| From: | Ajit Awekar <ajitpostgres(at)gmail(dot)com> |
|---|---|
| To: | PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | [OAuth2] Infrastructure for tracking token expiry time |
| Date: | 2026-02-16 09:10:36 |
| Message-ID: | CAER375PhG5an=p1=6QS6vWi=BHxR+ViJmYPDkkEtpgVsfCcu_w@mail.gmail.com |
| Lists: | pgsql-hackers |

Hi Hackers,

Currently, during OAuth2 authentication, the ValidatorModuleResult
structure allows a validator (extension) to return the authentication status
and the authn_id.
However, we ignore the token expiry time (exp claim).

Once a token is validated, the backend has no record of when that token
actually expires. A session can remain open indefinitely even if the
underlying access token has expired shortly after the connection was
established.

This patch adds the infrastructure to capture and store this expiration
timestamp within the backend session state. It does not implement an
enforcement policy (such as auto-termination).

Request a review.

Thanks & Best Regards,
Ajit

| Attachment | Content-Type | Size |
|---|---|---|
| password_expiry_oauth.diff | application/octet-stream | 1.5 KB |
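
The gap described in the message, as an added stand-alone C model that is not the attached patch or PostgreSQL code: a validator result carrying an expiry is copied into session state, and a reporting-only check shows a session outliving its token. All `Demo*` types, the `expires_at` field name and the sample timestamps are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEMO_NO_EXPIRY 0            /* validator reported no exp claim */

/* Hypothetical stand-in for ValidatorModuleResult with an assumed expiry field. */
typedef struct {
    bool        authorized;
    const char *authn_id;
    int64_t     expires_at;         /* assumed name: exp claim, seconds since epoch */
} DemoValidatorResult;

/* Hypothetical per-session record held by the backend. */
typedef struct { char authn_id[64]; int64_t token_expires_at; } DemoSession;

typedef enum { DEMO_TOKEN_UNKNOWN, DEMO_TOKEN_VALID, DEMO_TOKEN_EXPIRED } DemoTokenState;

/* Copy identity and expiry into session state; store nothing if not authorized. */
static bool demo_capture(DemoSession *s, const DemoValidatorResult *r)
{
    memset(s, 0, sizeof(*s));
    if (!r->authorized || r->authn_id == NULL)
        return false;
    snprintf(s->authn_id, sizeof(s->authn_id), "%s", r->authn_id);
    s->token_expires_at = r->expires_at;
    return true;
}

/* Classify the token at time 'now'; reporting only, no enforcement. */
static DemoTokenState demo_token_state(const DemoSession *s, int64_t now)
{
    if (s->token_expires_at == DEMO_NO_EXPIRY)
        return DEMO_TOKEN_UNKNOWN;  /* without a stored exp nothing can be said */
    return now >= s->token_expires_at ? DEMO_TOKEN_EXPIRED : DEMO_TOKEN_VALID;
}

int main(void)
{
    /* Constructed sample: connect at t=1000 with a token that expires at t=1300. */
    DemoValidatorResult res = { true, "alice@example.org", 1300 };
    DemoSession sess;
    if (!demo_capture(&sess, &res)) return 1;
    printf("t=1060: state=%d\n", demo_token_state(&sess, 1060));
    printf("t=4600: state=%d (session still open)\n", demo_token_state(&sess, 4600));
    return 0;
}
```
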