Revoke an agent access token
Questions
We can show the tokens that were generated for this agent, for compliance and for token rotation.
- From a security point of view, are we ok to show the tokens? Or just the end of them?
- What extra information do we want to show together with the token?
- Shall we allow the deletion of tokens?
- Should we show the token currently being used?
- Shall we allow users to identify a token by name?
Proposal
Tokens are documented here https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/blob/master/doc/identity_and_auth.md#authentication
From a security point of view, are we ok to show the tokens? Or just the end of them?
I'd say no. I think secrets should ideally be write-only or read-once. As the tokens have a name, even showing a masked version is unnecessary.
What extra information do we want to show together with the token?
See the document. Maybe something else too...
Shall we allow the deletion of tokens?
We should support token revocation; once a token has been revoked, it should be automatically deleted after, say, a week.
The automatic deletion should be a separate issue.
Should we show the token currently being used?
Yes, good idea! Zero or more tokens can be in use at a given moment, so each should have an indicator. We can also/instead show the date and time when each token was last used. This might be more useful. We can store this data in Redis; it doesn't need to be in the DB, I think. It can be refreshed on each kas -> Rails API call.
Shall we allow users to identify a token by name?
I thought about that. We could. When I was thinking about that, I added a free-form comment section to tokens for random comments admins may want to leave (see the doc). Do we want that?
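The following Ruby sketch is added here to make the proposal above concrete; it is not GitLab's implementation. It ties together the answers given so far: the token value is write-only (only a SHA-256 digest is stored and the plaintext is returned once), revocation is immediate while hard deletion happens a week later in a separate purge step, and the last-used timestamp is refreshed on each kas -> Rails call and kept outside the DB. In-memory Hashes stand in for the DB table and for Redis, the five-minute "in use" window, the class and method names, and the sample token name are all assumptions for the example.

```ruby
require 'securerandom'
require 'digest'

# Hypothetical sketch of the proposal above; not GitLab's implementation.
# An in-memory Hash stands in for the DB table and another for Redis.
class AgentTokenStore
  RETENTION_AFTER_REVOCATION = 7 * 24 * 60 * 60 # delete a week after revocation (seconds)
  IN_USE_WINDOW = 5 * 60                         # assumed: "in use" if seen in the last 5 minutes

  Token = Struct.new(:id, :name, :description, :digest, :created_at, :revoked_at,
                     keyword_init: true)

  def initialize(clock: -> { Time.now })
    @tokens = {}     # id => Token (stands in for the Rails DB)
    @by_digest = {}  # digest => id (lookup index)
    @last_used = {}  # id => Time (stands in for Redis)
    @clock = clock
    @next_id = 0
  end

  # Secrets are write-only: the plaintext is returned exactly once and only
  # its SHA-256 digest is persisted, so the UI can never display it again.
  def create(name:, description: nil)
    plaintext = SecureRandom.urlsafe_base64(32)
    digest = Digest::SHA256.hexdigest(plaintext)
    @next_id += 1
    token = Token.new(id: @next_id, name: name, description: description,
                      digest: digest, created_at: @clock.call, revoked_at: nil)
    @tokens[token.id] = token
    @by_digest[digest] = token.id
    [token.id, plaintext]
  end

  # Called on every kas -> Rails API call: rejects unknown or revoked tokens
  # and refreshes the last-used timestamp in the Redis stand-in.
  def authenticate(plaintext)
    id = @by_digest[Digest::SHA256.hexdigest(plaintext)]
    return nil if id.nil? || @tokens[id].revoked_at
    @last_used[id] = @clock.call
    id
  end

  # Revocation takes effect immediately; the row stays around for auditing.
  def revoke(id)
    @tokens.fetch(id).revoked_at ||= @clock.call
  end

  # Meant for a separate periodic job: hard-delete tokens revoked over a week ago.
  def purge_revoked!
    now = @clock.call
    ids = @tokens.values
                 .select { |t| t.revoked_at && now - t.revoked_at >= RETENTION_AFTER_REVOCATION }
                 .map(&:id)
    ids.each do |id|
      @by_digest.delete(@tokens[id].digest)
      @tokens.delete(id)
      @last_used.delete(id)
    end
    ids
  end

  # What the UI lists: name, comment, status and usage; never the token value.
  def list
    now = @clock.call
    @tokens.values.map do |t|
      last = @last_used[t.id]
      { name: t.name, description: t.description, created_at: t.created_at,
        revoked_at: t.revoked_at, last_used_at: last,
        in_use: t.revoked_at.nil? && !last.nil? && now - last < IN_USE_WINDOW }
    end
  end
end

# Life-cycle walk-through with a controllable clock so the retention period can elapse.
def demo
  now = Time.utc(2021, 6, 1, 12, 0, 0)
  store = AgentTokenStore.new(clock: -> { now })
  id, secret = store.create(name: 'prod-cluster', description: 'issued for rotation')
  leaked = store.list.any? { |row| row.values.include?(secret) }

  store.authenticate(secret)                 # kas presents the token
  in_use_before = store.list.first[:in_use]
  store.revoke(id)
  rejected = store.authenticate(secret).nil?
  purged_early = store.purge_revoked!        # a week has not passed yet

  now += AgentTokenStore::RETENTION_AFTER_REVOCATION
  purged_later = store.purge_revoked!

  { secret_visible: leaked, in_use_before: in_use_before, rejected_after_revoke: rejected,
    purged_early: purged_early, purged_later: purged_later, remaining: store.list.size }
end

puts demo if __FILE__ == $PROGRAM_NAME
```

Looking tokens up by digest means a leaked DB dump does not yield usable tokens, and keeping the revoked row for a week gives the compliance view the "who revoked what, when" record before the purge job removes it.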
Workaround
Before we can ship this feature, do our users have alternative ways to "revoke" a token?
- Users can use GraphQL to delete the token
- It could be removed from the DB using the Rails CLI