Spike - Token rotation
Topic to Evaluate
As we enforce required expiration on tokens, unify them and eventually tie token creation to service accounts, we need a way for users to rotate/refresh tokens programmatically. As it stands, an expiring token still requires manual intervention and tracking by its owner, who must create a new token and replace the expiring one at some point in the future. A much better user experience is to rotate the token automatically as expires_in approaches. The same API could be used by credential storage such as Vault to rotate tokens automatically.

This is also very helpful in case of a security breach, where users can quickly revoke and rotate existing tokens. A somewhat similar API was added for runner tokens (Automated Runner Key and Registration Rotation, #30942 - closed). The goal of this spike is to identify whether we can provide such an API for PAT, PrAT and GrAT tokens and which constraints will need to be enforced, e.g.:
- How would we identify and validate the API call?
- Does the user need to provide an additional API key, OAuth JWT etc.?
- Do we have adequate authorization info available to generate a new token?
- How will previous expiring tokens be correlated/renewed?
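To make the questions above concrete, here is an added example (not GitLab code, and not a proposal for the real API shape) that models one possible answer in an in-memory store: the rotate call is authenticated by the token being rotated, the successor inherits owner, kind and scopes, records the predecessor's id for correlation, and the predecessor is revoked. The `TokenStore`, `Token` struct, the `glpat-` plaintext format and the `rotation_due?` threshold policy are all assumptions for illustration.

```ruby
# Added example (not GitLab code): an in-memory model of the rotation flow
# discussed in this spike. Store, token shape and `rotate` semantics are
# assumptions for illustration only, not GitLab's real API or data model.
require 'securerandom'
require 'time'

# Minimal token record. A real store keeps only a hash of the plaintext;
# the plaintext is returned exactly once, at creation or rotation time.
Token = Struct.new(:id, :owner, :kind, :scopes, :expires_at, :revoked,
                   :rotated_from, keyword_init: true) do
  def active?(now = Time.now)
    !revoked && expires_at > now
  end
end

class TokenStore
  # personal, project and group access tokens (PAT, PrAT, GrAT)
  ROTATABLE_KINDS = %w[pat prat grat].freeze

  def initialize
    @by_plaintext = {} # plaintext -> Token (stand-in for a hashed lookup)
    @next_id = 0
  end

  def create(owner:, kind:, scopes:, ttl:, rotated_from: nil, now: Time.now)
    raise ArgumentError, "unknown token kind #{kind}" unless ROTATABLE_KINDS.include?(kind)

    @next_id += 1
    token = Token.new(id: @next_id, owner: owner, kind: kind, scopes: scopes.dup,
                      expires_at: now + ttl, revoked: false, rotated_from: rotated_from)
    plaintext = "glpat-#{SecureRandom.hex(10)}" # constructed format, illustrative only
    @by_plaintext[plaintext] = token
    [plaintext, token]
  end

  def lookup(plaintext)
    @by_plaintext[plaintext]
  end

  # Rotation is authenticated by the token being rotated: no second credential.
  # Only a currently active token of a rotatable kind may mint its successor.
  # The successor inherits owner, kind and scopes (never widened) and records
  # the predecessor's id so the chain can be audited; the predecessor is revoked.
  def rotate(plaintext, ttl:, now: Time.now)
    old = lookup(plaintext)
    raise 'unauthorized: token unknown, revoked or expired' unless old&.active?(now)

    new_plaintext, new_token = create(owner: old.owner, kind: old.kind, scopes: old.scopes,
                                      ttl: ttl, rotated_from: old.id, now: now)
    old.revoked = true
    [new_plaintext, new_token]
  end
end

# Client-side policy (what a Vault-style consumer would run): rotate once the
# remaining lifetime drops under a threshold, so the caller never has to act
# on an already-expired token.
def rotation_due?(token, threshold:, now: Time.now)
  token.expires_at - now <= threshold
end
```

Two points of the model matter for the constraints question: the server, not the caller, bounds the new token's lifetime (`ttl` is a server-side policy input here), and each rotation revokes the predecessor, so any leftover copy of the old token stops working the moment the legitimate owner rotates. The `rotated_from` link is what lets an audit answer "which token replaced which".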
Tasks prior to evaluation
- Clearly document the topic to be evaluated in this issue description
- Determine specific scope including time-bounds for investigation

This spike is weighted at 3 and the goal is to complete the spike within 15.10.
Tasks to Evaluate
- Determine feasibility of the feature
- Document the approach and technical design on the engineering handbook
- Any POC tasks that need to occur before the customer-facing MVC is begun
- Create issues for implementation or update the existing implementation issue description with the implementation proposal
- Set initial weights on implementation issues
- If weight is greater than 5, break the issue into smaller issues
Risks and Implementation Considerations
As this spike is evaluated, the feasibility and outcome should be reviewed with UX/PM. Consider not only the implementation design, but also how it will be rolled out, licensing considerations and backward compatibility.
Team
- Add ~"workflow::planning breakdown", ~"type::feature" and the corresponding ~devops::<stage> and ~group::<group> labels.
- Ping the PM and EM.