public inbox for [email protected]  
From: Ajit Awekar <[email protected]>
To: PostgreSQL Hackers <[email protected]>
Subject: [OAuth2] Infrastructure for tracking token expiry time
Date: Mon, 16 Feb 2026 14:40:36 +0530
Message-ID: <CAER375PhG5an=p1=6QS6vWi=BHxR+ViJmYPDkkEtpgVsfCcu_w@mail.gmail.com>

Hi Hackers,

Currently, during OAuth2 authentication, the ValidatorModuleResult
structure allows a validator (extension) to return the authentication status
and the authn_id.
However, we ignore the token expiry time (exp claim).

Once a token is validated, the backend has no record of when that token
actually expires. A session can remain open indefinitely even if the
underlying access token has expired shortly after the connection was
established.

This patch adds the infrastructure to capture and store this expiration
timestamp within the backend session state. It does not implement an
enforcement policy (such as auto-termination).

Request a review.

Thanks & Best Regards,
Ajit


Attachments:

  [application/octet-stream] password_expiry_oauth.diff (1.5K, 3-password_expiry_oauth.diff)
diff --git a/src/backend/libpq/auth-oauth.c b/src/backend/libpq/auth-oauth.c
index 11365048951..eef238417e7 100644
--- a/src/backend/libpq/auth-oauth.c
+++ b/src/backend/libpq/auth-oauth.c
@@ -684,6 +684,13 @@ validate(Port *port, const char *auth)
 		goto cleanup;
 	}
 
+	/*
+	 * Store the token expiration time in the Port structure. This allows
+	 * the backend to enforce session limits.
+	 */
+	if (ret->expiry > 0)
+		port->expiry = ret->expiry;
+
 	if (port->hba->oauth_skip_usermap)
 	{
 		/*
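Review bot: the `if (ret->expiry > 0)` guard stores the value but never compares it with the current time, so a validator that returns an expiry already in the past still yields an authenticated session carrying a stale `port->expiry`; either the block comment "This allows the backend to enforce session limits" should say plainly that enforcement is not part of this patch, or an expiry at or before `GetCurrentTimestamp()` should be treated as an authentication failure and take the same `goto cleanup` path as the error cases just above. The guard also silently discards zero or negative values, so 0 needs to be documented as "no expiry supplied" wherever the field is described.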
diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h
index 921b2daa4ff..9bc9625d0ba 100644
--- a/src/include/libpq/libpq-be.h
+++ b/src/include/libpq/libpq-be.h
@@ -238,6 +238,14 @@ typedef struct Port
 	char	   *raw_buf;
 	ssize_t		raw_buf_consumed,
 				raw_buf_remaining;
+
+	/*
+	 * The expiration time of the authentication credential. If non-zero, it
+	 * represents the point in time after which the current session is considered
+	 * invalid.
+	 */
+	TimestampTz expiry;
+
 } Port;
 
 /*
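Review bot: the field comment says that after `expiry` "the current session is considered invalid", but nothing in this patch reads `port->expiry` once it is set, so a reader of the header would assume an enforcement that does not exist; reword it to say the value is recorded for a future policy and that 0 means no expiry was provided, which is what the `> 0` guard in auth-oauth.c relies on. Style: drop the blank line between `TimestampTz expiry;` and `} Port;`.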
diff --git a/src/include/libpq/oauth.h b/src/include/libpq/oauth.h
index 4a822e9a1f2..e7e360d9416 100644
--- a/src/include/libpq/oauth.h
+++ b/src/include/libpq/oauth.h
@@ -49,6 +49,12 @@ typedef struct ValidatorModuleResult
 	 * delegation. See the validator module documentation for details.
 	 */
 	char	   *authn_id;
+
+	/*
+	 * The expiration time of the token (e.g., from the 'exp' claim).
+	 * If provided, the backend can use this to limit session duration.
+	 */
+	TimestampTz expiry;
 } ValidatorModuleResult;
 
 /*
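Review bot: the comment gives the JWT `exp` claim as the example source, but `exp` is seconds since the Unix epoch while `TimestampTz` is microseconds since 2000-01-01, so the comment should state that the validator is responsible for converting; a module that copies `exp` straight into `expiry` produces a timestamp decades in the past that still passes the `> 0` check in auth-oauth.c. Since this struct is the interface seen by validator modules, the "validator module documentation" referenced in the context lines above also needs an entry for the new field, including that leaving it 0 means no expiry is known.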

