MIME-Version: 1.0
References: <CAER375PhG5an=p1=6QS6vWi=BHxR+ViJmYPDkkEtpgVsfCcu_w@mail.gmail.com>
In-Reply-To: <CAER375PhG5an=p1=6QS6vWi=BHxR+ViJmYPDkkEtpgVsfCcu_w@mail.gmail.com>
From: VASUKI M <vasukianand0119@gmail.com>
Date: Mon, 16 Feb 2026 16:00:45 +0530
Message-ID: <CAE2r8H5QAng_rRrkVmGbLuQSgbMz94tpOOOdJKeuHj=go0nXqg@mail.gmail.com>
Subject: Re: [OAuth2] Infrastructure for tracking token expiry time
To: Ajit Awekar <ajitpostgres@gmail.com>
Cc: PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Content-Type: multipart/alternative; boundary="00000000000000f8b5064aee725b"
Archived-At: <https://www.postgresql.org/message-id/CAE2r8H5QAng_rRrkVmGbLuQSgbMz94tpOOOdJKeuHj%3Dgo0nXqg%40mail.gmail.com>
Precedence: bulk

--00000000000000f8b5064aee725b
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Mon, Feb 16, 2026 at 3:44=E2=80=AFPM Ajit Awekar <ajitpostgres@gmail.com=
> wrote:

> Hi Hackers,
>
> Currently, during OAuth2 authentication,  the ValidatorModuleResult
> structure allows a validator(extension) to return the authentication stat=
us
> and the authn_id.
> However, we ignore the token expiry time (exp claim).
>
> Once a token is validated, the backend has no record of when that token
> actually expires. A session can remain open indefinitely even if the
> underlying access token has expired shortly after the connection was
> established.
>
> This patch adds the infrastructure to capture and store this expiration
> timestamp within the backend session state. It does not implement an
> enforcement policy (such as auto-termination).
>

Hi Ajit,

Thanks for working on this. Storing the token expiry in the backend session
state makes sense as groundwork for future enforcement.

I had a couple of questions while reading the patch.

First, is Port always zero-initialized? If not, we might want to explicitly
initialize the new expiry field to a known value. Right now it looks like
we=E2=80=99re relying on zero to mean =E2=80=9Cnot provided=E2=80=9D, but s=
ince TimestampTz value 0
is a valid timestamp (Postgres epoch), I=E2=80=99m wondering whether it wou=
ld be
clearer to use an explicit invalid/sentinel value instead.

Also, in the case where the validator returns an expiry that is already in
the past, should we reject the authentication immediately? Or is that
expected to be fully handled inside the validator module?

Finally, do you have a particular enforcement model in mind for follow-up
work (e.g., check at statement start, transaction boundaries, or via some
timeout mechanism)? It would help to understand how you see this being used=
.

The change itself looks straightforward, just trying to clarify the
intended semantics.

Best regards,
Vasuki M
C-DAC,Chennai.

--00000000000000f8b5064aee725b
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr"><div>On Mon, Feb 16, 2026 at 3:44=E2=80=
=AFPM Ajit Awekar &lt;<a href=3D"mailto:ajitpostgres@gmail.com">ajitpostgre=
s@gmail.com</a>&gt; wrote:</div></div><div class=3D"gmail_quote gmail_quote=
_container"><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0=
.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"l=
tr">Hi Hackers,<br><br>Currently, during OAuth2 authentication, =C2=A0the V=
alidatorModuleResult structure allows a validator(extension) to return the =
authentication status and the authn_id.<br>However, we ignore the token exp=
iry time (exp claim).<div><br>Once a token is validated, the backend has no=
 record of when that token actually expires. A session can remain open inde=
finitely even if the underlying access token has expired shortly after the =
connection was established.<br><br>This patch adds the infrastructure to ca=
pture and store this expiration timestamp within the backend session state.=
 It does not implement an enforcement policy (such as auto-termination).<br=
></div></div></blockquote><div><br></div>Hi Ajit,<br><br>Thanks for working=
 on this. Storing the token expiry in the backend session state makes sense=
 as groundwork for future enforcement.<br><br>I had a couple of questions w=
hile reading the patch.<br><br>First, is Port always zero-initialized? If n=
ot, we might want to explicitly initialize the new expiry field to a known =
value. Right now it looks like we=E2=80=99re relying on zero to mean =E2=80=
=9Cnot provided=E2=80=9D, but since TimestampTz value 0 is a valid timestam=
p (Postgres epoch), I=E2=80=99m wondering whether it would be clearer to us=
e an explicit invalid/sentinel value instead.<br><br>Also, in the case wher=
e the validator returns an expiry that is already in the past, should we re=
ject the authentication immediately? Or is that expected to be fully handle=
d inside the validator module?<br><br>Finally, do you have a particular enf=
orcement model in mind for follow-up work (e.g., check at statement start, =
transaction boundaries, or via some timeout mechanism)? It would help to un=
derstand how you see this being used.<br><br>The change itself looks straig=
htforward, just trying to clarify the intended semantics.<br><br>Best regar=
ds,<br><div>Vasuki M<br>C-DAC,Chennai.=C2=A0</div></div></div>

--00000000000000f8b5064aee725b--