Would client side revalidation allow re-authentication while a long-running query is in progress? Or would it kick out a connection because it can't reauthenticate after some grace period? A strict OIDC setup might use 5 or 10 minute access tokens, where this is a realistic issue.

> Online checks (to allow revocation) would need more thought by the DBA;
> there's a performance-staleness tradeoff there.

Are revocation checks really related to GoAway? Even with offline OIDC tokens, we can implement periodic server side checks to see if a long lived token is still alive using an introspection endpoint. I think this should be already possible with current validators, by closing the connection if we find out that a token was revoked - trying to implement this is on my TODO list.

Should we really handle this through GoAway, and allow a graceful period? If a token was revoked, there's usually a good reason for that.
