Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1vsF3H-00CYJd-2n
	for pgsql-hackers@arkaria.postgresql.org;
	Tue, 17 Feb 2026 06:59:19 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.96)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1vsF3G-008p3U-25
	for pgsql-hackers@arkaria.postgresql.org;
	Tue, 17 Feb 2026 06:59:18 +0000
Received: from makus.postgresql.org ([2001:4800:3e1:1::229])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <zsolt.parragi@percona.com>)
	id 1vsF3G-008p26-14
	for pgsql-hackers@lists.postgresql.org;
	Tue, 17 Feb 2026 06:59:18 +0000
Received: from mail-yw1-x112e.google.com ([2607:f8b0:4864:20::112e])
	by makus.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.98.2)
	(envelope-from <zsolt.parragi@percona.com>)
	id 1vsF3C-000000011AQ-2nt3
	for pgsql-hackers@lists.postgresql.org;
	Tue, 17 Feb 2026 06:59:17 +0000
Received: by mail-yw1-x112e.google.com with SMTP id 00721157ae682-797afd2e872so21625847b3.0
        for <pgsql-hackers@lists.postgresql.org>; Mon, 16 Feb 2026 22:59:15 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1771311555; cv=none;
        d=google.com; s=arc-20240605;
        b=KnINGjvD+9EUTcqy9ER8ZlRqBlAtab7P9C49WGJ+EL7px204lwSEc07j4WMhQxB8s1
         aMJ8twOw2i7kXK57WdNtID+QmYbvYrsVHEQF7geXxz28MNMu0LneE3Yi4b5zU2UgZe+C
         lDWfOD4+YF3k/6DUUvtOe4kylBl0uiUcHeE/1ZDbQgYngDqNdOGUMigdFz8w3sY03S2A
         ws3rByP2wFOqyLQfObyAxP8dxgUklPW8ZwJZrtYxhlWuFQ69iPxPdI2rKYvWJYvUP6rL
         azmAqvNLYBuRen/Jskc+k20CRJ6WcKLfBM6CHhUW7lHLr0LE7ajAsdbdMNl0zzFOQJFN
         kpFw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:dkim-signature;
        bh=2pADGkZkBm7PIGfLu87f59vgYbPEDhzktmr5oOd9DW0=;
        fh=C5HBRUAzPChsi7yp9zOfsK+eNGEGvs0zeI8GZOA04IE=;
        b=T7qBxl0DrD6SitPHTfEgsaslP6+50N3g8/m9OE0m5lUtkGrlNRw9e+dPRjdA3Q9Vvi
         o2xqpe3A9f2n7c5rhyCSJ6K5a7raAVI7/MknR3SBwqq56CfTi6d255Qej0vKd9fSydOx
         OVG/sN3omTkU+UkwN1MnEbC4LFfFjH0s2su+tZMiFppwfZ4NVc9MnSq9+apjhy4wXH5r
         b9j/953n7sBVs1254PUhOKGK2+BSgcwdnNw0eBIYF3fnyK9SuUD5Rt2gC+GsMtg/NCnh
         ZYyQDhP2i1ErKtF9sp0yuoHac8wMLTt9O6rr61Ew3MK9/syBX6JYMDmX2hxx4foa7eRd
         w3Qg==;
        darn=lists.postgresql.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=percona.com; s=google; t=1771311555; x=1771916355; darn=lists.postgresql.org;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:from:to:cc:subject:date:message-id:reply-to;
        bh=2pADGkZkBm7PIGfLu87f59vgYbPEDhzktmr5oOd9DW0=;
        b=B4zMMMlobLqM3cgIKMpD0lrmmWwAGVGL6dTXHqHuLcyazFHcrt2mQuMyXS7LTl6ThJ
         Om6vLv4RmkLFbLNlXfWFtCTwxMehwJd5T1691/sq6M/ZRjnBsbwgOJZlc25Mcf1E+wuM
         b8hDq+U0GCSeqT6PJNBvSOKYOhHnh8v+zGFGc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1771311555; x=1771916355;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=2pADGkZkBm7PIGfLu87f59vgYbPEDhzktmr5oOd9DW0=;
        b=ehn5Ifwrkx0TrH4UF8yn9xO1sMrolb8vNru/3quI/beIIdTFszxzJOLrSN6JQFWsBk
         wXUeAKDx4FwiFphiPFoWZnvuN5EwsdXLBhXOy3cXcsP5Dxbbgccj/CJnCwY+QWbWcDzb
         uOXYGlPzHHsop6qpAhrlkUvYs6MiDwfRt09SgqbQ7jU0g0kVb0ydEHSrZaj0GtpXd0Rp
         yTtlKaTz76MqjgnNpFx9vnlkdtD/DVc5qKd/ZNPFTneGMKhbY/fbi5DChsbR3mkFvjTb
         5tkKkYegol5KS8ByhvPgHUmIiKU993XWn7gRQYawu2AwZmKMfs7Vj1mPLWctA0VYF21Z
         xCfg==
X-Forwarded-Encrypted: i=1; AJvYcCUxQPkqib2TZrjyoN7WuZ18JioQlXBe1H9HvxnteLlK4Mc0Kr4937i8dMCWeqMRKZmeCrN5Lp9KKC+29D+5@lists.postgresql.org
X-Gm-Message-State: AOJu0Yy8oFhV0h+g1L5A4rLznDwPnWuXyv+0VOQ9qyNSqtnZ/lJ/DHQ+
	wcoQbl6L5sg8vqrJAebAEtmyz7+UqzbC78etOE5DOoQqkiuOW9yunGxcu7NrlC0XykW5y86dWVs
	WuboXlVhFGFatwIPNW44FZX4xNr/nelzpdCrLK7rTnzPd8xEYBcC4nc0BwvZ5GH960SLT+Evyqj
	LOkp/gNkcBuGIzZIxidEqmO4g2Wc4fDMxZSt/JR7eeQsU6NGoXsM5FKqiOKacY8S5oVFtEOOGaQ
	T7T+lMtksGPOLx83SrMHFZzTLA1223ydhMO41LYc9wMPXTBJfcylHFJm0+qd62igUdKcO+i63ri
	B/Be
X-Gm-Gg: AZuq6aIaq3LEPY6uh3Lrvohr3kEJuIRuDViwWsxyEaZXMQfoCx98AYXhTVe+YlJV9/9
	eo7I7t4QM/PhUull1PoNkgWofNAMos+V3KzcIXfvMdSvwwekFF6T1gPY0DP9GXPCR/ZDZ146c8R
	jrQRrAS6ItfD8b9v3wEKWoMbMPh+abb6C1JL1SeLBtJ2LeQuT4nZuhIBnnxubUM9IJmvE7Ncs5m
	kpNhN7Xe7aGFFedThQCjF3tsUPNUSWcHa9tVkmpC+vY0u93Md40ufxCKc2cT4iGeDDJ7yjJUKgh
	pl9oQzJQpq3ZPK8ceZBMEm/6JDnuYRQz2unE6l+Phxp7ayrElnFWNMiVdrkVp9DEFNfvVPZdn1Z
	6+ZI=
X-Received: by 2002:a05:690c:450a:b0:794:fcd9:4aa1 with SMTP id
 00721157ae682-797ac6777dbmr78545197b3.69.1771311554524; Mon, 16 Feb 2026
 22:59:14 -0800 (PST)
MIME-Version: 1.0
References: <CAER375PhG5an=p1=6QS6vWi=BHxR+ViJmYPDkkEtpgVsfCcu_w@mail.gmail.com>
 <CAE2r8H5QAng_rRrkVmGbLuQSgbMz94tpOOOdJKeuHj=go0nXqg@mail.gmail.com>
 <CAN4CZFOe-0jTR7_s2uciX9TNKxRvd2h8avAw9iFO6VPu0CChsQ@mail.gmail.com> <CAER375Oh6U_kqP0SK8OP47vy3PBd4p1C027Gaod3B2bqKgMFoQ@mail.gmail.com>
In-Reply-To: <CAER375Oh6U_kqP0SK8OP47vy3PBd4p1C027Gaod3B2bqKgMFoQ@mail.gmail.com>
From: Zsolt Parragi <zsolt.parragi@percona.com>
Date: Tue, 17 Feb 2026 06:59:02 +0000
X-Gm-Features: AaiRm50qZBQus89Jt4AXSKBWbDZOox0vC_rV4WVeaG2vYvmnjaVaaVD1aiOAVi4
Message-ID: <CAN4CZFNV69LS6H87sV-iPO9w_V-_uko4_G_0QKb1cokJvWhF6g@mail.gmail.com>
Subject: Re: [OAuth2] Infrastructure for tracking token expiry time
To: Ajit Awekar <ajitpostgres@gmail.com>
Cc: VASUKI M <vasukianand0119@gmail.com>, 
	PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Content-Type: text/plain; charset="UTF-8"
X-CLOUD-SEC-AV-Sent: true
X-CLOUD-SEC-AV-Info: percona,google_mail,monitor
X-Gm-Spam: 0
X-Gm-Phishy: 0
List-Id: <pgsql-hackers.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-hackers@lists.postgresql.org>
List-Owner: <mailto:pgsql-hackers-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-hackers>
Archived-At: <https://www.postgresql.org/message-id/CAN4CZFNV69LS6H87sV-iPO9w_V-_uko4_G_0QKb1cokJvWhF6g%40mail.gmail.com>
Precedence: bulk

> For providers using opaque tokens or introspection APIs where an 'exp' claim might be missing, the API remains compatible by allowing the validator to return DT_NOBEGIN.

I don't think this is a good answer: the OAuth validator API went to
the trouble of introducing a generic infrastructure with the explicit
goal to work any OAuth provider, and now this proposes a change that
limits a new API to some of them, while it wouldn't be more difficult
to propose a generic API that works for everything.

Let me rephrase the question: why is this a better approach than
introducing an additional validator callback method, expired_cb?

* it returns if the current OAuth token is expired or not
* if it's NULL, nothing happens, so there's an easy upgrade path for
validator in PG19
* for JWT validators with a clear expiry date, all they have to do is
to store the expiry date in a global variable and then check if we
passed that time in the new callback
* alternatively, this callback could return the current expected
expiry date, and the calling code could check it, but I think that's
overcomplicating

And in both cases, I think handling of the value/callback should be
part of the patch - only providing an API and then doing nothing with
it would set wrong expectations.