Implement personal access token API parameters for project and group access token API endpoints as well
Since GitLab introduced a maximum token lifetime of 365 days and now forces users to rotate their tokens, there needs to be a reliable way to check whether a token has expired and needs to be rotated. Currently, only personal access tokens can be queried for their expired status:
$ curl --request GET --header "PRIVATE-TOKEN: $TOKEN" "https://<gitlab>/api/v4/personal_access_tokens?revoked=true"
[
  {
    "id": 165,
    "name": "rotate_test",
    "revoked": true,
    "created_at": "2023-05-31T09:45:42.183Z",
    "scopes": [
      "api"
    ],
    "user_id": 50,
    "last_used_at": null,
    "active": false,
    "expires_at": "2023-06-07"
  }
]
The API endpoints /projects/:id/access_tokens and /groups/:id/access_tokens do not provide a ?revoked=true parameter.
For PATs this was already introduced in #362248 (closed), so a user can verify why their jobs, curl calls or other automation fail, because GitLab shows that the token has expired. This is not the case for group or project tokens.
Since token rotation is now something GitLab clients have to take care of, they need to know when a token that an automation used in the past has expired, so they can replace it with a new one. The main problem at the moment is that when a token expires, it simply disappears from the UI and the API, so there is no trace that it ever existed, and that is why automation may fail without any explanation.
It is crucial to be able to query GitLab (at least via the API) and verify that a token expired, so the same parameters that already exist for personal access tokens need to be implemented for project and group access tokens as well.
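As an added example (not part of this issue or of GitLab's own code), the following Python script parses an access-token listing of the shape shown above and reports which tokens are revoked, already expired, expiring soon or have no expiry at all, using the expires_at and revoked/active fields rather than the missing ?revoked=true filter. It assumes the project and group access token endpoints return the same fields as the personal access token endpoint; the response list is constructed inline so the script runs offline.

```python
import json
from datetime import date, timedelta

# Constructed sample response, shaped like the personal_access_tokens output above.
# Assumption: /projects/:id/access_tokens and /groups/:id/access_tokens return the same fields.
SAMPLE_RESPONSE = json.dumps([
    {"id": 165, "name": "rotate_test", "revoked": True, "active": False,
     "expires_at": "2023-06-07", "last_used_at": None, "scopes": ["api"]},
    {"id": 201, "name": "ci_deploy", "revoked": False, "active": True,
     "expires_at": "2023-06-20", "last_used_at": "2023-06-09T08:00:00.000Z",
     "scopes": ["read_repository"]},
    {"id": 202, "name": "long_lived", "revoked": False, "active": True,
     "expires_at": "2024-03-01", "last_used_at": None, "scopes": ["api"]},
    {"id": 203, "name": "no_expiry", "revoked": False, "active": True,
     "expires_at": None, "last_used_at": None, "scopes": ["api"]},
])


def classify_token(tok, today, warn_days):
    """Return 'revoked', 'expired', 'expiring', 'no_expiry' or 'ok' for one token record."""
    if tok.get("revoked") or not tok.get("active", True):
        return "revoked"  # already unusable, whatever expires_at says
    if tok.get("expires_at") is None:
        return "no_expiry"  # older token without an expiry date
    expires = date.fromisoformat(tok["expires_at"])
    if expires < today:
        return "expired"
    if expires <= today + timedelta(days=warn_days):
        return "expiring"  # still valid, but inside the warning window
    return "ok"


def tokens_needing_rotation(response_json, today_iso, warn_days=14):
    """Parse an access-token API response and list (id, name, status, expires_at)
    for every token that needs attention before it silently disappears."""
    today = date.fromisoformat(today_iso)
    report = []
    for tok in json.loads(response_json):
        status = classify_token(tok, today, warn_days)
        if status != "ok":
            report.append((tok["id"], tok["name"], status, tok["expires_at"]))
    return report


if __name__ == "__main__":
    for row in tokens_needing_rotation(SAMPLE_RESPONSE, "2023-06-10"):
        print(row)
```

Because an expired project or group token vanishes from the API, this check only helps if it runs on a schedule before the expiry date; the "expiring" status is what gives automation owners time to rotate.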