Admin Token API: Revoke token
-
Please check this box if this contribution uses AI-generated content (including content generated by GitLab Duo features) as outlined in the GitLab DCO & CLA. As a benefit of being a GitLab Community Contributor, you can request access to GitLab Duo.
What does this MR do and why?
This commit adds an admin API for token revocation.
Adds a REST API that allows the following:
DELETE /api/v4/admin/token
| Attribute | Type | Required | Description |
|---|---|---|---|
token |
string | Yes | Token that should be revoked. |
Issue: #499958 (closed)
MR acceptance checklist
MR Checklist ( @nwittstruck)
-
Changelog entry added, if necessary -
Documentation created/updated via this MR -
Documentation reviewed by technical writer or follow-up review issue created -
Tests added for this feature/bug -
Tested in all supported browsers -
Conforms to the code review guidelines -
Conforms to the merge request performance guidelines -
Conforms to the style guides -
Conforms to the javascript style guides -
Conforms to the database guides
How to set up and validate locally
- Enable both feature flags via
rails c:
Feature.enable(:admin_agnostic_token_finder)
Feature.enable(:api_admin_token_revoke)-
You'll need to create two new personal access tokens: https://gdk.test:3443/-/user_settings/personal_access_tokens
- A
personal access tokenwithadmincapabilities. - A
personal access tokenwith limited capabilities that you want to revoke. You can also revoke the admin token if you'd like, however for testing I prefer to use separate tokens.
- A
-
Now you can revoke a token:
curl -k --request DELETE \
--url 'https://gdk.test:3443/api/v4/admin/token \
--header 'Authorization: Bearer <Admin Token from Step 1.>' \
--header 'Content-Type: application/json' \
--data '{"token": "glpat-<example-token-from-step-2>"}'
Related to #499958 (closed)
Edited by Nicholas Wittstruck