/interfaces/libpq/fe-auth.c: PQencryptPasswordConn(PGconn *conn, const char *passwd, const char *user,
    + 
    + 	return crypt_pwd;
    + }
    ++
    ++PQauthDataHook_type PQauthDataHook = PQdefaultAuthDataHook;
    ++
    ++PQauthDataHook_type
    ++PQgetAuthDataHook(void)
    ++{
    ++	return PQauthDataHook;
    ++}
    ++
    ++void
    ++PQsetAuthDataHook(PQauthDataHook_type hook)
    ++{
    ++	PQauthDataHook = hook ? hook : PQdefaultAuthDataHook;
    ++}
    ++
    ++int
    ++PQdefaultAuthDataHook(PGAuthData type, PGconn *conn, void *data)
    ++{
    ++	return 0; /* handle nothing */
    ++}
     
      ## src/interfaces/libpq/fe-auth.h ##
     @@
    + #include "libpq-int.h"
      
      
    ++extern PQauthDataHook_type PQauthDataHook;
    ++
    ++
      /* Prototypes for functions in fe-auth.c */
     -extern int	pg_fe_sendauth(AuthRequest areq, int payloadlen, PGconn *conn);
     +extern int	pg_fe_sendauth(AuthRequest areq, int payloadlen, PGconn *conn,
    @@ src/interfaces/libpq/fe-connect.c: keep_going:						/* We will come back to here
     +		case CONNECTION_AUTHENTICATING:
     +			{
     +				PostgresPollingStatusType status;
    -+				pgsocket	altsock;
    ++				pgsocket	altsock = PGINVALID_SOCKET;
     +
     +				if (!conn->async_auth)
     +				{
    @@ src/interfaces/libpq/fe-misc.c: pqSocketCheck(PGconn *conn, int forRead, int for
      	if (result < 0)
     
      ## src/interfaces/libpq/libpq-fe.h ##
    +@@ src/interfaces/libpq/libpq-fe.h: extern "C"
    + #define LIBPQ_HAS_TRACE_FLAGS 1
    + /* Indicates that PQsslAttribute(NULL, "library") is useful */
    + #define LIBPQ_HAS_SSL_LIBRARY_DETECTION 1
    ++/* Indicates presence of the PQAUTHDATA_PROMPT_OAUTH_DEVICE authdata hook */
    ++#define LIBPQ_HAS_PROMPT_OAUTH_DEVICE 1
    + 
    + /*
    +  * Option flags for PQcopyResult
     @@ src/interfaces/libpq/libpq-fe.h: typedef enum
      	CONNECTION_CONSUME,			/* Consuming any extra messages. */
      	CONNECTION_GSS_STARTUP,		/* Negotiating GSSAPI. */
    @@ src/interfaces/libpq/libpq-fe.h: typedef enum
      } ConnStatusType;
      
      typedef enum
    +@@ src/interfaces/libpq/libpq-fe.h: typedef enum
    + 	PQ_PIPELINE_ABORTED
    + } PGpipelineStatus;
    + 
    ++typedef enum
    ++{
    ++	PQAUTHDATA_PROMPT_OAUTH_DEVICE,	/* user must visit a device-authorization URL */
    ++	PQAUTHDATA_OAUTH_BEARER_TOKEN,	/* server requests an OAuth Bearer token */
    ++} PGAuthData;
    ++
    + /* PGconn encapsulates a connection to the backend.
    +  * The contents of this struct are not supposed to be known to applications.
    +  */
    +@@ src/interfaces/libpq/libpq-fe.h: extern int	PQenv2encoding(void);
    + 
    + /* === in fe-auth.c === */
    + 
    ++typedef struct _PQpromptOAuthDevice
    ++{
    ++	const char *verification_uri;			/* verification URI to visit */
    ++	const char *user_code;					/* user code to enter */
    ++} PQpromptOAuthDevice;
    ++
    ++typedef struct _PQoauthBearerRequest
    ++{
    ++	/* Hook inputs (constant across all calls) */
    ++	const char * const openid_configuration;	/* OIDC discovery URI */
    ++	const char * const scope;					/* required scope(s), or NULL */
    ++
    ++	/* Hook outputs */
    ++
    ++	/*
    ++	 * Callback implementing a custom asynchronous OAuth flow.
    ++	 *
    ++	 * The callback may return
    ++	 * - PGRES_POLLING_READING/WRITING, to indicate that a file descriptor has
    ++	 *   been stored in *altsock and libpq should wait until it is readable or
    ++	 *   writable before calling back;
    ++	 * - PGRES_POLLING_OK, to indicate that the flow is complete and
    ++	 *   request->token has been set; or
    ++	 * - PGRES_POLLING_FAILED, to indicate that token retrieval has failed.
    ++	 *
    ++	 * This callback is optional. If the token can be obtained without blocking
    ++	 * during the original call to the PQAUTHDATA_OAUTH_BEARER_TOKEN hook, it
    ++	 * may be returned directly, but one of request->async or request->token
    ++	 * must be set by the hook.
    ++	 */
    ++	PostgresPollingStatusType (*async) (PGconn *conn,
    ++										struct _PQoauthBearerRequest *request,
    ++										int *altsock);
    ++
    ++	/*
    ++	 * Callback to clean up custom allocations. A hook implementation may use
    ++	 * this to free request->token and any resources in request->user.
    ++	 *
    ++	 * This is technically optional, but highly recommended, because there is no
    ++	 * other indication as to when it is safe to free the token.
    ++	 */
    ++	void	  (*cleanup) (PGconn *conn, struct _PQoauthBearerRequest *request);
    ++
    ++	/*
    ++	 * The hook should set this to the Bearer token contents for the connection,
    ++	 * once the flow is completed.  The token contents must remain available to
    ++	 * libpq until the hook's cleanup callback is called.
    ++	 */
    ++	char	   *token;
    ++
    ++	/*
    ++	 * Hook-defined data. libpq will not modify this pointer across calls to the
    ++	 * async callback, so it can be used to keep track of application-specific
    ++	 * state. Resources allocated here should be freed by the cleanup callback.
    ++	 */
    ++	void	   *user;
    ++} PQoauthBearerRequest;
    ++
    + extern char *PQencryptPassword(const char *passwd, const char *user);
    + extern char *PQencryptPasswordConn(PGconn *conn, const char *passwd, const char *user, const char *algorithm);
    + 
    ++typedef int (*PQauthDataHook_type) (PGAuthData type, PGconn *conn, void *data);
    ++extern void	PQsetAuthDataHook(PQauthDataHook_type hook);
    ++extern PQauthDataHook_type PQgetAuthDataHook(void);
    ++extern int	PQdefaultAuthDataHook(PGAuthData type, PGconn *conn, void *data);
    ++
    + /* === in encnames.c === */
    + 
    + extern int	pg_char_to_encoding(const char *name);
     
      ## src/interfaces/libpq/libpq-int.h ##
     @@ src/interfaces/libpq/libpq-int.h: typedef struct pg_conn_host
3:  863a49f863 = 3:  d02bc9a466 backend: add OAUTHBEARER SASL mechanism
4:  348554e5f4 ! 4:  fded01d22b Add pytest suite for OAuth
    @@ src/test/python/client/test_oauth.py (new)
     +#
     +
     +import base64
    ++import collections
    ++import ctypes
     +import http.server
     +import json
    ++import logging
    ++import os
    ++import platform
     +import secrets
     +import sys
     +import threading
     +import time
    ++import traceback
    ++import types
     +import urllib.parse
     +from numbers import Number
     +
    @@ src/test/python/client/test_oauth.py (new)
     +
     +from .conftest import BLOCKING_TIMEOUT
     +
    ++if platform.system() == "Darwin":
    ++    libpq = ctypes.cdll.LoadLibrary("libpq.5.dylib")
    ++else:
    ++    libpq = ctypes.cdll.LoadLibrary("libpq.so.5")
    ++
     +
     +def finish_handshake(conn):
     +    """
    @@ src/test/python/client/test_oauth.py (new)
     +        thread.stop()
     +
     +
    ++#
    ++# PQAuthDataHook implementation, matching libpq.h
    ++#
    ++
    ++
    ++PQAUTHDATA_PROMPT_OAUTH_DEVICE = 0
    ++PQAUTHDATA_OAUTH_BEARER_TOKEN = 1
    ++
    ++PGRES_POLLING_FAILED = 0
    ++PGRES_POLLING_READING = 1
    ++PGRES_POLLING_WRITING = 2
    ++PGRES_POLLING_OK = 3
    ++
    ++
    ++class PQPromptOAuthDevice(ctypes.Structure):
    ++    _fields_ = [
    ++        ("verification_uri", ctypes.c_char_p),
    ++        ("user_code", ctypes.c_char_p),
    ++    ]
    ++
    ++
    ++class PQOAuthBearerRequest(ctypes.Structure):
    ++    pass
    ++
    ++
    ++PQOAuthBearerRequest._fields_ = [
    ++    ("openid_configuration", ctypes.c_char_p),
    ++    ("scope", ctypes.c_char_p),
    ++    (
    ++        "async_",
    ++        ctypes.CFUNCTYPE(
    ++            ctypes.c_int,
    ++            ctypes.c_void_p,
    ++            ctypes.POINTER(PQOAuthBearerRequest),
    ++            ctypes.POINTER(ctypes.c_int),
    ++        ),
    ++    ),
    ++    (
    ++        "cleanup",
    ++        ctypes.CFUNCTYPE(None, ctypes.c_void_p, ctypes.POINTER(PQOAuthBearerRequest)),
    ++    ),
    ++    ("token", ctypes.c_char_p),
    ++    ("user", ctypes.c_void_p),
    ++]
    ++
    ++
    ++@pytest.fixture
    ++def auth_data_cb():
    ++    """
    ++    Tracks calls to the libpq authdata hook. The yielded object contains a calls
    ++    member that records the data sent to the hook. If a test needs to perform
    ++    custom actions during a call, it can set the yielded object's impl callback;
    ++    beware that the callback takes place on a different thread.
    ++
    ++    This is done differently from the other callback implementations on purpose.
    ++    For the others, we can declare test-specific callbacks and have them perform
    ++    direct assertions on the data they receive. But that won't work for a C
    ++    callback, because there's no way for us to bubble up the assertion through
    ++    libpq. Instead, this mock-style approach is taken, where we just record the
    ++    calls and let the test examine them later.
    ++    """
    ++
    ++    class _Call:
    ++        pass
    ++
    ++    class _cb(object):
    ++        def __init__(self):
    ++            self.calls = []
    ++
    ++    cb = _cb()
    ++    cb.impl = None
    ++
    ++    # The callback will occur on a different thread, so protect the cb object.
    ++    cb_lock = threading.Lock()
    ++
    ++    @ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_byte, ctypes.c_void_p, ctypes.c_void_p)
    ++    def auth_data_cb(typ, pgconn, data):
    ++        handle_by_default = 0  # does an implementation have to be provided?
    ++
    ++        if typ == PQAUTHDATA_PROMPT_OAUTH_DEVICE:
    ++            cls = PQPromptOAuthDevice
    ++            handle_by_default = 1
    ++        elif typ == PQAUTHDATA_OAUTH_BEARER_TOKEN:
    ++            cls = PQOAuthBearerRequest
    ++        else:
    ++            return 0
    ++
    ++        call = _Call()
    ++        call.type = typ
    ++
    ++        # The lifetime of the underlying data being pointed to doesn't
    ++        # necessarily match the lifetime of the Python object, so we can't
    ++        # reference a Structure's fields after returning. Explicitly copy the
    ++        # contents over, field by field.
    ++        data = ctypes.cast(data, ctypes.POINTER(cls))
    ++        for name, _ in cls._fields_:
    ++            setattr(call, name, getattr(data.contents, name))
    ++
    ++        with cb_lock:
    ++            cb.calls.append(call)
    ++
    ++        if cb.impl:
    ++            # Pass control back to the test.
    ++            try:
    ++                return cb.impl(typ, pgconn, data.contents)
    ++            except Exception:
    ++                # This can't escape into the C stack, but we can fail the flow
    ++                # and hope the traceback gives us enough detail.
    ++                logging.error(
    ++                    "Exception during authdata hook callback:\n"
    ++                    + traceback.format_exc()
    ++                )
    ++                return -1
    ++
    ++        return handle_by_default
    ++
    ++    libpq.PQsetAuthDataHook(auth_data_cb)
    ++    try:
    ++        yield cb
    ++    finally:
    ++        # The callback is about to go out of scope, so make sure libpq is
    ++        # disconnected from it. (We wouldn't want to accidentally influence
    ++        # later tests anyway.)
    ++        libpq.PQsetAuthDataHook(None)
    ++
    ++
     +@pytest.mark.parametrize("secret", [None, "", "hunter2"])
     +@pytest.mark.parametrize("scope", [None, "", "openid email"])
     +@pytest.mark.parametrize("retries", [0, 1])
    @@ src/test/python/client/test_oauth.py (new)
     +    ],
     +)
     +def test_oauth_with_explicit_issuer(
    -+    capfd, accept, openid_provider, asynchronous, retries, scope, secret
    ++    accept, openid_provider, asynchronous, retries, scope, secret, auth_data_cb
     +):
     +    client_id = secrets.token_hex()
     +
    @@ src/test/python/client/test_oauth.py (new)
     +            finish_handshake(conn)
     +
     +    if retries:
    -+        # Finally, make sure that the client prompted the user with the expected
    -+        # authorization URL and user code.
    -+        expected = f"Visit {verification_url} and enter the code: {user_code}"
    -+        _, stderr = capfd.readouterr()
    -+        assert expected in stderr
    ++        # Finally, make sure that the client prompted the user once with the
    ++        # expected authorization URL and user code.
    ++        assert len(auth_data_cb.calls) == 2
    ++
    ++        # First call should have been for a custom flow, which we ignored.
    ++        assert auth_data_cb.calls[0].type == PQAUTHDATA_OAUTH_BEARER_TOKEN
    ++
    ++        # Second call is for our user prompt.
    ++        call = auth_data_cb.calls[1]
    ++        assert call.type == PQAUTHDATA_PROMPT_OAUTH_DEVICE
    ++        assert call.verification_uri.decode() == verification_url
    ++        assert call.user_code.decode() == user_code
     +
     +
     +def expect_disconnected_handshake(sock):
    @@ src/test/python/client/test_oauth.py (new)
     +            finish_handshake(conn)
     +
     +
    ++@pytest.fixture
    ++def self_pipe():
    ++    """
    ++    Yields a pipe fd pair.
    ++    """
    ++
    ++    class _Pipe:
    ++        pass
    ++
    ++    p = _Pipe()
    ++    p.readfd, p.writefd = os.pipe()
    ++
    ++    try:
    ++        yield p
    ++    finally:
    ++        os.close(p.readfd)
    ++        os.close(p.writefd)
    ++
    ++
    ++@pytest.mark.parametrize("scope", [None, "", "openid email"])
    ++@pytest.mark.parametrize(
    ++    "retries",
    ++    [
    ++        -1,  # no async callback
    ++        0,  # async callback immediately returns token
    ++        1,  # async callback waits on altsock once
    ++        2,  # async callback waits on altsock twice
    ++    ],
    ++)
    ++@pytest.mark.parametrize(
    ++    "asynchronous",
    ++    [
    ++        pytest.param(False, id="synchronous"),
    ++        pytest.param(True, id="asynchronous"),
    ++    ],
    ++)
    ++def test_user_defined_flow(
    ++    accept, auth_data_cb, self_pipe, scope, retries, asynchronous
    ++):
    ++    issuer = "http://localhost"
    ++    discovery_uri = issuer + "/.well-known/openid-configuration"
    ++    access_token = secrets.token_urlsafe()
    ++
    ++    sock, _ = accept(
    ++        oauth_issuer=issuer,
    ++        oauth_client_id="some-id",
    ++        oauth_scope=scope,
    ++        async_=asynchronous,
    ++    )
    ++
    ++    # Track callbacks.
    ++    attempts = 0
    ++    wakeup_called = False
    ++    cleanup_calls = 0
    ++    lock = threading.Lock()
    ++
    ++    def wakeup():
    ++        """Writes a byte to the wakeup pipe."""
    ++        nonlocal wakeup_called
    ++        with lock:
    ++            wakeup_called = True
    ++            os.write(self_pipe.writefd, b"\0")
    ++
    ++    def get_token(pgconn, request, p_altsock):
    ++        """
    ++        Async token callback. While attempts < retries, libpq will be instructed
    ++        to wait on the self_pipe. When attempts == retries, the token will be
    ++        set.
    ++
    ++        Note that assertions and exceptions raised here are allowed but not very
    ++        helpful, since they can't bubble through the libpq stack to be collected
    ++        by the test suite. Try not to rely too heavily on them.
    ++        """
    ++        # Make sure libpq passed our user data through.
    ++        assert request.user == 42
    ++
    ++        with lock:
    ++            nonlocal attempts, wakeup_called
    ++
    ++            if attempts:
    ++                # If we've already started the timer, we shouldn't get a
    ++                # call back before it trips.
    ++                assert wakeup_called, "authdata hook was called before the timer"
    ++
    ++                # Drain the wakeup byte.
    ++                os.read(self_pipe.readfd, 1)
    ++
    ++            if attempts < retries:
    ++                attempts += 1
    ++
    ++                # Wake up the client in a little bit of time.
    ++                wakeup_called = False
    ++                threading.Timer(0.1, wakeup).start()
    ++
    ++                # Tell libpq to wait on the other end of the wakeup pipe.
    ++                p_altsock[0] = self_pipe.readfd
    ++                return PGRES_POLLING_READING
    ++
    ++        # Done!
    ++        request.token = access_token.encode()
    ++        return PGRES_POLLING_OK
    ++
    ++    @ctypes.CFUNCTYPE(
    ++        ctypes.c_int,
    ++        ctypes.c_void_p,
    ++        ctypes.POINTER(PQOAuthBearerRequest),
    ++        ctypes.POINTER(ctypes.c_int),
    ++    )
    ++    def get_token_wrapper(pgconn, p_request, p_altsock):
    ++        """
    ++        Translation layer between C and Python for the async callback.
    ++        Assertions and exceptions will be swallowed at the boundary, so make
    ++        sure they don't escape here.
    ++        """
    ++        try:
    ++            return get_token(pgconn, p_request.contents, p_altsock)
    ++        except Exception:
    ++            logging.error("Exception during async callback:\n" + traceback.format_exc())
    ++            return PGRES_POLLING_FAILED
    ++
    ++    @ctypes.CFUNCTYPE(None, ctypes.c_void_p, ctypes.POINTER(PQOAuthBearerRequest))
    ++    def cleanup(pgconn, p_request):
    ++        """
    ++        Should be called exactly once per connection.
    ++        """
    ++        nonlocal cleanup_calls
    ++        with lock:
    ++            cleanup_calls += 1
    ++
    ++    def bearer_hook(typ, pgconn, request):
    ++        """
    ++        Implementation of the PQAuthDataHook, which either sets up an async
    ++        callback or returns the token directly, depending on the value of
    ++        retries.
    ++
    ++        As above, try not to rely too much on assertions/exceptions here.
    ++        """
    ++        assert typ == PQAUTHDATA_OAUTH_BEARER_TOKEN
    ++        request.cleanup = cleanup
    ++
    ++        if retries < 0:
    ++            # Special case: return a token immediately without a callback.
    ++            request.token = access_token.encode()
    ++            return 1
    ++
    ++        # Tell libpq to call us back.
    ++        request.async_ = get_token_wrapper
    ++        request.user = ctypes.c_void_p(42)  # will be checked in the callback
    ++        return 1
    ++
    ++    auth_data_cb.impl = bearer_hook
    ++
    ++    # Now drive the server side.
    ++    with sock:
    ++        with pq3.wrap(sock, debug_stream=sys.stdout) as conn:
    ++            # Initiate a handshake, which should result in our custom callback
    ++            # being invoked to fetch the token.
    ++            initial = start_oauth_handshake(conn)
    ++
    ++            # Validate and accept the token.
    ++            auth = get_auth_value(initial)
    ++            assert auth == f"Bearer {access_token}".encode("ascii")
    ++
    ++            pq3.send(conn, pq3.types.AuthnRequest, type=pq3.authn.SASLFinal)
    ++            finish_handshake(conn)
    ++
    ++    # Check the data provided to the hook.
    ++    assert len(auth_data_cb.calls) == 1
    ++
    ++    call = auth_data_cb.calls[0]
    ++    assert call.type == PQAUTHDATA_OAUTH_BEARER_TOKEN
    ++    assert call.openid_configuration.decode() == discovery_uri
    ++    assert call.scope == (None if scope is None else scope.encode())
    ++
    ++    # Make sure we cleaned up after ourselves.
    ++    assert cleanup_calls == 1
    ++
    ++
     +def alt_patterns(*patterns):
     +    """
     +    Just combines multiple alternative regexes into one. It's not very efficient
5:  16d3984a45 ! 5:  38a9691801 squash! Add pytest suite for OAuth
    @@ src/test/python/README: To make quick smoke tests possible, slow tests have been
     +    $ py.test --temp-instance=./tmp_check
     
      ## src/test/python/client/test_oauth.py ##
    -@@
    - import base64
    - import http.server
    - import json
    -+import os
    - import secrets
    - import sys
    - import threading
     @@ src/test/python/client/test_oauth.py: import pq3
      
      from .conftest import BLOCKING_TIMEOUT
    @@ src/test/python/client/test_oauth.py: import pq3
     +    reason="OAuth client tests require --with-oauth support",
     +)
     +
    - 
    - def finish_handshake(conn):
    -     """
    + if platform.system() == "Darwin":
    +     libpq = ctypes.cdll.LoadLibrary("libpq.5.dylib")
    + else:
     
      ## src/test/python/conftest.py ##
     @@ src/test/python/conftest.py: import os

1:  e80c124c3d ! 1:  1e17a1059f common/jsonapi: support FRONTEND clients
    @@ Commit message
         memory owned by the JsonLexContext, so clients don't need to worry about
         freeing it.
     
    -    For convenience, the backend now has destroyJsonLexContext() to mirror
    -    other create/destroy APIs. The frontend has init/term versions of the
    -    API to handle stack-allocated JsonLexContexts.
    -
         We can now partially revert b44669b2ca, now that json_errdetail() works
         correctly.
     
    - ## src/backend/utils/adt/jsonfuncs.c ##
    -@@ src/backend/utils/adt/jsonfuncs.c: json_object_keys(PG_FUNCTION_ARGS)
    - 		pg_parse_json_or_ereport(lex, sem);
    - 		/* keys are now in state->result */
    - 
    --		pfree(lex->strval->data);
    --		pfree(lex->strval);
    --		pfree(lex);
    -+		destroyJsonLexContext(lex);
    - 		pfree(sem);
    - 
    - 		MemoryContextSwitchTo(oldcontext);
    -
      ## src/bin/pg_verifybackup/parse_manifest.c ##
    -@@ src/bin/pg_verifybackup/parse_manifest.c: void
    - json_parse_manifest(JsonManifestParseContext *context, char *buffer,
    - 					size_t size)
    - {
    --	JsonLexContext *lex;
    -+	JsonLexContext lex = {0};
    - 	JsonParseErrorType json_error;
    - 	JsonSemAction sem;
    - 	JsonManifestParseState parse;
    -@@ src/bin/pg_verifybackup/parse_manifest.c: json_parse_manifest(JsonManifestParseContext *context, char *buffer,
    - 	parse.state = JM_EXPECT_TOPLEVEL_START;
    - 	parse.saw_version_field = false;
    - 
    --	/* Create a JSON lexing context. */
    --	lex = makeJsonLexContextCstringLen(buffer, size, PG_UTF8, true);
    -+	/* Initialize a JSON lexing context. */
    -+	initJsonLexContextCstringLen(&lex, buffer, size, PG_UTF8, true);
    - 
    - 	/* Set up semantic actions. */
    - 	sem.semstate = &parse;
     @@ src/bin/pg_verifybackup/parse_manifest.c: json_parse_manifest(JsonManifestParseContext *context, char *buffer,
    - 	sem.scalar = json_manifest_scalar;
    - 
      	/* Run the actual JSON parser. */
    --	json_error = pg_parse_json(lex, &sem);
    -+	json_error = pg_parse_json(&lex, &sem);
    + 	json_error = pg_parse_json(lex, &sem);
      	if (json_error != JSON_SUCCESS)
     -		json_manifest_parse_failure(context, "parsing failed");
    -+		json_manifest_parse_failure(context, json_errdetail(json_error, &lex));
    ++		json_manifest_parse_failure(context, json_errdetail(json_error, lex));
      	if (parse.state != JM_EXPECT_EOF)
      		json_manifest_parse_failure(context, "manifest ended unexpectedly");
      
    - 	/* Verify the manifest checksum. */
    - 	verify_manifest_checksum(&parse, buffer, size);
    -+
    -+	/* Clean up. */
    -+	termJsonLexContext(&lex);
    - }
    - 
    - /*
     
      ## src/bin/pg_verifybackup/t/005_bad_manifest.pl ##
     @@ src/bin/pg_verifybackup/t/005_bad_manifest.pl: use Test::More;
    @@ src/common/jsonapi.c
      /*
       * The context of the parser is maintained by the recursive descent
       * mechanism, but is passed explicitly to the error reporting routine
    -@@ src/common/jsonapi.c: IsValidJsonNumber(const char *str, int len)
    - 	return (!numeric_error) && (total_len == dummy_lex.input_length);
    - }
    - 
    -+#ifndef FRONTEND
    -+
    - /*
    -  * makeJsonLexContextCstringLen
    -  *
    -- * lex constructor, with or without StringInfo object for de-escaped lexemes.
    -+ * lex constructor, with or without a string object for de-escaped lexemes.
    -  *
    -  * Without is better as it makes the processing faster, so only make one
    -  * if really required.
    -@@ src/common/jsonapi.c: makeJsonLexContextCstringLen(char *json, int len, int encoding, bool need_escape
    - {
    - 	JsonLexContext *lex = palloc0(sizeof(JsonLexContext));
    - 
    -+	initJsonLexContextCstringLen(lex, json, len, encoding, need_escapes);
    -+
    -+	return lex;
    -+}
    -+
    -+void
    -+destroyJsonLexContext(JsonLexContext *lex)
    -+{
    -+	termJsonLexContext(lex);
    -+	pfree(lex);
    -+}
    -+
    -+#endif /* !FRONTEND */
    -+
    -+void
    -+initJsonLexContextCstringLen(JsonLexContext *lex, char *json, int len, int encoding, bool need_escapes)
    -+{
    - 	lex->input = lex->token_terminator = lex->line_start = json;
    - 	lex->line_number = 1;
    - 	lex->input_length = len;
    +@@ src/common/jsonapi.c: makeJsonLexContextCstringLen(JsonLexContext *lex, char *json,
      	lex->input_encoding = encoding;
    --	if (need_escapes)
    + 	if (need_escapes)
    + 	{
     -		lex->strval = makeStringInfo();
    --	return lex;
    -+	lex->parse_strval = need_escapes;
    -+	if (lex->parse_strval)
    -+	{
     +		/*
     +		 * This call can fail in FRONTEND code. We defer error handling to time
    -+		 * of use (json_lex_string()) since there's no way to signal failure
    -+		 * here, and we might not need to parse any strings anyway.
    ++		 * of use (json_lex_string()) since we might not need to parse any
    ++		 * strings anyway.
     +		 */
     +		lex->strval = createStrVal();
    -+	}
    + 		lex->flags |= JSONLEX_FREE_STRVAL;
    ++		lex->parse_strval = true;
    + 	}
     +	lex->errormsg = NULL;
    -+}
    -+
    -+void
    -+termJsonLexContext(JsonLexContext *lex)
    -+{
    + 
    + 	return lex;
    + }
    +@@ src/common/jsonapi.c: makeJsonLexContextCstringLen(JsonLexContext *lex, char *json,
    + void
    + freeJsonLexContext(JsonLexContext *lex)
    + {
     +	static const JsonLexContext empty = {0};
     +
    -+	if (lex->strval)
    -+	{
    + 	if (lex->flags & JSONLEX_FREE_STRVAL)
    + 	{
     +#ifdef FRONTEND
     +		destroyPQExpBuffer(lex->strval);
     +#else
    -+		pfree(lex->strval->data);
    -+		pfree(lex->strval);
    + 		pfree(lex->strval->data);
    + 		pfree(lex->strval);
     +#endif
     +	}
    -+
     +	if (lex->errormsg)
     +	{
     +#ifdef FRONTEND
    @@ src/common/jsonapi.c: makeJsonLexContextCstringLen(char *json, int len, int enco
     +		pfree(lex->errormsg->data);
     +		pfree(lex->errormsg);
     +#endif
    -+	}
    -+
    -+	*lex = empty;
    + 	}
    + 	if (lex->flags & JSONLEX_FREE_STRUCT)
    + 		pfree(lex);
    ++	else
    ++		*lex = empty;
      }
      
      /*
    @@ src/common/jsonapi.c: json_errdetail(JsonParseErrorType error, JsonLexContext *l
     +	return lex->errormsg->data;
     +}
     
    + ## src/common/meson.build ##
    +@@ src/common/meson.build: common_sources_frontend_static += files(
    + # least cryptohash_openssl.c, hmac_openssl.c depend on it.
    + # controldata_utils.c depends on wait_event_types_h. That's arguably a
    + # layering violation, but ...
    ++#
    ++# XXX Frontend builds need libpq's pqexpbuffer.h, so adjust the include paths
    ++# appropriately. This seems completely broken.
    + pgcommon = {}
    + pgcommon_variants = {
    +   '_srv': internal_lib_args + {
    ++    'include_directories': include_directories('.'),
    +     'sources': common_sources + [lwlocknames_h] + [wait_event_types_h],
    +     'dependencies': [backend_common_code],
    +   },
    +   '': default_lib_args + {
    ++    'include_directories': include_directories('../interfaces/libpq', '.'),
    +     'sources': common_sources_frontend_static,
    +     'dependencies': [frontend_common_code],
    +     # Files in libpgcommon.a should use/export the "xxx_private" versions
    +@@ src/common/meson.build: pgcommon_variants = {
    +   },
    +   '_shlib': default_lib_args + {
    +     'pic': true,
    ++    'include_directories': include_directories('../interfaces/libpq', '.'),
    +     'sources': common_sources_frontend_shlib,
    +     'dependencies': [frontend_common_code],
    +   },
    +@@ src/common/meson.build: foreach name, opts : pgcommon_variants
    +     c_args = opts.get('c_args', []) + common_cflags[cflagname]
    +     cflag_libs += static_library('libpgcommon@0@_@1@'.format(name, cflagname),
    +       c_pch: pch_c_h,
    +-      include_directories: include_directories('.'),
    +       kwargs: opts + {
    +         'sources': sources,
    +         'c_args': c_args,
    +@@ src/common/meson.build: foreach name, opts : pgcommon_variants
    +   lib = static_library('libpgcommon@0@'.format(name),
    +       link_with: cflag_libs,
    +       c_pch: pch_c_h,
    +-      include_directories: include_directories('.'),
    +       kwargs: opts + {
    +         'dependencies': opts['dependencies'] + [ssl],
    +       }
    +
      ## src/include/common/jsonapi.h ##
     @@
      #ifndef JSONAPI_H
    @@ src/include/common/jsonapi.h: typedef enum JsonParseErrorType
      	JSON_UNICODE_ESCAPE_FORMAT,
      	JSON_UNICODE_HIGH_ESCAPE,
     @@ src/include/common/jsonapi.h: typedef enum JsonParseErrorType
    - 	JSON_SEM_ACTION_FAILED		/* error should already be reported */
    + 	JSON_SEM_ACTION_FAILED,		/* error should already be reported */
      } JsonParseErrorType;
      
     +/*
    @@ src/include/common/jsonapi.h: typedef enum JsonParseErrorType
      /*
       * All the fields in this structure should be treated as read-only.
     @@ src/include/common/jsonapi.h: typedef struct JsonLexContext
    - 	int			lex_level;
    + 	bits32		flags;
      	int			line_number;	/* line number, starting from 1 */
      	char	   *line_start;		/* where that line starts within input */
     -	StringInfo	strval;
    @@ src/include/common/jsonapi.h: typedef struct JsonLexContext
      } JsonLexContext;
      
      typedef JsonParseErrorType (*json_struct_action) (void *state);
    -@@ src/include/common/jsonapi.h: extern PGDLLIMPORT JsonSemAction nullSemAction;
    -  */
    - extern JsonParseErrorType json_count_array_elements(JsonLexContext *lex,
    - 													int *elements);
    -+#ifndef FRONTEND
    - 
    - /*
    -- * constructor for JsonLexContext, with or without strval element.
    -+ * allocating constructor for JsonLexContext, with or without strval element.
    -  * If supplied, the strval element will contain a de-escaped version of
    -  * the lexeme. However, doing this imposes a performance penalty, so
    -  * it should be avoided if the de-escaped lexeme is not required.
    -@@ src/include/common/jsonapi.h: extern JsonLexContext *makeJsonLexContextCstringLen(char *json,
    - 													int encoding,
    - 													bool need_escapes);
    - 
    -+/*
    -+ * Counterpart to makeJsonLexContextCstringLen(): clears and deallocates lex.
    -+ * The context pointer should not be used after this call.
    -+ */
    -+extern void destroyJsonLexContext(JsonLexContext *lex);
    -+
    -+#endif /* !FRONTEND */
    -+
    -+/*
    -+ * stack constructor for JsonLexContext, with or without strval element.
    -+ * If supplied, the strval element will contain a de-escaped version of
    -+ * the lexeme. However, doing this imposes a performance penalty, so
    -+ * it should be avoided if the de-escaped lexeme is not required.
    -+ */
    -+extern void initJsonLexContextCstringLen(JsonLexContext *lex,
    -+										 char *json,
    -+										 int len,
    -+										 int encoding,
    -+										 bool need_escapes);
    -+
    -+/*
    -+ * Counterpart to initJsonLexContextCstringLen(): clears the contents of lex,
    -+ * but does not deallocate lex itself.
    -+ */
    -+extern void termJsonLexContext(JsonLexContext *lex);
    -+
    - /* lex one token */
    - extern JsonParseErrorType json_lex(JsonLexContext *lex);
    - 
2:  02eea9ffe0 ! 2:  e941ba5807 libpq: add OAUTHBEARER SASL mechanism
    @@ src/Makefile.global.in: with_ldap	= @with_ldap@
      with_uuid	= @with_uuid@
      with_zlib	= @with_zlib@
     
    - ## src/common/meson.build ##
    -@@ src/common/meson.build: common_sources_frontend_static += files(
    - # least cryptohash_openssl.c, hmac_openssl.c depend on it.
    - # controldata_utils.c depends on wait_event_types_h. That's arguably a
    - # layering violation, but ...
    -+#
    -+# XXX Frontend builds need libpq's pqexpbuffer.h, so adjust the include paths
    -+# appropriately. This seems completely broken.
    - pgcommon = {}
    - pgcommon_variants = {
    -   '_srv': internal_lib_args + {
    -+    'include_directories': include_directories('.'),
    -     'sources': common_sources + [lwlocknames_h] + [wait_event_types_h],
    -     'dependencies': [backend_common_code],
    -   },
    -   '': default_lib_args + {
    -+    'include_directories': include_directories('../interfaces/libpq', '.'),
    -     'sources': common_sources_frontend_static,
    -     'dependencies': [frontend_common_code],
    -   },
    -   '_shlib': default_lib_args + {
    -     'pic': true,
    -+    'include_directories': include_directories('../interfaces/libpq', '.'),
    -     'sources': common_sources_frontend_shlib,
    -     'dependencies': [frontend_common_code],
    -   },
    -@@ src/common/meson.build: foreach name, opts : pgcommon_variants
    -     c_args = opts.get('c_args', []) + common_cflags[cflagname]
    -     cflag_libs += static_library('libpgcommon@0@_@1@'.format(name, cflagname),
    -       c_pch: pch_c_h,
    --      include_directories: include_directories('.'),
    -       kwargs: opts + {
    -         'sources': sources,
    -         'c_args': c_args,
    -@@ src/common/meson.build: foreach name, opts : pgcommon_variants
    -   lib = static_library('libpgcommon@0@'.format(name),
    -       link_with: cflag_libs,
    -       c_pch: pch_c_h,
    --      include_directories: include_directories('.'),
    -       kwargs: opts + {
    -         'dependencies': opts['dependencies'] + [ssl],
    -       }
    -
      ## src/include/common/oauth-common.h (new) ##
     @@
     +/*-------------------------------------------------------------------------
    @@ src/interfaces/libpq/fe-auth-oauth-curl.c (new)
     +		goto cleanup;
     +	}
     +
    -+	initJsonLexContextCstringLen(&lex, resp->data, resp->len, PG_UTF8, true);
    ++	makeJsonLexContextCstringLen(&lex, resp->data, resp->len, PG_UTF8, true);
     +
     +	ctx.errbuf = &actx->errbuf;
     +	ctx.fields = fields;
    @@ src/interfaces/libpq/fe-auth-oauth-curl.c (new)
     +	success = true;
     +
     +cleanup:
    -+	termJsonLexContext(&lex);
    ++	freeJsonLexContext(&lex);
     +	return success;
     +}
     +
    @@ src/interfaces/libpq/fe-auth-oauth.c (new)
     +		return false;
     +	}
     +
    -+	initJsonLexContextCstringLen(&lex, msg, msglen, PG_UTF8, true);
    ++	makeJsonLexContextCstringLen(&lex, msg, msglen, PG_UTF8, true);
     +
     +	initPQExpBuffer(&ctx.errbuf);
     +	sem.semstate = &ctx;
    @@ src/interfaces/libpq/fe-auth-oauth.c (new)
     +
     +	/* Don't need the error buffer or the JSON lexer anymore. */
     +	termPQExpBuffer(&ctx.errbuf);
    -+	termJsonLexContext(&lex);
    ++	freeJsonLexContext(&lex);
     +
     +	if (errmsg)
     +		return false;
3:  b3a731b695 ! 3:  37eaa5ceb6 backend: add OAUTHBEARER SASL mechanism
    @@ src/include/libpq/auth.h: extern PGDLLIMPORT bool pg_gss_accept_delegation;
     
      ## src/include/libpq/hba.h ##
     @@ src/include/libpq/hba.h: typedef enum UserAuth
    - 	uaLDAP,
      	uaCert,
      	uaRADIUS,
    --	uaPeer
    + 	uaPeer,
     -#define USER_AUTH_LAST uaPeer	/* Must be last value of this enum */
    -+	uaPeer,
    -+	uaOAuth
    ++	uaOAuth,
     +#define USER_AUTH_LAST uaOAuth	/* Must be last value of this enum */
      } UserAuth;
      
4:  b2a570114e = 4:  7177943f0c Add pytest suite for OAuth
5:  48cd916bfe = 5:  bea695c317 squash! Add pytest suite for OAuth

���Kev13-0001-common-jsonapi-support-FRONTEND-clients.patch�\}[�����|
�}!!�����t�SJC�^����[��Ql�xql��@s���wf$;v��d��������F������B�q���o7[{]��o�����������G�v����3�c�"`z�5���Z��^:2�7�;�I�@��S���a��CQ7����W<$��6;�3�����7h��.�5{�f�z:�]�����<�9z��6�{���^����x�X4
?���������3]GxqT*������������f���)	�]�?������2;��Xx�����`��?/��-B�xQ,8���u:���g�uv3v"
 ��4�X��8��=����<F��q���E�p�c�(��=OC��r}qn\��1.�������J<b�����4DZ"2�
����8�t���S`"���	��c��DL�p��GR�c�~
Z���J�1�p>JS��������~c����%;�N������Ldr<�����v�G-�k��D]�>���J&0���z�V��X����5�;h9�l:�
`	c�=�Q\7}�	�[������l�#n��.�k�����{a;�`���������x\��g��W�������|�>�:���~���Lwj��y���r\���������V���v������:��+dC�R*Y�m�Z���o�m���]K�g��l��3��~�nu�M}�b��f����{l��*�d/^����i=V�?��\6���+�L}��Gj
�]3YL�����(\h%���eWS��7�)wi�3"��n�$���
��J��Zv�G���I�9ttlV�t~v ��������u�T����	+J*���Inc;�f|"�m ^]s��J��Fc0�J:M^�bO4�3c��rxtc/�+�g��&�dJSO| b�����z�YV;Ha���~���=�?��P�4���[�O��>���c�c���m����[�
<��P�j&3�},&���[]�Q|��_O��m���`���.Y����*�8^0�YD�]�v4p�?B�BS\�K�fr�,�3`y�kh����g�x������T�J��O%�9�b��&����������|�mB,]2����I���:M4}��>�;���]^���f�V{����q��`�l�n_���no��z}�z}���'/�� �Mv/��p@
�j'u��}9���d��/'�*������\g��<�Qg8k����������+����;����2n
�#\��
�E"�X���F�I�`6��L����d�3�Q���Y�SO��uk4������t�x���������i���kz�U�GG�9:�:�����R}��}�X��6L���j�96L�N!t�
-�
)�?`����W�n$��F
�\��y�'2�5q<����a
��n��v��GA�5����R��6��`/B���sp'@�0<Q��H�
�g �F
+18&
k�]�P���z�&hp<��o�^��,G�U�4���OO/����_QQ3��x��A�����%?e�������p&��\��dwH��e�:�o�6�d6�S!a�mD����O�~�C@�g�RG]�.����
t7���U�z����]�R�v�"�Z�vC�����@q%��{�BH��"��p�A:���,��A�5���A��LH���D`�D��`W��
�0K�5�:�Ie�@@��P`���7�
$���}!�}M��n�b��#N�W�?`��n%b���x�j?�No�pdx��_t��
��@D�&?!�����
ly���.K���ek�t��C��"(
x��@�_g�F�a�/5��\����E
L��IBa��!�-W`�C��&��8&|����po���A�<r�2���y��NU&�-;�.�����t��8�
XO��?O�H����)"���������U~����@��
��
>�f��4rh��v�+���w�����[4��������c�J��`�`�xB|j~~�+��&����$i9�om���C?N���k���AS�i�g��\Zj��*�7Y!�gb	nN*�N����<O'V�835t�5T�������h'3@��JF��1
h_�:����L�
)�<����`}��� ��������M*lY>-X\�8�K0#o�di*��i��������#�"��
w�^���nmKu��k��
FZ�07@�$(_��TH�)w2za]�D��DXJc�+�[���K*r�����������k-��L��8��b�b����T���B�,j@���1m���Xl%��Qc4i���G0����$#�����J�������N�_�q=u<��gR�T���
K�B���f(d��+�VJD��4�uL�c��J�H�>�����'\`�-����bp�
64�cPZ�e�!��1�:j��� �*����	�r
����q�j�8mi.���������y���#�������W������d�e��p�
��g����D6	XTe��Z��_^]UY��u���>��8��O��Y@�p���*G�=��%O�������&|�vV��z�ku�S�2SCFfT��WO���Y�cn:zG������.��&�[��:D#������~)e�(A����Az�A�+�A'��
��lA����*�=���x\g��Q8��\g��,>�Q���0�
jX"�����l����p)������-�!N�S����-.-�8��U�Y�h�T`\H$A���X6��g�hb!��3���`+��&S)��8��]0EB[��hi���#<�(g��Cw�������x�b����oR����V���|%(��ON�������
j����������1�>:��Wg�72X�v�[�j�UsO��!�s��p�#2�DL�wXo�Fu)+�a��v�-m"��s����7���/�c���^��a�)!|��# ��	��A�p�4&#�X~jdM�,������A��U�G�@�����?g��������c���HL�K3������8�F�w"���0�L2�GN�|� ?�2��ZZm�J�z��D������o���#�V*q�n���c�z[�������=��1�h R�<-����ag���x}x�"�*��k����.��l������3�}��]hh�����-v^U*��,7����y��h�;���u����9��q�7�l?������
g�i��f��
8�Os�7�o�9^�0�5P8f��O���fw�}����
v��{'H
�6lS1�`�S*���aQ Li��R�GAX��=���m��m��h�����edSP+`?�Y#�d���W?�#L�zb�=K�Q�e�EB���
.��HR���B�My��~PJ�.��O'�k����1����K�Z����#y�3����^P��"B�I5����L �91Z��iK����U���/������^Y�-T&j���e�@3W+�~���������l�J���Y�^����������X*�����y2�`@���Y�zgO��n��Z=m��:.����,Q���@�Y��Q��"XdX#��i�X"�K}
�����JX+8���S�����*�	h
<��tx�7���c=*�Pb���yF)
6K���LK5U���-v���d9zI��nA�j�x��cWN9��(b���'��VT��DS�{�0/���c��-=O:�
z85B�,s�k�����eU�����-D%ry��tYG2d�s?�����d���D�������I�SS�s$������a�)�2H�-9��h2N�;$���*�'2�x���%+�{��
����I�KG�����0&��m�`� �=q����^4N��cdh������-��*�s��U�A�����UUPS��
�SZr�ez=�����S'��C��
�f�`��C�^RuD��zc�������rA��
v��&O��UV_-�8�X�d�(������2���� @�]I*�4�ll���.H�z7��J��c�IT��9����|����qr�����+���>�(���eP�������1��x�}{�Ct���t<�R��]�(��R���W]}y�i	.d���w8&���-!��I�����=���)�:��:E����f�#�L#ZI��!��|]��v���*g��$C7�M����������E]}K ���q�����;_�a��I����&������������/k���:�H}���v�[�d-���v����PL���V��\��2�.N/�����[�����J���,4�5u,�m$_����Pe(��9�X��p}������_����!Gq �����i�_W�J!G�o��'�~]m���u����?!�����}��7��J	�)����
��1���[#����A��T��}~�?��t�o�<�D�P�I���]^����;��X]���&|a��RG����:ym����Ux�8�����O74�������=��J�%�A>��=z���t���$�����Is���3F����MsL�Z���\����T'�k6{��q,<U0S�F�"��7���*{{~sux~}zxs��t(�{]���K*�r
y����TZ�V�H|�����'-_D��f���������jB!!oO=�[
�&�%��m�|����"S13[�����|9!��N47�-Xu���Z��x�G����r�'�\��`LN��n��ZN�)�4���rK;����)�#[���o�.tX�O��r��:���5�ig���Lc�<��(Z�,�K��8K�p�����c���J�,�?rP�|���L�$�	o:Q�����i,}���A
�
p��2���~���?����.�)#���/���(�N��x\��]y����������imcP���`�V_����J��)�/�>�}�La2_&RuA���|
���RM
���r-������L�L���
�����A$�5,2�����/�J��O[V�������bEQ]�2��6e4|"t����ZXz��r_�+����7���m�V<Po�GB���M{T���v�o���o�Xz�+�P���O?i���������d�0T�z �/�Kq����p���Gc��G�[756�ps�4y_������wQQ�_)M;�>~���x�>p����K�1�<����7c���gB�v|�J��������?���;v�lz$���G���i����������EH�:�ak�p��|#$b�Jt6�����������
x��_9el��������
��
�3@R<`������������#"��Z����FI��%�g��@������=^���e�HI��n,��W��Pd1�������Qa��
So�Zl�nH�il�w�(i�%Y��1����Z���
�
���/�?~4�=�?����"�z��Og��������hW�QJ8&t�r��'��7�+�H*����!]]����#�e�����`YO��)uq@��w".��&����
()�Jo���H����Q�F5� �1������������b�����,'��K��3
�1���1�V6�������G�e ��|�*�7-�P�`��������{�M�z`_�NN3s	0�0�d���7W��Ob���F
|�M}H����W���4D�s�+r����i����=��CR#j�(����{���F���n��G�o&3o4oJ�g��������M��I�"DY7�������M$	�A9W���
5O�����+�Pb�{=
��F�@dT7�0!����������U�5���\l?���xP�>[�#�_��s�FeP�cE���U[�lq��g����zq��6?�O]-c�v�	c�m����G?��</���E^�H|��3�~�H�UP>@�%
��fc�/G�wR�����n��q1�������
c���{�������]r�aS�I�-mLn�^�)�{�g�>BY�X]a��p�`$�����@��#G� oW�:#��y�`��x���>B���o��c�
O&�d��e�X�
�v�
�#��#���L0��5�����J�;��XN�+e��7�v�_9���<����=vA���P�����
�Eb�|��>}S�����[�T�}��Gr��^�8&t��2�uCf�*����2@?��4��I��r3��N