Thread
-
Periodic authorization expiration checks using GoAway message
Ajit Awekar <ajitpostgres@gmail.com> — 2025-11-28T11:39:04Z
This patch introduces a mechanism to address the security issue of stale, authorized connections persisting beyond their validity period. . Currently, once a session is established, postgres does not automatically re-validate credentials. If a password expires (rolvaliduntil) the session remains active indefinitely. Same applies to centralized authentication systems (like Kerberos or OAuth). This patch depends on the "GoAway" protocol message proposal currently under review here: https://www.postgresql.org/message-id/DDPQ1RV5FE9U.I2WW34NGRD8Z%40jeltef.nl Please apply this patch on top of the GoAway patch. The Solution: To handle this authorization gap gracefully, this patch leverages the pending GoAway protocol message to notify clients. Please find below summary of the solution New GUC: auth_expiration_check_interval (integer, minutes). Controls the frequency of checking a session's authorization status. Setting it to 0 (default) disables the check. Periodic Idle Check: When a backend process is idle (waiting for the next command) and the timeout is reached, the server calls a placeholder function check_external_auth_status_expired(). Graceful Disconnect: If authorization is revoked/expired, the server sends the GoAway message. This allows the client to finish any current processing and reconnect cleanly. Thanks & Best Regards, Ajit Awekar
-
Re: Periodic authorization expiration checks using GoAway message
Jelte Fennema-Nio <postgres@jeltef.nl> — 2025-11-28T17:18:57Z
On Fri, Nov 28, 2025, 04:39 Ajit Awekar <ajitpostgres@gmail.com> wrote: > This patch depends on the "GoAway" protocol message proposal currently > under review here: > https://www.postgresql.org/message-id/DDPQ1RV5FE9U.I2WW34NGRD8Z%40jeltef.nl > Please apply this patch on top of the GoAway patch. > A review of the GoAway patch from you would definitely be appreciated (even if there's no actionable feedback like: "this looks good and I managed use it for my own patch successfully") The Solution: To handle this authorization gap gracefully, this patch > leverages the pending GoAway protocol message to notify clients. > I didn't look at the patch (I'm on my phone). But my first thought is that only relying on the proposed version of GoAway is insufficient for anything related to security. The GoAway message is both best effort, and only supported with newer protocol versions. So while I think it's a good usecase for GoAway, I think there *also* needs to be a hard timeout at which point the connection gets forcefully terminated if it's using old credentials. Regarding the configurable interval that you describe for checking auth changes, I think it might be better to register a SysCache update receiver instead (or just poll the SysCache value Finally, can you register this patch on the commitfest? https://commitfest.postgresql.org/ >
-
Re: Periodic authorization expiration checks using GoAway message
Hannu Krosing <hannuk@google.com> — 2025-11-28T17:52:20Z
Also have not looked at the patch, but we should also make sure that there is not just be GoAway, but also a way to re-authenticate or "extend lease" or whatever the terminology is for a specific authentication method. So maybe the message should be ReAuthentiocateOrElse" ? On Fri, Nov 28, 2025 at 6:19 PM Jelte Fennema-Nio <postgres@jeltef.nl> wrote: > > On Fri, Nov 28, 2025, 04:39 Ajit Awekar <ajitpostgres@gmail.com> wrote: >> >> This patch depends on the "GoAway" protocol message proposal currently under review here: https://www.postgresql.org/message-id/DDPQ1RV5FE9U.I2WW34NGRD8Z%40jeltef.nl Please apply this patch on top of the GoAway patch. > > > A review of the GoAway patch from you would definitely be appreciated (even if there's no actionable feedback like: "this looks good and I managed use it for my own patch successfully") > >> The Solution: To handle this authorization gap gracefully, this patch leverages the pending GoAway protocol message to notify clients. > > > I didn't look at the patch (I'm on my phone). But my first thought is that only relying on the proposed version of GoAway is insufficient for anything related to security. The GoAway message is both best effort, and only supported with newer protocol versions. So while I think it's a good usecase for GoAway, I think there *also* needs to be a hard timeout at which point the connection gets forcefully terminated if it's using old credentials. > > Regarding the configurable interval that you describe for checking auth changes, I think it might be better to register a SysCache update receiver instead (or just poll the SysCache value > > Finally, can you register this patch on the commitfest? https://commitfest.postgresql.org/
-
Re: Periodic authorization expiration checks using GoAway message
Ajit Awekar <ajitpostgres@gmail.com> — 2025-12-09T13:10:22Z
Hello all, Following the discussion regarding how to enforce rolvaliduntil for users within an active session, I have implemented a solution that uses the pg_authid SysCache listener mechanism as suggested. Please find the attached patch for review. Below is use case details for same User3 started session edb@localhost:~$ psql -U user3 -d postgres psql (19devel) Type "help" for help. postgres=> \d Did not find any relations. postgres=> \d *<= prior to this command, password was expired in another session by super user as shown below and it reflected immediately in active session (prior active session was not impacted)* FATAL: Connection expired due to internal password policy enforcement DETAIL: User's password expired at 2025-11-02 16:59:37.462644+05:30. HINT: Reconnect with a renewed password or obtain new authorization. Before executing second \d command below super user session expired the password of user3 as below edb@localhost:~/Downloads/pg/postgres$ psql -d postgres psql (19devel) Type "help" for help. postgres=# ALTER USER user3 VALID UNTIL '2025-11-02 16:59:37.462644+05:30'; ALTER ROLE Thanks, Ajit Awekar On Fri, 28 Nov 2025 at 23:22, Hannu Krosing <hannuk@google.com> wrote: > Also have not looked at the patch, but we should also make sure that > there is not just be GoAway, but also a way to re-authenticate or > "extend lease" or whatever the terminology is for a specific > authentication method. > > So maybe the message should be ReAuthentiocateOrElse" ? > > On Fri, Nov 28, 2025 at 6:19 PM Jelte Fennema-Nio <postgres@jeltef.nl> > wrote: > > > > On Fri, Nov 28, 2025, 04:39 Ajit Awekar <ajitpostgres@gmail.com> wrote: > >> > >> This patch depends on the "GoAway" protocol message proposal currently > under review here: > https://www.postgresql.org/message-id/DDPQ1RV5FE9U.I2WW34NGRD8Z%40jeltef.nl > Please apply this patch on top of the GoAway patch. > > > > > > A review of the GoAway patch from you would definitely be appreciated > (even if there's no actionable feedback like: "this looks good and I > managed use it for my own patch successfully") > > > >> The Solution: To handle this authorization gap gracefully, this patch > leverages the pending GoAway protocol message to notify clients. > > > > > > I didn't look at the patch (I'm on my phone). But my first thought is > that only relying on the proposed version of GoAway is insufficient for > anything related to security. The GoAway message is both best effort, and > only supported with newer protocol versions. So while I think it's a good > usecase for GoAway, I think there *also* needs to be a hard timeout at > which point the connection gets forcefully terminated if it's using old > credentials. > > > > Regarding the configurable interval that you describe for checking auth > changes, I think it might be better to register a SysCache update receiver > instead (or just poll the SysCache value > > > > Finally, can you register this patch on the commitfest? > https://commitfest.postgresql.org/ >
-
Re: Periodic authorization expiration checks using GoAway message
Jacob Champion <jacob.champion@enterprisedb.com> — 2025-12-10T20:02:23Z
(To call it out explicitly: I work with Ajit, and I asked him to take a look at GoAway, and I'm particularly interested in the "reauthenticate or else" case. Let me know if any of that is problematic -- or if anyone's worried that it will become so -- so I can course-correct sooner rather than later.) On Fri, Nov 28, 2025 at 9:52 AM Hannu Krosing <hannuk@google.com> wrote: > Also have not looked at the patch, but we should also make sure that > there is not just be GoAway, but also a way to re-authenticate or > "extend lease" or whatever the terminology is for a specific > authentication method. I agree. I like the idea of the server coordinating (and then enforcing) connection lifetime and cross-connection handoffs with the client, but like Jelte said, the current GoAway proposal isn't really built for that. Is there enough interest in the more general problem for us to try combining the use cases? Or should they remain separate? Thanks, --Jacob
-
Re: Periodic authorization expiration checks using GoAway message
Jelte Fennema-Nio <postgres@jeltef.nl> — 2025-12-10T21:20:46Z
On Wed, 10 Dec 2025 at 21:02, Jacob Champion <jacob.champion@enterprisedb.com> wrote: > > (To call it out explicitly: I work with Ajit, and I asked him to take > a look at GoAway, and I'm particularly interested in the > "reauthenticate or else" case. Let me know if any of that is > problematic -- or if anyone's worried that it will become so -- so I > can course-correct sooner rather than later.) I think password rollover without downtime requires more thought than discussed in this thread so far. Currently the simplest way (that I know of) to rollover passwords without downtime is to have two users that you can switch between, and one has been configured with: ALTER USER b SET ROLE = a; So both effectively log in as a. Reading between the lines, I guess you're looking at this from the OAuth lens. Not "normal" passwords. > On Fri, Nov 28, 2025 at 9:52 AM Hannu Krosing <hannuk@google.com> wrote: > > Also have not looked at the patch, but we should also make sure that > > there is not just be GoAway, but also a way to re-authenticate or > > "extend lease" or whatever the terminology is for a specific > > authentication method. > > I agree. I like the idea of the server coordinating (and then > enforcing) connection lifetime and cross-connection handoffs with the > client, but like Jelte said, the current GoAway proposal isn't really > built for that. If you want to re-authenticate over the existing connection (and keeping your session etc), then I think that's a very different thing than what I intended the GoAway message to be used for. > Is there enough interest in the more general problem for us to try > combining the use cases? Or should they remain separate? I'm not sure what you mean with "combine the use cases". If you think the GoAway protocol message definition could be extended slightly to better serve this use case somehow. For instance if you think we should have the GoAway message include an (optional) number of seconds, so a client could say to the user: "Disconnect within 6 minutes". (just an example, not necessarily something I think is a good idea) If you mean combining by introducing a single shared protocol message for both the "re-authenticate on existing session" and "please reconnect asap", then I'd say: No, let's keep them separate. I think for "re-authenticate now on existing connection" it'd be much more natural for the server to simply send a new authentication request message, and expect the client to respond to that. The auth flow based on these messages is already implemented by each client, they'd only need to change it so that it could be called into at any moment (or maybe certain defined moments like in between queries).
-
Re: Periodic authorization expiration checks using GoAway message
Ajit Awekar <ajitpostgres@gmail.com> — 2025-12-11T10:52:33Z
Thanks a lot Jacob and Jelte for your valuable insights. I agree that the seamless re-authentication model (re-authentication over the active connection) is suited only for external centralized authentication methods like OAuth2 and LDAP. I have below questions - Does the client need to pause current operations, execute a simplified re-authentication sequence (triggered by the server's Authentication Request), and then transparently resume the session upon success? - How frequently should the authorization expiration check occur in the backend, Would the frequency be tied to a new session GUC (e.g., authorization_check_interval), allowing administrators to configure it? - What should the behavior be for older version clients (backward compatibility) that do not understand this new server-initiated reauthentication message? In this case is the safest approach for the server to terminate the connection? Thanks & Best Regards, Ajit On Thu, 11 Dec 2025 at 02:50, Jelte Fennema-Nio <postgres@jeltef.nl> wrote: > On Wed, 10 Dec 2025 at 21:02, Jacob Champion > <jacob.champion@enterprisedb.com> wrote: > > > > (To call it out explicitly: I work with Ajit, and I asked him to take > > a look at GoAway, and I'm particularly interested in the > > "reauthenticate or else" case. Let me know if any of that is > > problematic -- or if anyone's worried that it will become so -- so I > > can course-correct sooner rather than later.) > > I think password rollover without downtime requires more thought than > discussed in this thread so far. Currently the simplest way (that I > know of) to rollover passwords without downtime is to have two users > that you can switch between, and one has been configured with: > ALTER USER b SET ROLE = a; > > So both effectively log in as a. > > Reading between the lines, I guess you're looking at this from the > OAuth lens. Not "normal" passwords. > > > On Fri, Nov 28, 2025 at 9:52 AM Hannu Krosing <hannuk@google.com> wrote: > > > Also have not looked at the patch, but we should also make sure that > > > there is not just be GoAway, but also a way to re-authenticate or > > > "extend lease" or whatever the terminology is for a specific > > > authentication method. > > > > I agree. I like the idea of the server coordinating (and then > > enforcing) connection lifetime and cross-connection handoffs with the > > client, but like Jelte said, the current GoAway proposal isn't really > > built for that. > > If you want to re-authenticate over the existing connection (and > keeping your session etc), then I think that's a very different thing > than what I intended the GoAway message to be used for. > > > Is there enough interest in the more general problem for us to try > > combining the use cases? Or should they remain separate? > > I'm not sure what you mean with "combine the use cases". If you think > the GoAway protocol message definition could be extended slightly to > better serve this use case somehow. For instance if you think we > should have the GoAway message include an (optional) number of > seconds, so a client could say to the user: "Disconnect within 6 > minutes". (just an example, not necessarily something I think is a > good idea) > > If you mean combining by introducing a single shared protocol message > for both the "re-authenticate on existing session" and "please > reconnect asap", then I'd say: No, let's keep them separate. > > I think for "re-authenticate now on existing connection" it'd be much > more natural for the server to simply send a new authentication > request message, and expect the client to respond to that. The auth > flow based on these messages is already implemented by each client, > they'd only need to change it so that it could be called into at any > moment (or maybe certain defined moments like in between queries). >
-
Re: Periodic authorization expiration checks using GoAway message
Jacob Champion <jacob.champion@enterprisedb.com> — 2025-12-12T00:09:51Z
On Wed, Dec 10, 2025 at 1:21 PM Jelte Fennema-Nio <postgres@jeltef.nl> wrote: > I think password rollover without downtime requires more thought than > discussed in this thread so far. Sure. See also https://postgr.es/m/CAGB%2BVh5SQQorNDEKP%2B0G%3DsmxHRhbhs%2BVkmQWD5Vh98fmn8X4dg%40mail.gmail.com > Reading between the lines, I guess you're looking at this from the > OAuth lens. Yes. Or Kerberos. > Not "normal" passwords. I could see a case for kicking connections after a SCRAM password change, if they're not able to reauthenticate in X interval. But I wouldn't make it my top priority, necessarily. > > Is there enough interest in the more general problem for us to try > > combining the use cases? Or should they remain separate? > > I'm not sure what you mean with "combine the use cases". If you think > the GoAway protocol message definition could be extended slightly to > better serve this use case somehow. Just that the two cases of "please consider reconnecting due to a topology change" and "you didn't reauthenticate in time, so now you _have_ to reconnect, bye" seem like they might be related at the protocol level, since some types of topology changes might warrant a harsher approach, and some types of authentication might do well with a gentler one. > If you mean combining by introducing a single shared protocol message > for both the "re-authenticate on existing session" and "please > reconnect asap", then I'd say: No, let's keep them separate. Agreed; I did not mean that. > I think for "re-authenticate now on existing connection" it'd be much > more natural for the server to simply send a new authentication > request message, and expect the client to respond to that. The auth > flow based on these messages is already implemented by each client, > they'd only need to change it so that it could be called into at any > moment (or maybe certain defined moments like in between queries). I think that's probably the hard part. "in between" is not particularly well-defined, especially once you add in some async pipelining, right? Contrast with HTTP/3's GOAWAY, especially its graceful shutdown flow. --Jacob -
Re: Periodic authorization expiration checks using GoAway message
Jacob Champion <jacob.champion@enterprisedb.com> — 2025-12-12T00:13:47Z
On Thu, Dec 11, 2025 at 2:52 AM Ajit Awekar <ajitpostgres@gmail.com> wrote: > I agree that the seamless re-authentication model (re-authentication over the active connection) is suited only for external centralized authentication methods like OAuth2 and LDAP. Well, see my response to Jelte above. But I think it's certainly easier to pitch the usefulness of the feature for external methods. > Does the client need to pause current operations, execute a simplified re-authentication sequence (triggered by the server's Authentication Request), and then transparently resume the session upon success? I think it would have to. But we don't number our conversations like the other protocols with GOAWAY do, so it's not immediately clear to me how we would do it. The reauthentication sequence isn't guaranteed to be silent, either. Imagine that you were typing a SQL command and psql popped up a password prompt right in the middle; that's not a good user experience. > How frequently should the authorization expiration check occur in the backend, Would the frequency be tied to a new session GUC (e.g., authorization_check_interval), allowing administrators to configure it? I don't think there's one answer, so it'd probably have to be configurable. Offline tokens and Kerberos tickets might have a known timestamp for expiration, so you could just do a cheap timestamp comparison for every single request. Online checks (to allow revocation) would need more thought by the DBA; there's a performance-staleness tradeoff there. > What should the behavior be for older version clients (backward compatibility) that do not understand this new server-initiated reauthentication message? In this case is the safest approach for the server to terminate the connection? "Safe" is decided by the DBA, I think. Turning this on might imply that you care more about security than the cost of cleaning up after a client that got kicked off halfway through an important transaction... or it might not. --Jacob
-
Re: Periodic authorization expiration checks using GoAway message
Jelte Fennema-Nio <postgres@jeltef.nl> — 2025-12-12T00:36:08Z
On Fri, 12 Dec 2025 at 01:10, Jacob Champion <jacob.champion@enterprisedb.com> wrote: > https://postgr.es/m/CAGB%2BVh5SQQorNDEKP%2B0G%3DsmxHRhbhs%2BVkmQWD5Vh98fmn8X4dg%40mail.gmail.com Thanks, I hadn't seen that one before. > "you didn't reauthenticate in time, so now you > _have_ to reconnect, bye" I might be missing something but I feel like we currently do this in various other places using: FATAL: <message explaining reason> <connection close> > I think that's probably the hard part. "in between" is not > particularly well-defined, especially once you add in some async > pipelining, right? Yeah, pipelining is annoying for these kind of things. But looking it's not so bad. What if you define the flow as: 1. server sends 'R' message when it realizes it wants a re-authentication (allowed whenever, just like NoticeResponse) 2. client can continue to send whatever and server will respond accordingly 3a. client starts authentication flow by sending a 'p' message 3b. client did not complete auth flow within timeout of the server, so server sends FATAL + closes connection.
-
Re: Periodic authorization expiration checks using GoAway message
Zsolt Parragi <zsolt.parragi@percona.com> — 2025-12-12T11:49:23Z
Would client side revalidation allow re-authentication while a long-running query is in progress? Or would it kick out a connection because it can't reauthenticate after some grace period? A strict OIDC setup might use 5 or 10 minute access tokens, where this is a realistic issue. > Online checks (to allow revocation) would need more thought by the DBA; there's a performance-staleness tradeoff there. Are revocation checks really related to GoAway? Even with offline OIDC tokens, we can implement periodic server side checks to see if a long lived token is still alive using an introspection endpoint. I think this should be already possible with current validators, by closing the connection if we find out that a token was revoked - trying to implement this is on my TODO list. Should we really handle this through GoAway, and allow a graceful period? If a token was revoked, there's usually a good reason for that.
-
Re: Periodic authorization expiration checks using GoAway message
Jacob Champion <jacob.champion@enterprisedb.com> — 2025-12-15T17:17:04Z
On Thu, Dec 11, 2025 at 4:36 PM Jelte Fennema-Nio <postgres@jeltef.nl> wrote: > > "you didn't reauthenticate in time, so now you > > _have_ to reconnect, bye" > > I might be missing something but I feel like we currently do this in > various other places using: > FATAL: <message explaining reason> > <connection close> Part of the appeal to me is the ability for the client to decide to transparently reconnect if possible, rather than surfacing an error to the user. But if there's no other metadata to be used by the client during that, then I suppose we could create a new 08Pxx SQLSTATE to mean that. That does cover the backwards compatibility angle pretty well. > Yeah, pipelining is annoying for these kind of things. But looking > it's not so bad. What if you define the flow as: > 1. server sends 'R' message when it realizes it wants a > re-authentication (allowed whenever, just like NoticeResponse) > 2. client can continue to send whatever and server will respond accordingly > 3a. client starts authentication flow by sending a 'p' message > 3b. client did not complete auth flow within timeout of the server, so > server sends FATAL + closes connection. I think a timeout-based flow (though simple!) might be hard to maintain for a DBA. It's basically a race condition that they would have to tune. (I'm not saying I'm opposed to a timeout here; just that the timeout should be a backstop for a misbehaved client, rather than the thing the conversation is based on. The client should know what it's allowed to finish up before reauthenticating.) --Jacob
-
Re: Periodic authorization expiration checks using GoAway message
Jelte Fennema-Nio <postgres@jeltef.nl> — 2025-12-15T17:27:47Z
On Mon, 15 Dec 2025 at 18:17, Jacob Champion <jacob.champion@enterprisedb.com> wrote: > Part of the appeal to me is the ability for the client to decide to > transparently reconnect if possible, rather than surfacing an error to > the user. But if there's no other metadata to be used by the client > during that, then I suppose we could create a new 08Pxx SQLSTATE to > mean that. That does cover the backwards compatibility angle pretty > well. Seems reasonable to use dedicated error code for that. My understanding (see below) would be that getting this error would be the exception, because in the happy path the client would re-authenticate on the existing connection. > > Yeah, pipelining is annoying for these kind of things. But looking > > it's not so bad. What if you define the flow as: > > 1. server sends 'R' message when it realizes it wants a > > re-authentication (allowed whenever, just like NoticeResponse) > > 2. client can continue to send whatever and server will respond accordingly > > 3a. client starts authentication flow by sending a 'p' message > > 3b. client did not complete auth flow within timeout of the server, so > > server sends FATAL + closes connection. > > I think a timeout-based flow (though simple!) might be hard to > maintain for a DBA. It's basically a race condition that they would > have to tune. (I'm not saying I'm opposed to a timeout here; just that > the timeout should be a backstop for a misbehaved client, rather than > the thing the conversation is based on. The client should know what > it's allowed to finish up before reauthenticating.) To clarify: I meant the timeout as a backstop in this flow. Once the client receives a 'R' message it should be re-authenticating ASAP. But if it still had some messages in flight, the server can still choose to process them during a grace period.
-
Re: Periodic authorization expiration checks using GoAway message
Jacob Champion <jacob.champion@enterprisedb.com> — 2025-12-15T17:27:59Z
On Fri, Dec 12, 2025 at 3:49 AM Zsolt Parragi <zsolt.parragi@percona.com> wrote: > Would client side revalidation allow re-authentication while a > long-running query is in progress? I think this is related to the async concern and the "what is a client allowed to do before reauthentication" question. > > Online checks (to allow revocation) would need more thought by the DBA; there's a performance-staleness tradeoff there. > > Are revocation checks really related to GoAway? Even with offline OIDC > tokens, we can implement periodic server side checks to see if a long > lived token is still alive using an introspection endpoint. I view it as related (potentially) to the continuity of the connection handoff, if the client doesn't reauthenticate. The revocation itself doesn't have much to do with GoAway. > I think this should be already possible with current validators, by > closing the connection if we find out that a token was revoked - > trying to implement this is on my TODO list. (I don't see this as a message to be used during initial authentication.) > Should we really handle > this through GoAway, and allow a graceful period? If a token was > revoked, there's usually a good reason for that. What to do with a token that's revoked while a connection/query/transaction is in progress is a big design decision, I think. But I could see a case for defaulting to graceful reauthentication even in the case of OAuth revocation. If you're worried about a single bearer token, you can revoke it (clients can still refresh them and keep going). If you're worried about a refresh token, you can revoke it (clients might ask users for another one and keep going). And if you're worried about a client, you can revoke its ability to access the required scopes, and then you've locked it out. The protocol doesn't necessarily need to care that the graceful reauthentication is doomed to failure. --Jacob
-
Re: Periodic authorization expiration checks using GoAway message
Jacob Champion <jacob.champion@enterprisedb.com> — 2025-12-15T17:31:33Z
On Mon, Dec 15, 2025 at 9:28 AM Jelte Fennema-Nio <postgres@jeltef.nl> wrote: > To clarify: I meant the timeout as a backstop in this flow. Once the > client receives a 'R' message it should be re-authenticating ASAP. But > if it still had some messages in flight, the server can still choose > to process them during a grace period. But it seems iffy to change authentication metadata associated with the connection halfway through a transaction, no? Am I missing something that makes that architecturally safe? --Jacob
-
Re: Periodic authorization expiration checks using GoAway message
Jelte Fennema-Nio <postgres@jeltef.nl> — 2025-12-15T21:50:04Z
On Mon, 15 Dec 2025 at 18:31, Jacob Champion <jacob.champion@enterprisedb.com> wrote: > But it seems iffy to change authentication metadata associated with > the connection halfway through a transaction, no? Am I missing > something that makes that architecturally safe? It felt a bit iffy to me too initially, but then I started looking at it from the other direction: i.e. what am I missing that actually makes this architecturally unsafe? And I cannot think of anything. I see two possible things happening when re-authenticating mid-transaction: 1. User re-authenticates correctly, the transaction can continue as it would normally 2. User re-authenticates incorrectly, connection is closed and transaction is aborted Both of those situations seem totally reasonable to me. What metadata are you worried about changing mid transaction that could mess stuff up? The primary one I can imagine is the username, but in my proposed implementation of the feature that one would have to stay the same anyway: The authentication related messages ('R' and 'p') don't contain username, that's part of the StartupMessage. -
Re: Periodic authorization expiration checks using GoAway message
Zsolt Parragi <zsolt.parragi@percona.com> — 2025-12-16T08:05:17Z
> I think this is related to the async concern and the "what is a client > allowed to do before reauthentication" question. Yes, but my point was that I think the different situations (normally expired token, we most likely still have a valid refresh token vs token that was for some reason revoked before its normal expiration date) are different and require different handling, I don't think we should treat them the same way. GoAway seems to be more useful for the first one. > (I don't see this as a message to be used during initial authentication.) What I meant that we can already implement a background process that watches active (oauth) connections, and either: * Revalidates tokens periodically using introspection APIs * Implements the Back-Channel logout[1] supported by several identity providers And if the checks fail (a token is invalidated), we immediately close the connection that uses the token. This situation can happen either when: a. The user presses the "logout everywhere" button b. The users permissions change c. The user is deactivated (e.g. employee termination) d. A security check invalidates the user's session From these four, I think graceful logout/continuing the current query is only an option for (a), maybe (b), for (c) and (d) we should log out the user from everywhere as soon as possible. And even for the normal "logout" button, I can see graceful logout as a potential option, but I'm not sure how many people would want it instead of the normal "log out instantly" behavior. I think most people would expect it to work exactly like a normal logout, like closing psql. For (a) and (d) keeping the connection alive, but inactive, and letting the user log in again without losing the session could be an option, and GoAway could be useful there if I understand correctly. For (b) and (c) there's no way for the session to continue. But because of (d) I think it is important to terminate the query immediately (or at least: prevent committing, but that seems more difficult to do), I don't think anybody would want graceful termination in case of a security incident. On the other hand, if the access token expires, and we have to automatically/manually get a new one, I imagine most people would want/expect graceful behavior. [1] https://openid.net/specs/openid-connect-backchannel-1_0.html
-
Re: Periodic authorization expiration checks using GoAway message
Ajit Awekar <ajitpostgres@gmail.com> — 2025-12-16T09:15:35Z
>What I meant that we can already implement a background process that >watches active (oauth) connections, and either: >Revalidates tokens periodically using introspection APIs +1 as this will offload validation logic to a dedicated background process. Thanks & Best Regards, Ajit On Tue, 16 Dec 2025 at 13:35, Zsolt Parragi <zsolt.parragi@percona.com> wrote: > > I think this is related to the async concern and the "what is a client > > allowed to do before reauthentication" question. > > Yes, but my point was that I think the different situations (normally > expired token, we most likely still have a valid refresh token vs > token that was for some reason revoked before its normal expiration > date) are different and require different handling, I don't think we > should treat them the same way. GoAway seems to be more useful for the > first one. > > > (I don't see this as a message to be used during initial authentication.) > > What I meant that we can already implement a background process that > watches active (oauth) connections, and either: > > * Revalidates tokens periodically using introspection APIs > * Implements the Back-Channel logout[1] supported by several identity > providers > > And if the checks fail (a token is invalidated), we immediately close > the connection that uses the token. > > This situation can happen either when: > > a. The user presses the "logout everywhere" button > b. The users permissions change > c. The user is deactivated (e.g. employee termination) > d. A security check invalidates the user's session > > From these four, I think graceful logout/continuing the current query > is only an option for (a), maybe (b), for (c) and (d) we should log > out the user from everywhere as soon as possible. > > And even for the normal "logout" button, I can see graceful logout as > a potential option, but I'm not sure how many people would want it > instead of the normal "log out instantly" behavior. I think most > people would expect it to work exactly like a normal logout, like > closing psql. > > For (a) and (d) keeping the connection alive, but inactive, and > letting the user log in again without losing the session could be an > option, and GoAway could be useful there if I understand correctly. > For (b) and (c) there's no way for the session to continue. But > because of (d) I think it is important to terminate the query > immediately (or at least: prevent committing, but that seems more > difficult to do), I don't think anybody would want graceful > termination in case of a security incident. > > On the other hand, if the access token expires, and we have to > automatically/manually get a new one, I imagine most people would > want/expect graceful behavior. > > [1] https://openid.net/specs/openid-connect-backchannel-1_0.html >
-
Re: Periodic authorization expiration checks using GoAway message
Jacob Champion <jacob.champion@enterprisedb.com> — 2025-12-16T19:53:55Z
On Mon, Dec 15, 2025 at 1:50 PM Jelte Fennema-Nio <postgres@jeltef.nl> wrote: > What metadata > are you worried about changing mid transaction that could mess stuff > up? The primary one I can imagine is the username The HBA inputs can't be allowed to change; that's not what I'm worried about. The system_user might change. Cached SCRAM keys can change. Every certificate-derived piece of metadata in sslinfo could change. MyProcPort->peer and MyProcPort->gss might be wholly reassigned. And any user-metadata functions provided by OAuth validator modules would need to carefully consider their volatility guarantees at minimum. There's probably more. --Jacob
-
Re: Periodic authorization expiration checks using GoAway message
Jacob Champion <jacob.champion@enterprisedb.com> — 2025-12-16T20:19:51Z
On Tue, Dec 16, 2025 at 12:05 AM Zsolt Parragi <zsolt.parragi@percona.com> wrote: > a. The user presses the "logout everywhere" button > b. The users permissions change > c. The user is deactivated (e.g. employee termination) > d. A security check invalidates the user's session > > From these four, I think graceful logout/continuing the current query > is only an option for (a), maybe (b), for (c) and (d) we should log > out the user from everywhere as soon as possible. To me that seems like a matter of policy and not protocol. (As long as we come to some agreement on the semantics of what a client is and is not allowed to do before reauthenticating.) Said another way: it seems very useful to let a DBA choose between graceful reauthentication and hard connection loss for different situations. But I don't think those decisions should be assumed in the protocol design or hardcoded in our server. Even for case (d), a DBA might choose to bound clients via transaction_timeout for a particular application; since we've never had this feature before, I don't want to make proclamations about how people are going to want to deploy it. --Jacob
-
Re: Periodic authorization expiration checks using GoAway message
Jacob Champion <jacob.champion@enterprisedb.com> — 2025-12-16T20:22:11Z
On Tue, Dec 16, 2025 at 1:15 AM Ajit Awekar <ajitpostgres@gmail.com> wrote: > >What I meant that we can already implement a background process that > >watches active (oauth) connections, and either: > > >Revalidates tokens periodically using introspection APIs > > +1 as this will offload validation logic to a dedicated background process. Is the hope that batching validation will make things more efficient, or is there another goal to using a background process? You still have to communicate back to each backend. --Jacob
-
Re: Periodic authorization expiration checks using GoAway message
Ajit Awekar <ajitpostgres@gmail.com> — 2025-12-17T10:06:28Z
Background process will help us to gain performance so as it will be seamless to users and user queries will not be impacted. Thanks & Best Regards, Ajit On Wed, 17 Dec 2025 at 01:52, Jacob Champion < jacob.champion@enterprisedb.com> wrote: > On Tue, Dec 16, 2025 at 1:15 AM Ajit Awekar <ajitpostgres@gmail.com> > wrote: > > >What I meant that we can already implement a background process that > > >watches active (oauth) connections, and either: > > > > >Revalidates tokens periodically using introspection APIs > > > > +1 as this will offload validation logic to a dedicated background > process. > > Is the hope that batching validation will make things more efficient, > or is there another goal to using a background process? You still have > to communicate back to each backend. > > --Jacob >
-
Re: Periodic authorization expiration checks using GoAway message
Zsolt Parragi <zsolt.parragi@percona.com> — 2025-12-17T10:44:25Z
> To me that seems like a matter of policy and not protocol. (As long as > we come to some agreement on the semantics of what a client is and is > not allowed to do before reauthenticating.) It's great if this is configurable, as long as DBAs can choose both the immediate and graceful options. > Is the hope that batching validation will make things more efficient, > or is there another goal to using a background process? You still have > to communicate back to each backend. * I think I can implement it with background threads / immediate disconnection currently for PG18 in our validator (this of course might improve with PG19 and later) * Can we implement the immediate disconnection without a background process? I would again use the long running query example. If a query is running for 5-10-... minutes, is there another way to disconnect the connection before the query completes? * Some identity providers support pushing revocation data instead of pulling, and this usually works over HTTP. Which means that it needs a background process running a mini HTTP server (as part of an oauth validator).
-
Re: Periodic authorization expiration checks using GoAway message
Bruce Momjian <bruce@momjian.us> — 2025-12-23T21:59:21Z
On Wed, Dec 10, 2025 at 10:20:46PM +0100, Jelte Fennema-Nio wrote: > On Wed, 10 Dec 2025 at 21:02, Jacob Champion > <jacob.champion@enterprisedb.com> wrote: > > > > (To call it out explicitly: I work with Ajit, and I asked him to take > > a look at GoAway, and I'm particularly interested in the > > "reauthenticate or else" case. Let me know if any of that is > > problematic -- or if anyone's worried that it will become so -- so I > > can course-correct sooner rather than later.) > > I think password rollover without downtime requires more thought than > discussed in this thread so far. Currently the simplest way (that I > know of) to rollover passwords without downtime is to have two users > that you can switch between, and one has been configured with: > ALTER USER b SET ROLE = a; > > So both effectively log in as a. I have often thought we should allow two passwords for each user for such password rotation purposes. -- Bruce Momjian <bruce@momjian.us> https://momjian.us EDB https://enterprisedb.com Do not let urgent matters crowd out time for investment in the future.