Limit Lifetime of Access Tokens for Enterprise accounts
Problem
Top-level groups on GitLab.com can have Enterprise Users if the group has one or more verified domains.
Enterprise Users were intended as a solution for enterprises on GitLab.com that want more control over user activity. One remaining gap for these enterprises is credential rotation: a user may create a personal access token with a very long or unlimited lifetime. If such a credential leaks, it poses an unacceptable security risk, because an attacker has an unbounded window in which to use it.
Proposal
For organizations with Enterprise Users, allow an Enterprise Setting that gives a max lifetime for personal access tokens.
As of %16.0, the lifetime is already capped at 365 days, due to "Set default PAT expiration to 365 days from now" (!120213, merged). The proposed setting would let an organization enforce a shorter limit than that instance-wide cap.
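To make the proposed control concrete, here is an added example (not GitLab's code) of the two checks an enterprise would want once such a setting exists: clamping a requested expiry to the policy maximum at token creation, and auditing existing tokens for ones that already exceed it. The sample records are constructed and only mirror the field names of GitLab's GET /personal_access_tokens response (id, name, created_at, expires_at, active, revoked); MAX_LIFETIME_DAYS stands in for the hypothetical Enterprise Setting and no API call is made.

```python
"""Enforce and audit a maximum personal access token lifetime.

Added example, not GitLab's implementation. The token records below are
constructed sample data shaped like GitLab's GET /personal_access_tokens
response; nothing here talks to a real instance.
"""
from datetime import date, datetime, timedelta
from typing import List, Optional

# Hypothetical value of the proposed Enterprise Setting, in days. An
# organization would pick something shorter than the 365-day instance cap.
MAX_LIFETIME_DAYS = 90

# Constructed sample tokens (not real credentials, no token values included).
SAMPLE_TOKENS = [
    {"id": 1, "name": "ci-deploy", "created_at": "2024-01-10T09:00:00.000Z",
     "expires_at": "2024-03-01", "active": True, "revoked": False},
    {"id": 2, "name": "laptop-cli", "created_at": "2024-01-10T09:00:00.000Z",
     "expires_at": None, "active": True, "revoked": False},
    {"id": 3, "name": "old-script", "created_at": "2023-06-01T12:00:00.000Z",
     "expires_at": "2025-06-01", "active": True, "revoked": False},
    {"id": 4, "name": "retired", "created_at": "2023-06-01T12:00:00.000Z",
     "expires_at": None, "active": False, "revoked": True},
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 timestamp with a trailing Z (as the API emits it)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def enforced_expiry(created_at: str, requested: Optional[str], max_days: int) -> date:
    """Expiry to apply at creation time.

    A request with no expiry, or one further out than the policy allows,
    is clamped to created + max_days; a shorter request is kept as-is.
    """
    latest_allowed = parse_ts(created_at).date() + timedelta(days=max_days)
    if requested is None:
        return latest_allowed
    return min(date.fromisoformat(requested), latest_allowed)


def classify(token: dict, max_days: int) -> str:
    """'ok', 'no_expiry', or 'too_long' for an existing token."""
    if token["expires_at"] is None:
        return "no_expiry"
    created = parse_ts(token["created_at"]).date()
    expires = date.fromisoformat(token["expires_at"])
    if (expires - created).days > max_days:
        return "too_long"
    return "ok"


def audit(tokens: List[dict], max_days: int) -> List[dict]:
    """Active, unrevoked tokens that violate the lifetime policy.

    These are the ones that need rotation; revoked or inactive tokens are
    skipped because they can no longer be used.
    """
    findings = []
    for token in tokens:
        if token["revoked"] or not token["active"]:
            continue
        reason = classify(token, max_days)
        if reason != "ok":
            findings.append({"id": token["id"], "name": token["name"], "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_TOKENS, MAX_LIFETIME_DAYS):
        print(f"token {finding['id']} ({finding['name']}): {finding['reason']}")
    print("clamped expiry for an open-ended request:",
          enforced_expiry("2024-01-10T09:00:00.000Z", None, MAX_LIFETIME_DAYS))
```

Against the sample data the audit flags token 2 (no expiry at all) and token 3 (a two-year lifetime), while token 1 passes and the revoked token 4 is ignored; an open-ended request created on 2024-01-10 is clamped to 2024-04-09 under a 90-day policy. In practice the audit half would read its input from the personal access tokens API with an admin token and feed the findings into a rotation or revocation workflow.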
References
GitHub roadmap: https://github.com/orgs/github/projects/4247/views/1?pane=issue&itemId=14541950
This feature in self-managed Ultimate: https://docs.gitlab.com/ee/user/admin_area/settings/account_and_limit_settings.html#limit-the-lifetime-of-access-tokens