Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1vskRi-000AM7-1x
	for pgsql-hackers@arkaria.postgresql.org;
	Wed, 18 Feb 2026 16:30:39 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.96)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1vskRh-00Gq23-2g
	for pgsql-hackers@arkaria.postgresql.org;
	Wed, 18 Feb 2026 16:30:37 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <daniel@yesql.se>)
	id 1vskRh-00Gq1p-1m
	for pgsql-hackers@lists.postgresql.org;
	Wed, 18 Feb 2026 16:30:37 +0000
Received: from smtp.outgoing.loopia.se ([93.188.3.37])
	by magus.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.98.2)
	(envelope-from <daniel@yesql.se>)
	id 1vskRf-00000001O7o-2xTE
	for pgsql-hackers@lists.postgresql.org;
	Wed, 18 Feb 2026 16:30:37 +0000
Received: from s807.loopia.se (localhost [127.0.0.1])
	by s807.loopia.se (Postfix) with ESMTP id 4CF4F554818
	for <pgsql-hackers@lists.postgresql.org>; Wed, 18 Feb 2026 17:30:35 +0100 (CET)
Received: from s979.loopia.se (unknown [172.22.191.6])
	by s807.loopia.se (Postfix) with ESMTP id 3DBFB553FD7;
	Wed, 18 Feb 2026 17:30:35 +0100 (CET)
Received: from s473.loopia.se (unknown [172.22.191.5])
	by s979.loopia.se (Postfix) with ESMTP id 3A6F410BC4C1;
	Wed, 18 Feb 2026 17:30:35 +0100 (CET)
X-Virus-Scanned: amavisd-new at amavis.loopia.se
X-Spam-Flag: NO
X-Spam-Score: -1.2
X-Spam-Level:
X-Spam-Status: No, score=-1.2 tagged_above=-999 required=6.2
 tests=[ALL_TRUSTED=-1, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
 DKIM_VALID_EF=-0.1] autolearn=disabled
Authentication-Results: s473.loopia.se (amavisd-new); dkim=pass (2048-bit key)
 header.d=yesql.se
Received: from s934.loopia.se ([172.22.191.6])
 by s473.loopia.se (s473.loopia.se [172.22.190.13]) (amavisd-new, port 10024)
 with LMTP id pta_OmzipY8S; Wed, 18 Feb 2026 17:30:35 +0100 (CET)
X-Loopia-Auth: user
X-Loopia-User: daniel@yesql.se
X-Loopia-Originating-IP: 89.255.232.236
Received: from smtpclient.apple (customer-89-255-232-236.stosn.net [89.255.232.236])
	(Authenticated sender: daniel@yesql.se)
	by s934.loopia.se (Postfix) with ESMTPSA id B59BD7CEA50;
	Wed, 18 Feb 2026 17:30:34 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yesql.se;
	s=loopiadkim1707475645; t=1771432234;
	bh=EVTrDNNEUCiXNMgdAnjuAR7wASfwSULu8fpUh0Gpvlc=;
	h=Subject:From:In-Reply-To:Date:Cc:References:To;
	b=bEQM/ZcKC56IdEdmnsvr13re4egR5na2+8EEHe71JJ8jK7z2rpMZfA9GO/JnktLeM
	 VjY6Y4Buk7PznarpHnr2NKmvNUZEbFs1yQJUCVk1alvN+T6527va9yV3nmLNa2PS9q
	 lLA6O2UQbCjAsDa6icPHuhAE8wQem7mm0Ez7QeC/2DwUaoj1wbcRoDoJ5lqNT9tsa5
	 oekwQfQzwritLqpdDZWPCoeK7MQ8CsuDyuuqefRAj+NQ9s9Dv1IHKhVcHSzpx7/SQB
	 3RideneCuoHfNTnpDUbACiTVa1z69W7ibUxzCy63m3La+MiDP1s7FX4vIj8hbj0DUE
	 5SvpjajIOs1pg==
Content-Type: text/plain;
	charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3776.700.51.11.2\))
Subject: Re: [OAuth2] Infrastructure for tracking token expiry time
From: Daniel Gustafsson <daniel@yesql.se>
In-Reply-To: <CAN4CZFPKY2m1bEm51g-1jmBfCMohfe5VFoKuCnbhiGP1FBBNrQ@mail.gmail.com>
Date: Wed, 18 Feb 2026 17:30:24 +0100
Cc: Ajit Awekar <ajitpostgres@gmail.com>,
 VASUKI M <vasukianand0119@gmail.com>,
 PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <7F3C1A8B-F0FF-49BF-A53C-DC043BBB1FE7@yesql.se>
References: <CAER375PhG5an=p1=6QS6vWi=BHxR+ViJmYPDkkEtpgVsfCcu_w@mail.gmail.com>
 <CAE2r8H5QAng_rRrkVmGbLuQSgbMz94tpOOOdJKeuHj=go0nXqg@mail.gmail.com>
 <CAN4CZFOe-0jTR7_s2uciX9TNKxRvd2h8avAw9iFO6VPu0CChsQ@mail.gmail.com>
 <CAER375Oh6U_kqP0SK8OP47vy3PBd4p1C027Gaod3B2bqKgMFoQ@mail.gmail.com>
 <CAN4CZFNV69LS6H87sV-iPO9w_V-_uko4_G_0QKb1cokJvWhF6g@mail.gmail.com>
 <CAE2r8H6Tc6F2BM-JqC+gp-HQKCzfHOx02Xj5MmuS-AY4jfN5iw@mail.gmail.com>
 <CAER375Mtf-7LcR1zNks67k57r3b5yTy9sHxRQ78Y1+xmTVncMw@mail.gmail.com>
 <D3C75650-2FED-41B3-A6BF-E4D8F9E40EAE@yesql.se>
 <CAN4CZFPKY2m1bEm51g-1jmBfCMohfe5VFoKuCnbhiGP1FBBNrQ@mail.gmail.com>
To: Zsolt Parragi <zsolt.parragi@percona.com>
X-Mailer: Apple Mail (2.3776.700.51.11.2)
List-Id: <pgsql-hackers.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-hackers@lists.postgresql.org>
List-Owner: <mailto:pgsql-hackers-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-hackers>
Archived-At: <https://www.postgresql.org/message-id/7F3C1A8B-F0FF-49BF-A53C-DC043BBB1FE7%40yesql.se>
Precedence: bulk

> On 18 Feb 2026, at 13:04, Zsolt Parragi <zsolt.parragi@percona.com> =
wrote:

>> 2. Terminating sessions with expired/revoked tokens before executing =
new
>> commands.
>=20
>> Token expiration is IMHO not a use case for a FATAL error, if we want =
to
>> terminate a connection we can do it in a more graceful way.
>=20
> There are different reasons for token expiration, one is a simple
> timeout where all we have to do is communicate to the client that we
> need a refresh (gracefully), and the other is where a token is
> immediately revoked because of a security incident, in which case
> immediate termination is a good practice.

I understand these cases and agree that there are different needs for =
messaging
to the user for these cases, but I still think that neither should =
overload
what FATAL error means.  The mechanism used is however a secondary =
discussion,
first thing to get in place is a design for how to handle mid-connection
credential expiration.

--
Daniel Gustafsson