public inbox for [email protected]
help / color / mirror / Atom feedRe: [OAuth2] Infrastructure for tracking token expiry time
3+ messages / 3 participants
[nested] [flat]
* Re: [OAuth2] Infrastructure for tracking token expiry time
@ 2026-02-16 10:30 VASUKI M <[email protected]>
0 siblings, 1 reply; 3+ messages in thread
From: VASUKI M @ 2026-02-16 10:30 UTC (permalink / raw)
To: Ajit Awekar <[email protected]>; +Cc: PostgreSQL Hackers <[email protected]>
On Mon, Feb 16, 2026 at 3:44 PM Ajit Awekar <[email protected]> wrote:
> Hi Hackers,
>
> Currently, during OAuth2 authentication, the ValidatorModuleResult
> structure allows a validator(extension) to return the authentication status
> and the authn_id.
> However, we ignore the token expiry time (exp claim).
>
> Once a token is validated, the backend has no record of when that token
> actually expires. A session can remain open indefinitely even if the
> underlying access token has expired shortly after the connection was
> established.
>
> This patch adds the infrastructure to capture and store this expiration
> timestamp within the backend session state. It does not implement an
> enforcement policy (such as auto-termination).
>
Hi Ajit,
Thanks for working on this. Storing the token expiry in the backend session
state makes sense as groundwork for future enforcement.
I had a couple of questions while reading the patch.
First, is Port always zero-initialized? If not, we might want to explicitly
initialize the new expiry field to a known value. Right now it looks like
we’re relying on zero to mean “not provided”, but since TimestampTz value 0
is a valid timestamp (Postgres epoch), I’m wondering whether it would be
clearer to use an explicit invalid/sentinel value instead.
Also, in the case where the validator returns an expiry that is already in
the past, should we reject the authentication immediately? Or is that
expected to be fully handled inside the validator module?
Finally, do you have a particular enforcement model in mind for follow-up
work (e.g., check at statement start, transaction boundaries, or via some
timeout mechanism)? It would help to understand how you see this being used.
The change itself looks straightforward, just trying to clarify the
intended semantics.
Best regards,
Vasuki M
C-DAC,Chennai.
^ permalink raw reply [nested|flat] 3+ messages in thread
* Re: [OAuth2] Infrastructure for tracking token expiry time
@ 2026-02-16 19:40 Zsolt Parragi <[email protected]>
parent: VASUKI M <[email protected]>
0 siblings, 1 reply; 3+ messages in thread
From: Zsolt Parragi @ 2026-02-16 19:40 UTC (permalink / raw)
To: VASUKI M <[email protected]>; +Cc: Ajit Awekar <[email protected]>; PostgreSQL Hackers <[email protected]>
Hello
This API looks simple for providers that use JWT access tokens, but
what about providers that use opaque tokens and an introspection API
to check validity instead? Some validators might not be able to
provide anything meaningful without a periodic call to a "check
validity now" method, and even some providers that use JWT access
tokens support immediate revocation, where these periodic checks would
be useful.
^ permalink raw reply [nested|flat] 3+ messages in thread
* Re: [OAuth2] Infrastructure for tracking token expiry time
@ 2026-02-17 05:20 Ajit Awekar <[email protected]>
parent: Zsolt Parragi <[email protected]>
0 siblings, 0 replies; 3+ messages in thread
From: Ajit Awekar @ 2026-02-17 05:20 UTC (permalink / raw)
To: Zsolt Parragi <[email protected]>; +Cc: VASUKI M <[email protected]>; PostgreSQL Hackers <[email protected]>
Thanks Vasuki and Zsolt for your reply and comments.
>> First, is Port always zero-initialized? If not, we might want to
explicitly initialize the new expiry field to a known value. Right now it
looks like we’re relying on zero to mean “not provided”, but since
TimestampTz value 0 is a valid timestamp (Postgres epoch), I’m wondering
whether it would be clearer to use an explicit invalid/sentinel value
instead.
I agree. The attached patch value is now initialised to
sentinel DT_NOBEGIN to indicate no expiry value has been provided yet.
>> Also, in the case where the validator returns an expiry that is already
in the past, should we reject the authentication immediately? Or is that
expected to be fully handled inside the validator module?
The design assumes that the Validator module will handle the immediate
rejection of tokens already in the past. The expiry field is intended for
the backend to manage session life after successful authentication
>> Finally, do you have a particular enforcement model in mind for
follow-up work (e.g., check at statement start, transaction boundaries, or
via some timeout mechanism)? It would help to understand how you see this
being used.
Ideally we should check this at statement start.
>> This API looks simple for providers that use JWT access tokens, but
what about providers that use opaque tokens and an introspection API
to check validity instead?
For providers using opaque tokens or introspection APIs where an 'exp'
claim might be missing, the API remains compatible by allowing the
validator to return DT_NOBEGIN.
Request a review.
Thanks & Best Regards,
Ajit
On Tue, 17 Feb 2026 at 01:10, Zsolt Parragi <[email protected]>
wrote:
> Hello
>
> This API looks simple for providers that use JWT access tokens, but
> what about providers that use opaque tokens and an introspection API
> to check validity instead? Some validators might not be able to
> provide anything meaningful without a periodic call to a "check
> validity now" method, and even some providers that use JWT access
> tokens support immediate revocation, where these periodic checks would
> be useful.
>
Attachments:
[text/x-patch] password_expiry_oauth_V1.diff (2.1K, 3-password_expiry_oauth_V1.diff)
download | inline diff:
diff --git a/src/backend/libpq/auth-oauth.c b/src/backend/libpq/auth-oauth.c
index 11365048951..3f46ab6b7bc 100644
--- a/src/backend/libpq/auth-oauth.c
+++ b/src/backend/libpq/auth-oauth.c
@@ -684,6 +684,13 @@ validate(Port *port, const char *auth)
goto cleanup;
}
+ /*
+ * Store the token expiration time in the Port structure. This allows
+ * the backend to enforce session limits.Validators should set this to
+ * DT_NOBEGIN if no expiry is available.
+ */
+ port->expiry = ret->expiry;
+
if (port->hba->oauth_skip_usermap)
{
/*
diff --git a/src/backend/libpq/pqcomm.c b/src/backend/libpq/pqcomm.c
index 6570f27297b..add3800fbd4 100644
--- a/src/backend/libpq/pqcomm.c
+++ b/src/backend/libpq/pqcomm.c
@@ -319,6 +319,12 @@ pq_init(ClientSocket *client_sock)
Assert(socket_pos == FeBeWaitSetSocketPos);
Assert(latch_pos == FeBeWaitSetLatchPos);
+ /*
+ * Set the initial session expiry to DT_NOBEGIN to indicate no value has been
+ * provided yet.
+ */
+ port->expiry = DT_NOBEGIN;
+
return port;
}
diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h
index 921b2daa4ff..9bc9625d0ba 100644
--- a/src/include/libpq/libpq-be.h
+++ b/src/include/libpq/libpq-be.h
@@ -238,6 +238,14 @@ typedef struct Port
char *raw_buf;
ssize_t raw_buf_consumed,
raw_buf_remaining;
+
+ /*
+ * The expiration time of the authentication credential. If non-zero, it
+ * represents the point in time after which the current session is considered
+ * invalid.
+ */
+ TimestampTz expiry;
+
} Port;
/*
diff --git a/src/include/libpq/oauth.h b/src/include/libpq/oauth.h
index 4a822e9a1f2..f15f759718f 100644
--- a/src/include/libpq/oauth.h
+++ b/src/include/libpq/oauth.h
@@ -49,6 +49,13 @@ typedef struct ValidatorModuleResult
* delegation. See the validator module documentation for details.
*/
char *authn_id;
+
+ /*
+ * The expiration time of the token (e.g., from the 'exp' claim).
+ * If provided, the backend can use this to limit session duration.
+ * Validators should set this to DT_NOBEGIN if no expiry is available.
+ */
+ TimestampTz expiry;
} ValidatorModuleResult;
/*
^ permalink raw reply [nested|flat] 3+ messages in thread
end of thread, other threads:[~2026-02-17 05:20 UTC | newest]
Thread overview: 3+ messages (download: mbox mbox.gz follow: Atom feed)
-- links below jump to the message on this page --
2026-02-16 10:30 Re: [OAuth2] Infrastructure for tracking token expiry time VASUKI M <[email protected]>
2026-02-16 19:40 ` Zsolt Parragi <[email protected]>
2026-02-17 05:20 ` Ajit Awekar <[email protected]>
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox