Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vsesv-00CLLZ-0n for pgsql-hackers@arkaria.postgresql.org; Wed, 18 Feb 2026 10:34:22 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1vsest-00FRCH-2u for pgsql-hackers@arkaria.postgresql.org; Wed, 18 Feb 2026 10:34:20 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vsest-00FRC6-1O for pgsql-hackers@lists.postgresql.org; Wed, 18 Feb 2026 10:34:19 +0000 Received: from smtp.outgoing.loopia.se ([93.188.3.37]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.98.2) (envelope-from ) id 1vsesp-00000001Cac-2QpP for pgsql-hackers@lists.postgresql.org; Wed, 18 Feb 2026 10:34:18 +0000 Received: from s807.loopia.se (localhost [127.0.0.1]) by s807.loopia.se (Postfix) with ESMTP id AD36E550B7D for ; Wed, 18 Feb 2026 11:34:12 +0100 (CET) Received: from s981.loopia.se (unknown [172.22.191.5]) by s807.loopia.se (Postfix) with ESMTP id 99B0C55249A; Wed, 18 Feb 2026 11:34:12 +0100 (CET) Received: from localhost (unknown [172.22.191.5]) by s981.loopia.se (Postfix) with ESMTP id 96FBC22B176B; Wed, 18 Feb 2026 11:34:12 +0100 (CET) X-Virus-Scanned: amavis at amavis.loopia.se X-Spam-Flag: NO X-Spam-Score: -1.2 X-Spam-Level: X-Spam-Status: No, score=-1.2 tagged_above=-999 required=6.2 tests=[ALL_TRUSTED=-1, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1] autolearn=disabled Authentication-Results: s471.loopia.se (amavis); dkim=pass (2048-bit key) header.d=yesql.se Received: from s980.loopia.se ([172.22.191.6]) by localhost (s471.loopia.se [172.22.190.35]) (amavis, port 10024) with UTF8LMTP id kMLhK9393vmk; Wed, 18 Feb 2026 11:34:12 +0100 (CET) X-Loopia-Auth: user X-Loopia-User: daniel@yesql.se X-Loopia-Originating-IP: 89.255.232.236 Received: from smtpclient.apple (customer-89-255-232-236.stosn.net [89.255.232.236]) (Authenticated sender: daniel@yesql.se) by s980.loopia.se (Postfix) with ESMTPSA id 0585C22016D3; Wed, 18 Feb 2026 11:34:11 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yesql.se; s=loopiadkim1707475645; t=1771410852; bh=+EIl+v1CpppfhaVXAnQcY0xQDe3/c0ab0aDYTLX9zD8=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=rEbS7ajBoKStanze47ucqovwzHgmFrNQZHq/HH9QQGaWFr0vY4qrlaxGofuPbu2oE bGHOUADhBpO34+7bcTlCeRJmDBcqzg3j6XcLsyfhR0Nk/RHEn7N1zfgA6oKfKu2yuP KuyeZ4XE6RNFVXrYrqg4eozVxB0OaZYWD9+TR9hNrWeQEVqMjZbfMvZ2gLUDe90ntz XXmebFjVd8nkeyijuMRE5XVv9HCNVKu8GRC6hmULbC79zvRKmm1zJE9I4uzZmyt6AO gU8t4fGWIRUeJNzibsWJ1Xl8akJZCQr0FjuYDTIUn6ALEPhgcnyrDeiAE6sugzepGx 0hgwGYuTTtW3g== Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3776.700.51.11.2\)) Subject: Re: [OAuth2] Infrastructure for tracking token expiry time From: Daniel Gustafsson In-Reply-To: Date: Wed, 18 Feb 2026 11:34:01 +0100 Cc: VASUKI M , Zsolt Parragi , PostgreSQL Hackers Content-Transfer-Encoding: quoted-printable Message-Id: References: To: Ajit Awekar X-Mailer: Apple Mail (2.3776.700.51.11.2) List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk > On 18 Feb 2026, at 09:38, Ajit Awekar wrote: > I have added a unit test case to validate that sessions are properly = terminated when their OAuth tokens expire. + /* + * If the current session was authenticated via OAuth, verify = that the + * token has not expired or been revoked before executing the = query. + */ + if (MyClientConnectionInfo.auth_method =3D=3D uaOAuth) + check_oauth_expiry(MyProcPort); This seems too expensive and invasive in these codepaths and also not in = line with how other authentication methods are handled, we for example don't = check if a client certificate has been revoked in a similar manner. I don't = think it would be bad if we could detect expired credentials mid-flight but I = think it would need to be done smarter than sprinkling auth specific checks like = this. + ereport(FATAL, + = (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), + errmsg("session expired: OAuth token is = no longer valid"))); Token expiration is IMHO not a usecase for a FATAL error, if we want to terminate a connection we can do it in a more graceful way. + /* + * Optional callback to check if the session is still valid. + * Returns true if the token is expired/revoked, false = otherwise. + * If NULL, the backend assumes the session never expires. + * If provided, the validator can use this to limit session = duration based on + * parameter value or based on it's custom logic. + */ + bool (*expired_cb) (TimestampTz expiry); + + /* + * The expiration time of the token (e.g., from the 'exp' claim) = if + * provided. This value is passed as an argument to the = expired_cb function + * above to determine if the session should terminate. + */ + TimestampTz expiry; } ValidatorModuleResult; What's the point of having an expiry timestamp as well as an expiration = check callback? Wouldn't that open up for the caller to make its own judgment = on expiration which might conflict with expired_cb? Is token expiration = really always tied to a timestamp for all types of tokens? Also, why is this defined in ValidatorModuleResult? If I interpret = Zsolt's comment upthread correctly it was meant to be placed in = OAuthValidatorCallbacks as a new callback - which I agree with would be better. The question of = where and when to invoke it remains, but whatever we build I think it should = be auth agnostic so that any auth can be hooked into it. -- Daniel Gustafsson