Follow-up from "Add PAT automatic reuse detection in AuthFinders"
Automatic reuse detection added in !125270 (merged) can cause several issues, as mentioned in the discussion.
Scenario 1:
A scheduled pipeline is set up to rotate access tokens that are saved in CI variables for usage in CI scripts.
This schedule runs and rotates the tokens and saves the new values into the CI variables. But there is another job running which started when there was still the old token in the variables. This job tries to use the API with the old token and that revokes the new token. Without this feature, the job would be able to be retried and then it would use the new token and everything is fine. But with this feature, it effectively kills the CI and requires manual work to create a new token since the schedule also can't rotate them anymore.
Scenario 2:
An API client which makes concurrent requests to the GitLab API may have requests which are started milliseconds after the revocation is done. In this case, both old and new tokens will get revoked.
Scenario 3:
A stale API client, e.g. a web application opened in another browser, may send requests with the expired token. This will also invalidate the new token in the active client.
The original issue links to token rotation of OAuth refresh tokens, but the scenario is totally different for PATs, as re-issuing a token is much harder than simply directing to the OAuth provider when the token is invalid in the case of a 403 response.
Original description
The following discussion from !125270 (merged) should be addressed:
- @Taucher2003 started a discussion: (+5 comments) This finder looks like it is used for general authentication and not just the rotation endpoint.
So, from a user perspective, I would say that this is really bad behaviour to revoke the whole token family if one of the old ones is used.
The old token is revoked anyways, it can't be used for anything. So why should it revoke other tokens? The linked issue contains no reasoning for implementing a feature like this.
Here is an example of why this is bad:
A scheduled pipeline is set up to rotate access tokens that are saved in CI variables for usage in CI scripts.
This schedule runs and rotates the tokens and saves the new values into the CI variables. But there is another job running which started when there was still the old token in the variables. This job tries to use the API with the old token and that revokes the new token. Without this feature, the job would be able to be retried and then it would use the new token and everything is fine. But with this feature, it effectively kills the CI and requires manual work to create a new token since the schedule also can't rotate them anymore.
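
Scenario 1 as a small runnable model, added here as an illustration; it is not part of the original issue and not GitLab's AuthFinders code. `TokenStore`, `scenario_one` and the `family` field are hypothetical names, and the model assumes that presenting any revoked token revokes every token sharing its family.

```ruby
require 'securerandom'
# Simplified model for this example, not GitLab's code; all names are hypothetical.
class TokenStore
  Token = Struct.new(:value, :family, :revoked)

  def initialize(reuse_detection:)
    @reuse_detection = reuse_detection
    @tokens = {}
  end

  # A fresh token starts its own family; a rotated one inherits the family.
  def issue(family = SecureRandom.hex(4))
    token = Token.new(SecureRandom.hex(8), family, false)
    @tokens[token.value] = token
    token.value
  end

  # Rotation revokes the presented token and issues its successor.
  def rotate(value)
    old = @tokens.fetch(value)
    raise ArgumentError, 'cannot rotate a revoked token' if old.revoked
    old.revoked = true
    issue(old.family)
  end

  # With reuse detection on, presenting a revoked token revokes its whole family.
  def authenticate(value)
    token = @tokens[value]
    return :unauthorized if token.nil?
    return :ok unless token.revoked
    revoke_family(token.family) if @reuse_detection
    :unauthorized
  end

  private
  def revoke_family(family)
    @tokens.each_value { |t| t.revoked = true if t.family == family }
  end
end

# Scenario 1: a job that started before the rotation still holds the old value.
def scenario_one(reuse_detection:)
  store = TokenStore.new(reuse_detection: reuse_detection)
  old_token = store.issue
  new_token = store.rotate(old_token)       # scheduled pipeline rotates
  stale_job = store.authenticate(old_token) # in-flight job uses the old value
  { stale_job: stale_job, retried_job: store.authenticate(new_token) }
end
```

In both modes the stale job is rejected; only with reuse detection enabled does the retried job, holding the freshly rotated token, fail as well.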