Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vsgI8-00DpE2-0t for pgsql-hackers@arkaria.postgresql.org; Wed, 18 Feb 2026 12:04:28 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1vsgI7-00Fn7B-1u for pgsql-hackers@arkaria.postgresql.org; Wed, 18 Feb 2026 12:04:27 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vsgI7-00Fn6v-0r for pgsql-hackers@lists.postgresql.org; Wed, 18 Feb 2026 12:04:27 +0000 Received: from mail-yw1-x1130.google.com ([2607:f8b0:4864:20::1130]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.98.2) (envelope-from ) id 1vsgI4-00000001DBM-1cKz for pgsql-hackers@lists.postgresql.org; Wed, 18 Feb 2026 12:04:26 +0000 Received: by mail-yw1-x1130.google.com with SMTP id 00721157ae682-7927261a3acso45050437b3.0 for ; Wed, 18 Feb 2026 04:04:25 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1771416264; cv=none; d=google.com; s=arc-20240605; b=OVP/U3UKRhcRyvvp3OfX3GgCNxnLUA3QL2ktq+pXBrirD18JyL+YyB+rzmXeMWoGxw gPb18XsHfM31ctv0Eblab9fcXjFoUUhtEvlMp5WyG8nMZEcE++ZmkKNmgAEZVOEWzhEy SVrgbkxfFkX2O0wgt77JQWevQouGedzup+cM/vPBrqELcn87jGDfpvmValLVjHyoNRLM KmNTxu+Xu0KNnePip51J6xDHc4C1yYbdcUSUQK6WEdSYcl422meAuV9sv5kI9fzPOUJy qMhxZn0wbOo4Dd3dsef2V4kgKxVzPaMjVjpI4W9n6H/OwpMGZIlhl+1lMAU5besHM1ww GSLg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=MoMQSzPpWURXV9+SQSJJgPllmBbf4onYse7tYtF7PHU=; fh=d8BRx/Mbk2J6nLFrIU47DmiTI4pRSxeyWB1JMx2HVaE=; b=SlLEGus2we8OV+MNhc4/WKIZr9bVXC5AcW5RyqK/fDGOOwrjHATeXj69gWCx4gFVaQ z8Vi91X5uUjcZzDDM91X/qPSsQo8Evx70c7IfSjAnLT6lWJMXPoe/FXKTjEZOuVopjmM XSXQAXmMAoX6Vi/3i0R7GOIZxazZthykFKQQmZbjgtSxJBhE/45P0gROAi7D4dpDpvWM gyaBaFVdxFrJuEgXNcos7TV2lUY4FeRgEADBday2c+f5wRFJI9bEpSknfjoiVAPfeLvS 9UjH+Z4Wl0vPHJR+sVN0stnZpMr3pGKR6pKb3LJ6hcOWR3McnNrIvEo+Mv8XFSJwmPgh gpJQ==; darn=lists.postgresql.org ARC-Authentication-Results: i=1; mx.google.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=percona.com; s=google; t=1771416264; x=1772021064; darn=lists.postgresql.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=MoMQSzPpWURXV9+SQSJJgPllmBbf4onYse7tYtF7PHU=; b=CB1WiwJQArGow1NKkcf9OsATpKCRq5gbSdbqOgi+pYv1UOmJjXkVGbG4OuVZY12Ori R6QlAL3F12vgreRh/p7E8SuocKElzltiO57NfYwXbG1fYY1lytHn9PME2lXPGCcrbbDi 4RDo1WSAJzy3/3uNAh58p7X9Y28lhANmDmFZo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1771416264; x=1772021064; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=MoMQSzPpWURXV9+SQSJJgPllmBbf4onYse7tYtF7PHU=; b=EGHyStk6n/Eza7ya3rJ4p6WRpODf5rvig116D58AcjRtu5iS9jseu+QgD6RYy4pw7S u0jSYKSOtng2rimIRs/Z4bNaDB+h1m4zCJWEs3Owys/z0osaTeiUZ1/OtqYFGHFW6cuF Z5naG407gBabT5deIbexORsysy1eyApbJFX0NFMFt0r3Y1SRqCd/5P8KXnQG09FfwZ48 K907vQaPhcOzkfe+mpjpefIoMxkB3iZiinD8yau20WmcWGFLPcH4W7kHmcOumHmiV543 XHdeZU6JztZcrvJaAi3FVGX1GVnuGvU59OxnK2vDL5tvd2+/cDZCkqALmDZGkMdyaHTS iEKQ== X-Forwarded-Encrypted: i=1; AJvYcCU0Wui9uZpNOKnea5Tp3kP05S3LW8xdcq4YHolZVcvwGgJ6uB6TklXbuUmFpS65vXn7xT50KiuvgRHesdzY@lists.postgresql.org X-Gm-Message-State: AOJu0YzQ2yZ1vtVwIQsUpGrdLd6lPyOIQZiDwN4RWOqT1BiMAcbV0EoU kCqIGWc7uE5B0p/VIqPrniE8pEP7TsFxZn3WJr7KWfrk1t/zG8VAVExW1yx6nDqfTduvbigWrRb 7g2PKbYt8N8n1MGJMAxHla8CPwPc3g2RawjNg++E76Ocp4olGfygVAe9JTeEYeaoUCRgTtczCif YVhw3hgA++lP6IeynYUSybnL+vA3C6FBOzJDHDEA0prgxNP3PeyVgCLj+PrYsSnUDZAyU/q6BBC Y4DHgJhzUfW8LllbuWKQGLMv0kkJNfxgjU9C4DZ9z8RlblE6SdxAPoGU7kqV9NySpY= X-Gm-Gg: AZuq6aIajtDkar7O9DdsHwwOTDzd8JfrgoG0eV8gmIaXRrhx1St0rMp8sjyqeMs9AQx vLitJpBpTKVicDD7PU0DS1mhxuUnxgZdeIoVlZlXXplUoiBzh0EZbtRreIMa17K2fTBr9gnOwjY GIdFw/qN/Hh6CiO9KCUYbVl3gmPgZx5cdT2CSe0LW8QYqWYggObi75890GwueX5PUo8dJ2IKSEX D6V7vn9p9vxkIGvRXR92YUWKK1gQhCdhcWjdaPoCdibsJ7SEoghHmvwC910qMTBj6CyQQpOkgiX jBuwI0Y9Mz3u27MxCVH7cV0OmcNBzYhP5cjpuaVu691NV+/jtJ/+LFqjgaWJx3W+2SL0 X-Received: by 2002:a05:690c:62c4:b0:794:d6cd:918d with SMTP id 00721157ae682-797ac679f81mr106822547b3.69.1771416264289; Wed, 18 Feb 2026 04:04:24 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: Zsolt Parragi Date: Wed, 18 Feb 2026 12:04:13 +0000 X-Gm-Features: AaiRm53ha2YxdXKdwPu2rC-LMv4nSWTDJIWh73ciSeHAki2sCukfs4xfJkp2UNs Message-ID: Subject: Re: [OAuth2] Infrastructure for tracking token expiry time To: Daniel Gustafsson Cc: Ajit Awekar , VASUKI M , PostgreSQL Hackers Content-Type: text/plain; charset="UTF-8" X-CLOUD-SEC-AV-Sent: true X-CLOUD-SEC-AV-Info: percona,google_mail,monitor X-Gm-Spam: 0 X-Gm-Phishy: 0 List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk > Also, why is this defined in ValidatorModuleResult? If I interpret Zsolt's > comment upthread correctly it was meant to be placed in OAuthValidatorCallbacks > as a new callback - which I agree with would be better. The question of where > and when to invoke it remains, but whatever we build I think it should be auth > agnostic so that any auth can be hooked into it. +1 Yes, that's what I meant. Also agree with the unnecessary expiry timestamp with the callback - if we want to store some additional data for the checks, that should be a void*, but with the single threaded model there's no real need for it, the validator can store anything it needs in global variables. > 2. Terminating sessions with expired/revoked tokens before executing new > commands. > Token expiration is IMHO not a use case for a FATAL error, if we want to > terminate a connection we can do it in a more graceful way. There are different reasons for token expiration, one is a simple timeout where all we have to do is communicate to the client that we need a refresh (gracefully), and the other is where a token is immediately revoked because of a security incident, in which case immediate termination is a good practice. There was an earlier discussion about it in the password expiration thread[1], and the possible use of the GoAway[2] for it. Jacob suggested making it user configurable, which seems like a reasonable way to do it. I also wanted to work on this patch, but I didn't start working on it so far, because I wanted to see where those threads go, as the changes introduced in them could be useful for the oauth token refresh/disconnection mechanism. [1] : https://www.postgresql.org/message-id/flat/CAER375OvH3_ONmc-SgUFpA6gv_d6eNj2KdZktzo-f_uqNwwWNw%40mail.gmail.com [2] : https://www.postgresql.org/message-id/flat/DDPQ1RV5FE9U.I2WW34NGRD8Z%40jeltef.nl