The pool does not allow proxy user with external authentication in thin mode #1743

@sosoba

Description

I am testing a configuration in which the user authenticates via an X509 certificate and takes on the role of another user through the proxy functionality:

CREATE USER password_user;
GRANT CONNECT TO password_user;
CREATE USER ssl_user IDENTIFIED EXTERNALLY AS 'CN=ssl_user';
GRANT CONNECT TO ssl_user;
ALTER USER password_user GRANT CONNECT THROUGH ssl_user;

I expect that SSL_USER will connect as a proxy of PASSWORD_USER

import { deepEqual } from "node:assert";
import { readFile } from "node:fs/promises";
import oracledb from "oracledb";

const commonConnectionAttributes = {
  connectionString: "tcps://localhost:2484/FREEPDB1",
  walletContent: await readFile("wallet", "ascii"), // -----BEGIN PRIVATE KEY----- -----BEGIN CERTIFICATE-----
  externalAuth: true,
};

const proxyUserConnectionAttributes = {
  ...commonConnectionAttributes,
  user: "[PASSWORD_USER]",
};

const testConnection = async (conn) => {
  const {
    rows: [row],
  } = await conn.execute(`
    SELECT SYS_CONTEXT('USERENV', 'session_user')
         , SYS_CONTEXT('USERENV', 'proxy_user')
         , SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD')
      FROM DUAL
  `);
  deepEqual(row, ["PASSWORD_USER", "SSL_USER", "SSL_PROXY"]);
};

It works perfectly when we open a single connection in thin mode:

await testConnection(await oracledb.getConnection(proxyUserConnectionAttributes));

But it doesn't work with the connection pool, even if we pass the proxy user in the pool attributes:

// throws NJS-136: user name and password cannot be set when using external authentication
await oracledb.createPool(proxyUserConnectionAttributes);

If I pass the user later, it is ignored:

const pool = await oracledb.createPool(commonConnectionAttributes);
// actual: ['SSL_USER', null, 'SSL']
// expected: ["PASSWORD_USER", "SSL_USER", "SSL_PROXY"]
await testConnection(await pool.getConnection({
  user: '[PASSWORD_USER]',
}));

It seems to me that the condition (line 571) is too strict. When I comment it out, the pool works perfectly with the proxy of the SSL user.

if (outOptions.user) {
  if (inCreatePool) {
    errors.throwErr(errors.ERR_WRONG_CRED_FOR_EXTAUTH);
  } else if (outOptions.user[0] !== '[' || outOptions.user.slice(-1) !== ']') {
    // username is not enclosed in [].
    errors.throwErr(errors.ERR_WRONG_USER_FORMAT_EXTAUTH_PROXY);
  }
}

oracledb: 6.8.0
mode: thin
node: 24.3.0
oracle: free:23.8.0.0-lite

Best regards.
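As an added, stand-alone illustration (not node-oracledb's own code) of the check quoted in the issue: the current rule reimplemented next to a relaxed variant that applies the single-connection rule on the pool path as well, so a bracketed proxy target is accepted while a bare user name or a password is still refused. The error class, the placeholder code for the format error, the password check and the function names are assumptions.

```javascript
// Hypothetical reimplementation of the credential check discussed in the issue.
class ExtAuthError extends Error {
  constructor(code, message) { super(`${code}: ${message}`); this.code = code; }
}
const ERR_WRONG_CRED_FOR_EXTAUTH = "NJS-136";            // code quoted in the issue
const ERR_WRONG_USER_FORMAT_EXTAUTH_PROXY = "NJS-PLACEHOLDER"; // placeholder, not a real code

// True when `user` has the proxy form "[SCHEMA]": it names the schema to act on
// behalf of and carries no credential, which is why it is compatible with
// external (certificate) authentication. An empty "[]" is rejected here too.
function isBracketedProxyUser(user) {
  return typeof user === "string" && user.length > 2 &&
    user[0] === "[" && user.slice(-1) === "]";
}

// Current behaviour as quoted: with externalAuth, a password is always refused
// (assumed from the NJS-136 message), any `user` is refused at createPool time,
// and at getConnection time only the "[SCHEMA]" form is accepted.
function checkExtAuthUserCurrent(opts, inCreatePool) {
  if (!opts.externalAuth) return { proxyTarget: null };
  if (opts.password) {
    throw new ExtAuthError(ERR_WRONG_CRED_FOR_EXTAUTH,
      "password cannot be set when using external authentication");
  }
  if (opts.user) {
    if (inCreatePool) {
      throw new ExtAuthError(ERR_WRONG_CRED_FOR_EXTAUTH,
        "user name cannot be set when using external authentication");
    }
    if (!isBracketedProxyUser(opts.user)) {
      throw new ExtAuthError(ERR_WRONG_USER_FORMAT_EXTAUTH_PROXY,
        "proxy user must be enclosed in []");
    }
    return { proxyTarget: opts.user.slice(1, -1) };
  }
  return { proxyTarget: null };
}

// Relaxed variant matching what the reporter asks for: the pool path uses the
// same rule as the single-connection path. Bare user names and passwords are
// still refused, so no stored credential can enter an externally authenticated pool.
function checkExtAuthUserRelaxed(opts) {
  return checkExtAuthUserCurrent(opts, false);
}
```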
