Thanks Vasuki and Zsolt for your reply and comments.
>> First, is Port always zero-initialized? If not, we might want to explicitly initialize the new expiry field to a known value. Right now it looks like we’re relying on zero to mean “not provided”, but since TimestampTz value 0 is a valid timestamp (Postgres epoch), I’m wondering whether it would be clearer to use an explicit invalid/sentinel value instead.
I agree. The attached patch value is now initialised to sentinel DT_NOBEGIN to indicate no expiry value has been provided yet.
>> Also, in the case where the validator returns an expiry that is already in the past, should we reject the authentication immediately? Or is that expected to be fully handled inside the validator module?
The design assumes that the Validator module will handle the immediate rejection of tokens already in the past. The expiry field is intended for the backend to manage session life after successful authentication
>> Finally, do you have a particular enforcement model in mind for follow-up work (e.g., check at statement start, transaction boundaries, or via some timeout mechanism)? It would help to understand how you see this being used.
Ideally we should check this at statement start.
>> This API looks simple for providers that use JWT access tokens, but
what about providers that use opaque tokens and an introspection API
to check validity instead?
For providers using opaque tokens or introspection APIs where an 'exp' claim might be missing, the API remains compatible by allowing the validator to return DT_NOBEGIN.
Request a review.
Thanks & Best Regards,
Ajit
Hello
This API looks simple for providers that use JWT access tokens, but
what about providers that use opaque tokens and an introspection API
to check validity instead? Some validators might not be able to
provide anything meaningful without a periodic call to a "check
validity now" method, and even some providers that use JWT access
tokens support immediate revocation, where these periodic checks would
be useful.
