public inbox for [email protected]
help / color / mirror / Atom feedFrom: VASUKI M <[email protected]>
To: Ajit Awekar <[email protected]>
Cc: PostgreSQL Hackers <[email protected]>
Subject: Re: [OAuth2] Infrastructure for tracking token expiry time
Date: Mon, 16 Feb 2026 16:00:45 +0530
Message-ID: <CAE2r8H5QAng_rRrkVmGbLuQSgbMz94tpOOOdJKeuHj=go0nXqg@mail.gmail.com> (raw)
In-Reply-To: <CAER375PhG5an=p1=6QS6vWi=BHxR+ViJmYPDkkEtpgVsfCcu_w@mail.gmail.com>
References: <CAER375PhG5an=p1=6QS6vWi=BHxR+ViJmYPDkkEtpgVsfCcu_w@mail.gmail.com>
On Mon, Feb 16, 2026 at 3:44 PM Ajit Awekar <[email protected]> wrote:
> Hi Hackers,
>
> Currently, during OAuth2 authentication, the ValidatorModuleResult
> structure allows a validator(extension) to return the authentication status
> and the authn_id.
> However, we ignore the token expiry time (exp claim).
>
> Once a token is validated, the backend has no record of when that token
> actually expires. A session can remain open indefinitely even if the
> underlying access token has expired shortly after the connection was
> established.
>
> This patch adds the infrastructure to capture and store this expiration
> timestamp within the backend session state. It does not implement an
> enforcement policy (such as auto-termination).
>
Hi Ajit,
Thanks for working on this. Storing the token expiry in the backend session
state makes sense as groundwork for future enforcement.
I had a couple of questions while reading the patch.
First, is Port always zero-initialized? If not, we might want to explicitly
initialize the new expiry field to a known value. Right now it looks like
we’re relying on zero to mean “not provided”, but since TimestampTz value 0
is a valid timestamp (Postgres epoch), I’m wondering whether it would be
clearer to use an explicit invalid/sentinel value instead.
Also, in the case where the validator returns an expiry that is already in
the past, should we reject the authentication immediately? Or is that
expected to be fully handled inside the validator module?
Finally, do you have a particular enforcement model in mind for follow-up
work (e.g., check at statement start, transaction boundaries, or via some
timeout mechanism)? It would help to understand how you see this being used.
The change itself looks straightforward, just trying to clarify the
intended semantics.
Best regards,
Vasuki M
C-DAC,Chennai.
view thread (3+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected]
Subject: Re: [OAuth2] Infrastructure for tracking token expiry time
In-Reply-To: <CAE2r8H5QAng_rRrkVmGbLuQSgbMz94tpOOOdJKeuHj=go0nXqg@mail.gmail.com>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox