Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vsDVp-00BMZk-3A for pgsql-hackers@arkaria.postgresql.org; Tue, 17 Feb 2026 05:20:42 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1vsDVo-0085gI-2G for pgsql-hackers@arkaria.postgresql.org; Tue, 17 Feb 2026 05:20:40 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vsDVo-0085fz-0y for pgsql-hackers@lists.postgresql.org; Tue, 17 Feb 2026 05:20:40 +0000 Received: from mail-lf1-x12e.google.com ([2a00:1450:4864:20::12e]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.98.2) (envelope-from ) id 1vsDVl-000000010QI-3ZtP for pgsql-hackers@lists.postgresql.org; Tue, 17 Feb 2026 05:20:39 +0000 Received: by mail-lf1-x12e.google.com with SMTP id 2adb3069b0e04-59b672f8ec4so3545242e87.1 for ; Mon, 16 Feb 2026 21:20:38 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1771305637; cv=none; d=google.com; s=arc-20240605; b=fDoVp4nyrWjIUUdb5drGht01l/GJDGC3nx0e8q+Z00yfTgF3B++DSutQSx6ieadWSX 7G/O8bpZ3XtZX7h+pfpJZrsANXZP9fNx20OHj9OO3MAuouiNUU6MiG36bQZb4LsHSRKk bMSfOeZmoMLAPENXyc9+EtN+8nZkBk9de35Ze5odtCUONSPRwZb+pxMazu44U4NiizJ1 YaokP7jVLFFCmuXORTWrbnUBslzkhDU8GjklpYtgPIDjLYhFDtJu2fofjQ7KHvQuxD8T gqNigh8aKWV6yQ+KTycmYjyUs1JwFfloOA9K6AQdqXowdWF0G9/tk/+ZHl89aLZHvYH+ 5iZA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=zKmRTG5/jR0QtrcA5CEeTipgO49yBfMxjpCQirDHge8=; fh=tonR0YgXlTq7aMHYgdWQHze3tL1Dycz4bF/JFOohvVk=; b=HyHYqGRqTTW7Q2yeC+mXi7PJHxFdnajoxXjoshT4045Sk6P66o1iV2lJHTckyKwAde NP3Rs3cFYXEBtq3rN8uKLkwAEsEl7PT1BmagrwKke5458pd45sE+jQPiILx1gvsW8eof 2cb1Esm7ud87cvR/Xf9a828hancMwvQZdmmq7g/W322jDF9DgBUz7tE9jJv/f5GHdFJk 943WuGyDAPmhO7e+3hApf40381grsHDcLuczCHlvqrXlGN6HLp0sOOPnx1IuX5g3UC1m bOjIx9B+bBCjM4DRniU3UhqyX+r1iVPXi7VSD2c8XqbNbUwgSxkWe+xh7BSdr/hrZ7tu 6Jvg==; darn=lists.postgresql.org ARC-Authentication-Results: i=1; mx.google.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1771305637; x=1771910437; darn=lists.postgresql.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=zKmRTG5/jR0QtrcA5CEeTipgO49yBfMxjpCQirDHge8=; b=CBL9VsEi2I7AZxg7L/MCywZGnON5bC59Bsqnrida+qevBktTSFIouIE0KO9YfO4neb VT0WFLCzhcH1UHE7WoG2sNgd3hrg5CWw6n+g/Ua8I3U+TzX5AgDPeyWBTunvhkOkGW7L bjn0vuq4UCbU9JDiQwE3GNrIYW0t/6tClohK97dZHuxzpTuKrLt1fQIKU7iwNePV+aGl Xr5DOr8NPgch9mYDwW4HmRKUVG86TP9HPhRGT68zZY6NA+ajWRdXhFnY2zaCO8Il0Ve5 xH0dDTS+lOpAm/iMmYYlCUFrT5Y5WZ+qYJx+9YCAOnUSIvQAK6VwxjwZ2uWxOif5NKA1 AjoA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1771305637; x=1771910437; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=zKmRTG5/jR0QtrcA5CEeTipgO49yBfMxjpCQirDHge8=; b=pioTDn338pYGBpOD6IrdLNWKUI+yLlvi2SiI/7B9GSapjlTuoRuLOevQzwKpVDS8gs XVhRS6thIRojDuzM5uakLugOOnYP3REKeMMt84soHbpszUkoppjS0ydiv1sLMofa3VMk GQSVAmOK0xz0dy483oyBCjNiUoXh9Bh033siFfH5il/9XPdEgflQBCEltozLoTr1kQWJ YCv227hi0Rd0lVZbjoTktcPPY58bf6wA7jTuKPJMcFSG0N4n0D9a77tT1sVhdwod4sS6 Jc2RWQo6C1kNQSW7LOLBTHi86esBZi+/37g4PNn5fd7AMAs3Twq/uVf9RC3Tt41fyukd Vqow== X-Forwarded-Encrypted: i=1; AJvYcCXxFpAsgLqyK90jvufmTM02BfUHuQL8JFa4ZRMCEWAsEqnX0PdCdUSleVVgLgSrYODt1ofQA+VY+TmSeu34@lists.postgresql.org X-Gm-Message-State: AOJu0YyDQqvVn2NXef2aQt/PHQ9ridoSA1OWyJ7i4lw0Hnk7rJRBC13C +fgBh2aDFBYJy4ftkHE3XpZH4cyvhhxz2qnUBJ6LMdxGTVvVbujzoPJjGulJsJ2Utz/4eP+CcMV 0atikaTaG3478poQzeSnVXdlrh2L2sX0= X-Gm-Gg: AZuq6aLbfon0pTZH/fsu01rG5IyC3d+pFTjywRpCf2sq7c1kkMxI7870yun3a6/lcEr I822dQ7qcjsds7CIpVkKAjd3QTOe18jgmJ1KtmUbu+dOOc9IhWm1A//wQy8ufcSPYfs0cfISgQV MYbPaFDboCdjT1pdC6twzG8hg+9yEPl9iDp5PsbT7/8BA8gVzzL3LN6bni8WDLnd4yWiXu4H6NZ oof9Xv2nSz5MbUPjv+t2e2BxCQnbNyEy+g28HTq69zk7/1LGtaVV682kXI0gBxaj/rGxTBDZycd VVvV6DFoAG6SiUlpZXnh1MpRouEj4hrbwFkv X-Received: by 2002:a05:6512:3b11:b0:59e:1880:2ef7 with SMTP id 2adb3069b0e04-59f69c207f0mr3883670e87.11.1771305636777; Mon, 16 Feb 2026 21:20:36 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: Ajit Awekar Date: Tue, 17 Feb 2026 10:50:24 +0530 X-Gm-Features: AaiRm51-qZCPAr93co8ysxP2qrpioWHwrExG8UxtMuxupQtUC2jrYdYEDNqHYUo Message-ID: Subject: Re: [OAuth2] Infrastructure for tracking token expiry time To: Zsolt Parragi Cc: VASUKI M , PostgreSQL Hackers Content-Type: multipart/mixed; boundary="00000000000044e828064afe3b27" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --00000000000044e828064afe3b27 Content-Type: multipart/alternative; boundary="00000000000044e826064afe3b25" --00000000000044e826064afe3b25 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Thanks Vasuki and Zsolt for your reply and comments. >> First, is Port always zero-initialized? If not, we might want to explicitly initialize the new expiry field to a known value. Right now it looks like we=E2=80=99re relying on zero to mean =E2=80=9Cnot provided=E2= =80=9D, but since TimestampTz value 0 is a valid timestamp (Postgres epoch), I=E2=80=99m wond= ering whether it would be clearer to use an explicit invalid/sentinel value instead. I agree. The attached patch value is now initialised to sentinel DT_NOBEGIN to indicate no expiry value has been provided yet. >> Also, in the case where the validator returns an expiry that is already in the past, should we reject the authentication immediately? Or is that expected to be fully handled inside the validator module? The design assumes that the Validator module will handle the immediate rejection of tokens already in the past. The expiry field is intended for the backend to manage session life after successful authentication >> Finally, do you have a particular enforcement model in mind for follow-up work (e.g., check at statement start, transaction boundaries, or via some timeout mechanism)? It would help to understand how you see this being used. Ideally we should check this at statement start. >> This API looks simple for providers that use JWT access tokens, but what about providers that use opaque tokens and an introspection API to check validity instead? For providers using opaque tokens or introspection APIs where an 'exp' claim might be missing, the API remains compatible by allowing the validator to return DT_NOBEGIN. Request a review. Thanks & Best Regards, Ajit On Tue, 17 Feb 2026 at 01:10, Zsolt Parragi wrote: > Hello > > This API looks simple for providers that use JWT access tokens, but > what about providers that use opaque tokens and an introspection API > to check validity instead? Some validators might not be able to > provide anything meaningful without a periodic call to a "check > validity now" method, and even some providers that use JWT access > tokens support immediate revocation, where these periodic checks would > be useful. > --00000000000044e826064afe3b25 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Thanks Vasuki and Zsolt for your reply and comments.<= /div>

>>=C2=A0First, is Port always zero-initializ= ed? If not, we might want to=20 explicitly initialize the new expiry field to a known value. Right now=20 it looks like we=E2=80=99re relying on zero to mean =E2=80=9Cnot provided= =E2=80=9D, but since=20 TimestampTz value 0 is a valid timestamp (Postgres epoch), I=E2=80=99m wond= ering whether it would be clearer to use an explicit invalid/sentinel value=20 instead.
I agree. The attached patch value is now initialised to = sentinel=C2=A0DT_NOBEGIN=C2=A0to indicate no expiry value has been provided= yet.

>>=C2=A0Also, in the case where the va= lidator returns an expiry that is already=20 in the past, should we reject the authentication immediately? Or is that expected to be fully handled inside the validator module?
The de= sign assumes that the Validator module will handle the immediate rejection = of tokens already in the past. The expiry field is intended for the backend= to manage session life after successful authentication

>>=C2=A0Finally, do you have a particular enforcemen= t model in mind for=20 follow-up work (e.g., check at statement start, transaction boundaries,=20 or via some timeout mechanism)? It would help to understand how you see=20 this being used.
Ideally we should check this at statement start.=

>>=C2=A0This API looks simple fo= r providers that use JWT access tokens, but
what about providers that use opaque tokens and an introspection API
to = check validity instead?
For providers using opaque tokens or intr= ospection APIs where an 'exp' claim might be missing, the API remai= ns compatible by allowing the validator to return DT_NOBEGIN.
Request a review.

Thanks & Best Re= gards,
Ajit

On Tue, 17 Feb 2026 at 01:= 10, Zsolt Parragi <zsolt.pa= rragi@percona.com> wrote:
Hello

This API looks simple for providers that use JWT access tokens, but
what about providers that use opaque tokens and an introspection API
to check validity instead? Some validators might not be able to
provide anything meaningful without a periodic call to a "check
validity now" method, and even some providers that use JWT access
tokens support immediate revocation, where these periodic checks would
be useful.
--00000000000044e826064afe3b25-- --00000000000044e828064afe3b27 Content-Type: text/x-patch; charset="US-ASCII"; name="password_expiry_oauth_V1.diff" Content-Disposition: attachment; filename="password_expiry_oauth_V1.diff" Content-Transfer-Encoding: base64 Content-ID: X-Attachment-Id: f_mlq5jmq00 ZGlmZiAtLWdpdCBhL3NyYy9iYWNrZW5kL2xpYnBxL2F1dGgtb2F1dGguYyBiL3NyYy9iYWNrZW5k L2xpYnBxL2F1dGgtb2F1dGguYwppbmRleCAxMTM2NTA0ODk1MS4uM2Y0NmFiNmI3YmMgMTAwNjQ0 Ci0tLSBhL3NyYy9iYWNrZW5kL2xpYnBxL2F1dGgtb2F1dGguYworKysgYi9zcmMvYmFja2VuZC9s aWJwcS9hdXRoLW9hdXRoLmMKQEAgLTY4NCw2ICs2ODQsMTMgQEAgdmFsaWRhdGUoUG9ydCAqcG9y dCwgY29uc3QgY2hhciAqYXV0aCkKIAkJZ290byBjbGVhbnVwOwogCX0KIAorCS8qCisJICogU3Rv cmUgdGhlIHRva2VuIGV4cGlyYXRpb24gdGltZSBpbiB0aGUgUG9ydCBzdHJ1Y3R1cmUuIFRoaXMg YWxsb3dzCisJICogdGhlIGJhY2tlbmQgdG8gZW5mb3JjZSBzZXNzaW9uIGxpbWl0cy5WYWxpZGF0 b3JzIHNob3VsZCBzZXQgdGhpcyB0bworCSAqIERUX05PQkVHSU4gaWYgbm8gZXhwaXJ5IGlzIGF2 YWlsYWJsZS4KKwkgKi8KKwlwb3J0LT5leHBpcnkgPSByZXQtPmV4cGlyeTsKKwogCWlmIChwb3J0 LT5oYmEtPm9hdXRoX3NraXBfdXNlcm1hcCkKIAl7CiAJCS8qCmRpZmYgLS1naXQgYS9zcmMvYmFj a2VuZC9saWJwcS9wcWNvbW0uYyBiL3NyYy9iYWNrZW5kL2xpYnBxL3BxY29tbS5jCmluZGV4IDY1 NzBmMjcyOTdiLi5hZGQzODAwZmJkNCAxMDA2NDQKLS0tIGEvc3JjL2JhY2tlbmQvbGlicHEvcHFj b21tLmMKKysrIGIvc3JjL2JhY2tlbmQvbGlicHEvcHFjb21tLmMKQEAgLTMxOSw2ICszMTksMTIg QEAgcHFfaW5pdChDbGllbnRTb2NrZXQgKmNsaWVudF9zb2NrKQogCUFzc2VydChzb2NrZXRfcG9z ID09IEZlQmVXYWl0U2V0U29ja2V0UG9zKTsKIAlBc3NlcnQobGF0Y2hfcG9zID09IEZlQmVXYWl0 U2V0TGF0Y2hQb3MpOwogCisJLyoKKwkgKiBTZXQgdGhlIGluaXRpYWwgc2Vzc2lvbiBleHBpcnkg dG8gRFRfTk9CRUdJTiB0byBpbmRpY2F0ZSBubyB2YWx1ZSBoYXMgYmVlbgorCSAqIHByb3ZpZGVk IHlldC4KKwkgKi8KKwlwb3J0LT5leHBpcnkgPSBEVF9OT0JFR0lOOworCiAJcmV0dXJuIHBvcnQ7 CiB9CiAKZGlmZiAtLWdpdCBhL3NyYy9pbmNsdWRlL2xpYnBxL2xpYnBxLWJlLmggYi9zcmMvaW5j bHVkZS9saWJwcS9saWJwcS1iZS5oCmluZGV4IDkyMWIyZGFhNGZmLi45YmM5NjI1ZDBiYSAxMDA2 NDQKLS0tIGEvc3JjL2luY2x1ZGUvbGlicHEvbGlicHEtYmUuaAorKysgYi9zcmMvaW5jbHVkZS9s aWJwcS9saWJwcS1iZS5oCkBAIC0yMzgsNiArMjM4LDE0IEBAIHR5cGVkZWYgc3RydWN0IFBvcnQK IAljaGFyCSAgICpyYXdfYnVmOwogCXNzaXplX3QJCXJhd19idWZfY29uc3VtZWQsCiAJCQkJcmF3 X2J1Zl9yZW1haW5pbmc7CisKKwkvKgorCSAqIFRoZSBleHBpcmF0aW9uIHRpbWUgb2YgdGhlIGF1 dGhlbnRpY2F0aW9uIGNyZWRlbnRpYWwuIElmIG5vbi16ZXJvLCBpdAorCSAqIHJlcHJlc2VudHMg dGhlIHBvaW50IGluIHRpbWUgYWZ0ZXIgd2hpY2ggdGhlIGN1cnJlbnQgc2Vzc2lvbiBpcyBjb25z aWRlcmVkCisJICogaW52YWxpZC4KKwkgKi8KKwlUaW1lc3RhbXBUeiBleHBpcnk7CisKIH0gUG9y dDsKIAogLyoKZGlmZiAtLWdpdCBhL3NyYy9pbmNsdWRlL2xpYnBxL29hdXRoLmggYi9zcmMvaW5j bHVkZS9saWJwcS9vYXV0aC5oCmluZGV4IDRhODIyZTlhMWYyLi5mMTVmNzU5NzE4ZiAxMDA2NDQK LS0tIGEvc3JjL2luY2x1ZGUvbGlicHEvb2F1dGguaAorKysgYi9zcmMvaW5jbHVkZS9saWJwcS9v YXV0aC5oCkBAIC00OSw2ICs0OSwxMyBAQCB0eXBlZGVmIHN0cnVjdCBWYWxpZGF0b3JNb2R1bGVS ZXN1bHQKIAkgKiBkZWxlZ2F0aW9uLiBTZWUgdGhlIHZhbGlkYXRvciBtb2R1bGUgZG9jdW1lbnRh dGlvbiBmb3IgZGV0YWlscy4KIAkgKi8KIAljaGFyCSAgICphdXRobl9pZDsKKworCS8qCisJICog VGhlIGV4cGlyYXRpb24gdGltZSBvZiB0aGUgdG9rZW4gKGUuZy4sIGZyb20gdGhlICdleHAnIGNs YWltKS4KKwkgKiBJZiBwcm92aWRlZCwgdGhlIGJhY2tlbmQgY2FuIHVzZSB0aGlzIHRvIGxpbWl0 IHNlc3Npb24gZHVyYXRpb24uCisJICogVmFsaWRhdG9ycyBzaG91bGQgc2V0IHRoaXMgdG8gRFRf Tk9CRUdJTiBpZiBubyBleHBpcnkgaXMgYXZhaWxhYmxlLgorCSAqLworCVRpbWVzdGFtcFR6IGV4 cGlyeTsKIH0gVmFsaWRhdG9yTW9kdWxlUmVzdWx0OwogCiAvKgo= --00000000000044e828064afe3b27--