Re: Periodic authorization expiration checks using GoAway message

Zsolt Parragi <zsolt.parragi@percona.com>

From: Zsolt Parragi <zsolt.parragi@percona.com>
To: Jelte Fennema-Nio <postgres@jeltef.nl>
Cc: Jacob Champion <jacob.champion@enterprisedb.com>, Hannu Krosing <hannuk@google.com>, Ajit Awekar <ajitpostgres@gmail.com>, PostgreSQL-development <pgsql-hackers@postgresql.org>, Dave Cramer <davecramer@gmail.com>, Heikki Linnakangas <hlinnaka@iki.fi>
Date: 2025-12-12T11:49:23Z
Lists: pgsql-hackers
Would client side revalidation allow re-authentication while a
long-running query is in progress? Or would it kick out a connection
because it can't reauthenticate after some grace period? A strict OIDC
setup might use 5 or 10 minute access tokens, where this is a
realistic issue.

> Online checks (to allow revocation) would need more thought by the DBA; there's a performance-staleness tradeoff there.

Are revocation checks really related to GoAway? Even with offline OIDC
tokens, we can implement periodic server side checks to see if a long
lived token is still alive using an introspection endpoint.

I think this should be already possible with current validators, by
closing the connection if we find out that a token was revoked -
trying to implement this is on my TODO list. Should we really handle
this through GoAway, and allow a graceful period? If a token was
revoked, there's usually a good reason for that.