From: Ajit Awekar
Date: Mon, 16 Feb 2026 14:40:36 +0530
Subject: [OAuth2] Infrastructure for tracking token expiry time
To: PostgreSQL Hackers

Hi Hackers,

Currently, during OAuth2 authentication, the ValidatorModuleResult structure allows a validator (extension) to return the authentication status and the authn_id.
However, we ignore the token expiry time (exp claim).

Once a token is validated, the backend has no record of when that token actually expires. A session can remain open indefinitely even if the underlying access token has expired shortly after the connection was established.

This patch adds the infrastructure to capture and store this expiration timestamp within the backend session state. It does not implement an enforcement policy (such as auto-termination).

Request a review.

Thanks & Best Regards,
Ajit
Attachment: password_expiry_oauth.diff
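As an added illustration of the gap the message describes (this is not code from the patch or from PostgreSQL): the example below reads the `exp` claim from an already-verified claims string, converts it from Unix seconds to the microseconds-since-2000-01-01 scale that PostgreSQL timestamps use, and records it so that a session which has outlived its token can be recognized. `DemoSession`, `claims_get_exp`, `exp_to_pg_usecs`, `session_outlived_token` and the sample claims are hypothetical names and constructed data.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Seconds from the Unix epoch (1970) to the PostgreSQL epoch (2000-01-01). */
#define PG_EPOCH_OFFSET_SECS INT64_C(946684800)
#define USECS_PER_SEC INT64_C(1000000)

/* Hypothetical session record; token_expiry == 0 means "not reported". */
typedef struct DemoSession { int64_t token_expiry; } DemoSession;

/* Read numeric "exp" (Unix seconds) from an already-verified claims string.
 * Minimal scanner for this example; a real validator uses a JSON parser. */
static int claims_get_exp(const char *json, int64_t *exp)
{
    const char *p = strstr(json, "\"exp\"");
    char *end;
    long long v;

    if (p == NULL) return -1;                       /* claim absent */
    for (p += 5; *p == ' ' || *p == '\t'; p++) ;    /* skip to the colon */
    if (*p++ != ':') return -1;
    errno = 0;
    v = strtoll(p, &end, 10);
    if (end == p || errno == ERANGE || v <= 0) return -1;  /* not a number */
    *exp = v;
    return 0;
}

/* Convert to microseconds since 2000-01-01; 0 if out of range. */
static int64_t exp_to_pg_usecs(int64_t exp_unix)
{
    if (exp_unix <= PG_EPOCH_OFFSET_SECS) return 0;
    int64_t secs = exp_unix - PG_EPOCH_OFFSET_SECS;
    if (secs > INT64_MAX / USECS_PER_SEC) return 0;  /* would overflow */
    return secs * USECS_PER_SEC;
}

/* True when the session is still open past the token's recorded expiry. */
static int session_outlived_token(const DemoSession *s, int64_t now_usecs)
{
    return s->token_expiry != 0 && now_usecs >= s->token_expiry;
}

int main(void)
{
    int64_t exp;
    DemoSession s = {0};
    /* Constructed claims: a token expiring one hour after this mail's date. */
    if (claims_get_exp("{\"sub\":\"alice\",\"exp\":1771236648}", &exp) == 0)
        s.token_expiry = exp_to_pg_usecs(exp);
    printf("expiry=%lld\n", (long long) s.token_expiry);
    return 0;
}
```
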