Periodic authorization expiration checks using GoAway message - Mailing list pgsql-hackers

From Ajit Awekar
Subject Periodic authorization expiration checks using GoAway message
Date
Msg-id CAER375OvH3_ONmc-SgUFpA6gv_d6eNj2KdZktzo-f_uqNwwWNw@mail.gmail.com
Responses Re: Periodic authorization expiration checks using GoAway message
List pgsql-hackers
This patch introduces a mechanism to address the security issue of stale, authorized connections persisting beyond their validity period. Currently, once a session is established, Postgres does not automatically re-validate credentials. If a password expires (rolvaliduntil), the session remains active indefinitely. The same applies to centralized authentication systems (like Kerberos or OAuth).

This patch depends on the "GoAway" protocol message proposal currently under review here: https://www.postgresql.org/message-id/DDPQ1RV5FE9U.I2WW34NGRD8Z%40jeltef.nl . Please apply this patch on top of the GoAway patch.

The Solution: To handle this authorization gap gracefully, this patch leverages the pending GoAway protocol message to notify clients.

Please find below a summary of the solution:

New GUC: auth_expiration_check_interval (integer, minutes). Controls the frequency of checking a session's authorization status. Setting it to 0 (default) disables the check.

Periodic Idle Check: When a backend process is idle (waiting for the next command) and the timeout is reached, the server calls a placeholder function check_external_auth_status_expired().

Graceful Disconnect: If authorization is revoked/expired, the server sends the GoAway message. This allows the client to finish any current processing and reconnect cleanly.

Thanks & Best Regards,
Ajit Awekar
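As an added illustration that is not part of the patch or of the post above: until a periodic check of the kind proposed exists, the only way to find sessions whose login role's password validity (rolvaliduntil) has already lapsed is to compare pg_stat_activity against pg_roles by hand, and the only remedy is an abrupt pg_terminate_backend rather than a graceful GoAway. The queries assume PostgreSQL 10 or later (for the backend_type column) and the standard catalog columns; the "idle only" filter in the second statement is a precaution chosen here, not anything the patch prescribes.

```sql
-- Added example, not from the patch. pg_stat_activity.usename is the role
-- that authenticated at connect time, which is the role VALID UNTIL applies
-- to; SET ROLE later in the session does not change it.
-- Assumes PostgreSQL 10+ (backend_type column).
SELECT a.pid,
       a.usename,
       r.rolvaliduntil,
       a.backend_start,
       now() - r.rolvaliduntil AS expired_for,
       a.state
FROM   pg_stat_activity a
JOIN   pg_roles r ON r.rolname = a.usename
WHERE  a.backend_type = 'client backend'
  AND  r.rolvaliduntil IS NOT NULL
  AND  r.rolvaliduntil < now()
ORDER  BY r.rolvaliduntil;

-- Today's only remedy is abrupt: the client receives a FATAL error and any
-- open transaction is rolled back. Requires superuser or membership in
-- pg_signal_backend. Restricting to idle sessions is an assumed precaution
-- so that a statement in flight is not cut off.
SELECT a.pid, pg_terminate_backend(a.pid) AS terminated
FROM   pg_stat_activity a
JOIN   pg_roles r ON r.rolname = a.usename
WHERE  a.backend_type = 'client backend'
  AND  r.rolvaliduntil IS NOT NULL
  AND  r.rolvaliduntil < now()
  AND  a.state = 'idle';
```

Two caveats a practitioner should keep in mind. First, rolvaliduntil only gates password-based authentication, so sessions that came in via GSSAPI/Kerberos, client certificates or OAuth are invisible to this query even if the external system has since revoked them; that is exactly the gap the post's placeholder check_external_auth_status_expired() is meant to fill by consulting the external authority. Second, terminating a backend drops the client mid-conversation with no chance to retry, which is the behaviour the proposed GoAway message is meant to replace.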
