LDAP_LIBS_BE

LDAP_LIBS_FE

with_ssl

LIBCURL_LDLIBS

PTHREAD_CFLAGS

PTHREAD_LIBS

PTHREAD_CC

LIBNUMA_LIBS

LIBNUMA_CFLAGS

with_libnuma

LIBCURL_LDFLAGS

LIBCURL_CPPFLAGS

LIBCURL_LIBS

LIBCURL_CFLAGS

with_libcurl

fi

# We only care about -I, -D, and -L switches;

# note that -lcurl will be added by PGAC_CHECK_LIBCURL below.

# Curl's flags are kept separate from the standard CPPFLAGS/LDFLAGS. We use

# them only for libpq-oauth.

LIBCURL_CPPFLAGS=

LIBCURL_LDFLAGS=

# We only care about -I, -D, and -L switches. Note that -lcurl will be added

# to LIBCURL_LDLIBS by PGAC_CHECK_LIBCURL, below.

for pgac_option in $LIBCURL_CFLAGS; do

case $pgac_option in

-I*|-D*)CPPFLAGS="$CPPFLAGS $pgac_option";;

-I*|-D*)LIBCURL_CPPFLAGS="$LIBCURL_CPPFLAGS $pgac_option";;

esac

done

for pgac_option in $LIBCURL_LIBS; do

case $pgac_option in

-L*)LDFLAGS="$LDFLAGS $pgac_option";;

-L*)LIBCURL_LDFLAGS="$LIBCURL_LDFLAGS $pgac_option";;

esac

done

# OAuth requires python for testing

if test "$with_python" != yes; then

{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: *** OAuth support tests require --with-python to run" >&5

fi

# XXX libcurl must link after libgssapi_krb5 on FreeBSD to avoid segfaults

# during gss_acquire_cred(). This is possibly related to Curl's Heimdal

# dependency on that platform?

if test "$with_libcurl" = yes ; then

ac_fn_c_check_header_mongrel "$LINENO" "curl/curl.h" "ac_cv_header_curl_curl_h" "$ac_includes_default"

{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_curl_curl_multi_init" >&5

$as_echo "$ac_cv_lib_curl_curl_multi_init" >&6; }

if test "x$ac_cv_lib_curl_curl_multi_init" = xyes; then :

cat >>confdefs.h <<_ACEOF

#define HAVE_LIBCURL 1

_ACEOF

LIBS="-lcurl $LIBS"

$as_echo "#define HAVE_LIBCURL 1" >>confdefs.h

LIBCURL_LDLIBS=-lcurl

else

as_fn_error $? "library 'curl' does not provide curl_multi_init" "$LINENO" 5

fi

pgac_save_CPPFLAGS=$CPPFLAGS

pgac_save_LDFLAGS=$LDFLAGS

pgac_save_LIBS=$LIBS

CPPFLAGS="$LIBCURL_CPPFLAGS $CPPFLAGS"

LDFLAGS="$LIBCURL_LDFLAGS $LDFLAGS"

LIBS="$LIBCURL_LDLIBS $LIBS"

# Check to see whether the current platform supports threadsafe Curl

# initialization.

{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for curl_global_init thread safety" >&5

*** to use it with libpq." "$LINENO" 5

fi

CPPFLAGS=$pgac_save_CPPFLAGS

LDFLAGS=$pgac_save_LDFLAGS

LIBS=$pgac_save_LIBS

fi

if test "$with_gssapi" = yes ; then

fi

if test "$with_libcurl" = yes ; then

# Error out early if this platform can't support libpq-oauth.

if test "$ac_cv_header_sys_event_h" != yes -a "$ac_cv_header_sys_epoll_h" != yes; then

as_fn_error $? "client OAuth is not supported on this platform" "$LINENO" 5

fi

fi

##

## Types, structures, compiler characteristics

##

PKG_CHECK_MODULES(LIBCURL,[libcurl >= 7.61.0])

LIBCURL_CPPFLAGS=

LIBCURL_LDFLAGS=

for pgac_option in $LIBCURL_CFLAGS; do

case $pgac_option in

-I*|-D*)CPPFLAGS="$CPPFLAGS $pgac_option";;

-I*|-D*)LIBCURL_CPPFLAGS="$LIBCURL_CPPFLAGS $pgac_option";;

esac

done

for pgac_option in $LIBCURL_LIBS; do

case $pgac_option in

-L*)LDFLAGS="$LDFLAGS $pgac_option";;

-L*)LIBCURL_LDFLAGS="$LIBCURL_LDFLAGS $pgac_option";;

esac

done

if test "$with_python" != yes; then

fi

if test "$with_libcurl" = yes ; then

PGAC_CHECK_LIBCURL

fi

fi

if test "$with_libcurl" = yes ; then

if test "$ac_cv_header_sys_event_h" != yes -a "$ac_cv_header_sys_epoll_h" != yes; then

fi

fi

</para>

</listitem>

<listitem>

<para>

You need <productname>Curl</productname> to build an optional module

which implements the <link linkend="libpq-oauth">OAuth Device

Authorization flow</link> for client applications.

</para>

</listitem>

<listitem>

<para>

You need <productname>LZ4</productname>, if you want to support

<title>OAuth Support</title>

<para>

libpq implements support for the OAuth v2 Device Authorization client flow,

<application>libpq</application> implements support for the OAuth v2 Device Authorization client flow,

documented in

<ulink url="https://datatracker.ietf.org/doc/html/rfc8628">RFC 8628</ulink>,

which it will attempt to use by default if the server

as an optional module. See the <link linkend="configure-option-with-libcurl">

installation documentation</link> for information on how to enable support

for Device Authorization as a builtin flow.

</para>

<para>

When support is enabled and the optional module installed, <application>libpq</application>

will use the builtin flow by default if the server

<link linkend="auth-oauth">requests a bearer token</link> during

authentication. This flow can be utilized even if the system running the

client application does not have a usable web browser, for example when

running a client via <application>SSH</application>. Client applications may implement their own flows

instead; see <xref linkend="libpq-oauth-authdata-hooks"/>.

running a client via <acronym>SSH</acronym>.

</para>

<para>

The builtin flow will, by default, print a URL to visit and a user code to

they match expectations, before continuing. Permissions should not be given

to untrusted third parties.

</para>

<para>

Client applications may implement their own flows to customize interaction

and integration with applications. See <xref linkend="libpq-oauth-authdata-hooks"/>

for more information on how add a custom flow to <application>libpq</application>.

</para>

<para>

For an OAuth client flow to be usable, the connection string must at minimum

contain <xref linkend="libpq-connect-oauth-issuer"/> and

</synopsis>

</para>

<para>

The OAuth Device Authorization flow included in <application>libpq</application>

The OAuth Device Authorization flow which

<link linkend="configure-option-with-libcurl">can be included</link>

in <application>libpq</application>

requires the end user to visit a URL with a browser, then enter a code

which permits <application>libpq</application> to connect to the server

on their behalf. The default prompt simply prints the

This callback is only invoked during the builtin device

authorization flow. If the application installs a

<link linkend="libpq-oauth-authdata-oauth-bearer-token">custom OAuth

flow</link>, this authdata type will not be used.

flow</link>, or <application>libpq</application> was not built with

support for the builtin flow, this authdata type will not be used.

</para>

<para>

If a non-NULL <structfield>verification_uri_complete</structfield> is

</term>

<listitem>

<para>

Replaces the entire OAuth flow with a custom implementation. The hook

should either directly return a Bearer token for the current

Adds a custom implementation of a flow, replacing the builtin flow if

it is <link linkend="configure-option-with-libcurl">installed</link>.

The hook should either directly return a Bearer token for the current

user/issuer/scope combination, if one is available without blocking, or

else set up an asynchronous callback to retrieve one.

</para>

backend_both_deps= []

backend_deps= []

libpq_deps= []

libpq_oauth_deps= []

pg_sysroot=''

libcurlopt=get_option('libcurl')

oauth_flow_supported=false

ifnot libcurlopt.disabled()

libcurl=dependency('libcurl',version:'>= 7.61.0',required: libcurlopt)

if libcurl.found()

cdata.set('USE_LIBCURL',1)

libcurl_threadsafe_init=false

oauth_flow_supported= (

libcurl.found()

and (cc.check_header('sys/event.h',required:false,

args: test_c_args,include_directories: postgres_inc)

or cc.check_header('sys/epoll.h',required:false,

args: test_c_args,include_directories: postgres_inc))

)

if oauth_flow_supported

cdata.set('USE_LIBCURL',1)

elif libcurlopt.enabled()

error('client-side OAuth is not supported on this platform')

libcurl= not_found_dep

gssapi,

ldap_r,

libcurl,

libintl,

ssl,

]

libpq_oauth_deps+= [

libcurl,

]

subdir('src/interfaces/libpq')

subdir('src/fe_utils')

subdir('src/interfaces/libpq-oauth')

frontend_code=declare_dependency(

AWK= @AWK@

LN_S= @LN_S@

LIBCURL_CPPFLAGS = @LIBCURL_CPPFLAGS@

LIBCURL_LDFLAGS = @LIBCURL_LDFLAGS@

LIBCURL_LDLIBS = @LIBCURL_LDLIBS@

MSGFMT = @MSGFMT@

MSGFMT_FLAGS = @MSGFMT_FLAGS@

MSGMERGE = @MSGMERGE@

SUBDIRS = libpq ecpg

ifeq ($(with_libcurl), yes)

SUBDIRS += libpq-oauth

ALWAYS_SUBDIRS += libpq-oauth

$(recurse)

$(recurse_always)

all-ecpg-recurse: all-libpq-recurse

install-ecpg-recurse: install-libpq-recurse

ifeq ($(with_libcurl), yes)

all-libpq-oauth-recurse: all-libpq-recurse

install-libpq-oauth-recurse: install-libpq-recurse