Allow admins and owners to make PAT expiration enforcement optional
Problem to solve
In 12.6 we introduced a PAT expiration setting that automatically revokes tokens when the expiration date has been met or exceeded. This creates friction for users and doesn't provide flexibility in building smoother user experiences around credential rotation.
Currently, the programmatic enforcement of this expiration setting is unchangeable and there's no way to allow for "soft" enforcement to avoid disruption for users.
Intended users
Further details
Proposal
Provide a checkbox that allows the administrator or owner to specify "optional enforcement" of PAT expiration.
If enabled, the behavior remains unchanged and PATs are automatically revoked when the date is met or exceeded.
If disabled, GitLab will continue to notify the user via email, CLI, and/or in-app messaging about the expired credential, but will not automatically invalidate it.
If a user's token is 7 days from expiring, we should display an in-app message to the user that says:
One or more of your personal access tokens will expire soon. Update Now
If a user's token has expired, we should display:
One or more of your personal access tokens has expired. Update Now
This message should probably persist until they dismiss it or take action.
Permissions and Security
Only administrators (for self-managed) and Group Owners (for GitLab.com) can modify this setting.
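To make the two enforcement modes, the notification windows and the permission rule concrete, here is an added Ruby sketch of the proposed behavior. It is illustration written for this issue, not GitLab's code: the class names (PatExpirationPolicy, PersonalAccessToken), the `evaluate` and `authenticate` helpers, the actor Hash with :admin and :group_owner flags, and the dates are all constructed. The one thing the sketch adds beyond the proposal text is an audit note whenever an expired token is accepted under soft enforcement, since that acceptance is exactly what operators give up when they disable automatic revocation and is what they will want to see in logs.

```ruby
require 'date'

# Added illustration of the proposed setting; not GitLab's implementation.
# PatExpirationPolicy, PersonalAccessToken, evaluate and authenticate are
# hypothetical names.
EXPIRING_SOON_DAYS = 7
EXPIRING_SOON_MESSAGE = 'One or more of your personal access tokens will expire soon. Update Now'
EXPIRED_MESSAGE = 'One or more of your personal access tokens has expired. Update Now'

# The instance/group-level switch. true = today's behavior (expired tokens are
# revoked); false = proposed "soft" enforcement (notify only, token keeps working).
class PatExpirationPolicy
  attr_reader :enforce_expiration

  def initialize(enforce_expiration: true)
    @enforce_expiration = enforce_expiration
  end

  # Only instance admins (self-managed) or group owners (GitLab.com) may change
  # the setting. `actor` is a constructed Hash with :admin / :group_owner flags.
  def update!(actor, enforce_expiration:)
    unless actor[:admin] || actor[:group_owner]
      raise ArgumentError, 'only administrators or group owners can change PAT expiration enforcement'
    end
    @enforce_expiration = enforce_expiration
    self
  end
end

class PersonalAccessToken
  attr_reader :expires_at, :revoked

  def initialize(expires_at:)
    @expires_at = expires_at
    @revoked = false
  end

  # "Met or exceeded": the token counts as expired on its expiry date itself.
  def expired?(today)
    expires_at <= today
  end

  def expiring_within?(today, days)
    !expired?(today) && (expires_at - today).to_i <= days
  end

  def revoke!
    @revoked = true
  end
end

# Daily sweep over one token: decides whether to revoke it and which in-app
# message (if any) the user should see. Returns a Hash so callers can assert on it.
def evaluate(token, policy, today)
  if token.expired?(today)
    token.revoke! if policy.enforce_expiration
    { state: token.revoked ? :revoked : :expired_soft, message: EXPIRED_MESSAGE }
  elsif token.expiring_within?(today, EXPIRING_SOON_DAYS)
    { state: :expiring_soon, message: EXPIRING_SOON_MESSAGE }
  else
    { state: :active, message: nil }
  end
end

# Authentication decision. Under soft enforcement an expired-but-unrevoked token
# is still accepted; the :audit field flags that so the use can be logged and
# reviewed, which is the trade-off operators accept when disabling enforcement.
def authenticate(token, policy, today)
  return { accepted: false, audit: 'revoked token presented' } if token.revoked
  if token.expired?(today)
    return { accepted: false, audit: 'expired token rejected' } if policy.enforce_expiration
    return { accepted: true, audit: 'expired token accepted under soft enforcement' }
  end
  { accepted: true, audit: nil }
end

if __FILE__ == $PROGRAM_NAME
  today = Date.new(2020, 6, 1) # constructed "today"
  soft = PatExpirationPolicy.new.update!({ admin: true }, enforce_expiration: false)
  token = PersonalAccessToken.new(expires_at: Date.new(2020, 5, 30))
  puts evaluate(token, soft, today)     # :expired_soft, shows EXPIRED_MESSAGE
  puts authenticate(token, soft, today) # accepted, with an audit note
end
```

Running the file shows the soft path: the token past its date is not revoked, the user sees the expired message, and the authentication result carries the audit note. Flip the policy to `enforce_expiration: true` and the same sweep revokes the token and authentication rejects it, which is the unchanged current behavior.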