Fix JWT authentication for SELECT queries on foreign tables #107

Merged
temuenz merged 2 commits into pg-fdw:master from rpx99:claude/fix-jwt-segfault-01T25fRQE5vyFYiQPpFLTD5t
Jan 28, 2026

rpx99 commented Jan 15, 2026

Summary

Fixes JWT authentication issues that caused SELECT queries on foreign tables to fail while IMPORT FOREIGN SCHEMA worked correctly.

Changes

  1. Add jwt_token to plan serialization/deserialization (db2PlanForeignModify.c, db2BeginForeignModify.c)

    • The jwt_token was missing from serializePlanData() and deserializePlanData()
    • IMPORT FOREIGN SCHEMA reads options directly (worked)
    • SELECT uses serialized plan data where jwt_token was lost (failed)
  2. Fix connection cache lookup (db2AllocConnHdl.c)

    • insertconnEntry() stores empty string as NULL
    • db2GetSession() converts NULL to empty string
    • findconnEntry() now treats NULL and empty string as equivalent

Symptoms fixed

  • cannot authenticate error (line 99) when using JWT auth for SELECT
  • db2EndTransaction internal error: handle not found in cache
  • PANIC: ERRORDATA_STACK_SIZE exceeded

Testing

CREATE USER MAPPING FOR postgres SERVER db2_server OPTIONS (jwt_token 'eyJ...');
SELECT * FROM foreign_table;  -- Now works!

The jwt_token was missing from serializePlanData() and deserializePlanData(),
causing SELECT queries on foreign tables to fail with JWT authentication.

IMPORT FOREIGN SCHEMA worked because it reads options directly, but SELECT
uses the serialized plan data where jwt_token was not included.

This fixes the "cannot authenticate" error (line 99) when using JWT auth
for queries on foreign tables.

When JWT auth is used, user is NULL. But db2GetSession converts NULL to "".
Meanwhile insertconnEntry stores "" as NULL.

This caused findconnEntry to fail matching:
- Stored: step->uid = NULL
- Searching: user = ""
- Old code: NULL == "" -> false (no match!)

Now both NULL and "" are treated as "empty" and match each other.
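
The NULL versus empty-string mismatch described in the second commit message, as an added example that is not the project's code: the struct, `find_entry` and the two comparison helpers are hypothetical names, and the cache contents are constructed. It shows the strict comparison missing the cached JWT session and the normalized comparison finding it, without letting a named user match that entry.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical cache entry; field and function names are illustrative only. */
struct conn_entry {
    const char *server;
    const char *uid;            /* stored as NULL when no user name was given (JWT auth) */
    struct conn_entry *next;
};

/* Old-style comparison: NULL only matches NULL, so NULL vs "" never matches. */
static int uid_equal_strict(const char *a, const char *b)
{
    if (a == NULL || b == NULL)
        return a == b;
    return strcmp(a, b) == 0;
}

/* NULL and "" both mean "no user name". */
static int is_empty(const char *s) { return s == NULL || s[0] == '\0'; }

/* Fixed comparison: two empty values match; empty never matches a real name. */
static int uid_equal_normalized(const char *a, const char *b)
{
    if (is_empty(a) || is_empty(b))
        return is_empty(a) && is_empty(b);
    return strcmp(a, b) == 0;
}

/* Walk the cache and return the entry for (server, uid), or NULL if absent. */
static struct conn_entry *find_entry(struct conn_entry *head, const char *server,
                                     const char *uid,
                                     int (*uid_eq)(const char *, const char *))
{
    for (struct conn_entry *e = head; e != NULL; e = e->next)
        if (strcmp(e->server, server) == 0 && uid_eq(e->uid, uid))
            return e;
    return NULL;
}

/* Constructed sample cache: one JWT session (uid NULL) and one named-user session. */
static struct conn_entry pw_entry  = { "db2_server", "alice", NULL };
static struct conn_entry jwt_entry = { "db2_server", NULL, &pw_entry };
```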

rpx99 commented Jan 28, 2026

@temuenz Hi Thomas, is it possible for you to have a look? Thank you.

temuenz merged commit d810097 into pg-fdw:master Jan 28, 2026
0 of 2 checks passed

temuenz commented Jan 28, 2026

I merged your code. Last time I ran the pipeline it all worked.
Let me see if it is safer to actually disable the rpm signature step, again.

temuenz added a commit that referenced this pull request Jan 28, 2026