OAuth access token hard coded expiration
Release notes
Problem to solve
Regarding the expiration time for OAuth access tokens, there is unfortunately no standard answer other than making it as short as possible without affecting usability for OAuth clients. The industry best practice is to keep the access token expiration time as short as possible (for example, 15 minutes) in cases where refresh tokens are also issued. We have mentioned 2 hours (7200 seconds) as an example expiration time in our docs and source, so that would be a good place to start (without breaking too many of our existing OAuth clients, if 2 hours indeed works for them). Once we roll out access tokens with a 2-hour expiration, we can work our way towards making it shorter, based on the feedback we get from our OAuth clients/integrations.
Coming from #334646 (closed)
Proposal
After we updated the docs with a recommendation for expiration, this is a first iteration to set expiration. We will start with a hard-coded value.
The refresh interval should be hard-coded to 2 hours.
(A GitLab admin can change this configuration, but not through the UI.)
Expiration should be on by default (but can be turned off).
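The following is an added illustration of the behaviour proposed above (a 2-hour default that an admin can switch off, and how a client should honour it); it is not GitLab's or Doorkeeper's code, and the setting name `expiration_enabled`, the token values and the timestamps are constructed for the example.

```ruby
# Hard-coded default from the proposal: 2 hours (7200 seconds).
DEFAULT_ACCESS_TOKEN_EXPIRES_IN = 7200

# Server side: the lifetime handed to the token endpoint. Expiration is on by
# default; an admin can switch it off via configuration (not the UI), in which
# case nil means "no expiry" (the behaviour before this change).
# `expiration_enabled` is a hypothetical setting name used for illustration.
def access_token_expires_in(expiration_enabled: true)
  expiration_enabled ? DEFAULT_ACCESS_TOKEN_EXPIRES_IN : nil
end

# The token response an OAuth client receives. `expires_in` is omitted when
# expiration is off, which is what RFC 6749 clients expect for non-expiring tokens.
def token_response(token, expires_in)
  body = { 'access_token' => token, 'token_type' => 'Bearer' }
  body['expires_in'] = expires_in unless expires_in.nil?
  body
end

# Server side: reject the token once its lifetime has elapsed.
# created_at and now are Time objects; a nil lifetime never expires.
def token_expired?(created_at, expires_in, now)
  return false if expires_in.nil?
  now >= created_at + expires_in
end

# Client side: refresh shortly before expiry rather than on failure. A skew
# margin (seconds) avoids sending a request with a token that is about to lapse,
# which is how an existing integration keeps working once expiry is enabled.
def client_should_refresh?(response, issued_at, now, skew: 60)
  expires_in = response['expires_in']
  return false if expires_in.nil?
  now >= issued_at + expires_in - skew
end
```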
Out of scope of this issue
Allow customization of the expiration interval.