
Optional enforcement of Personal Access Token expiration

Aishwarya Subramanian requested to merge automatic_expiry_access_token into master

What does this MR do?

Mentions #214723 (closed)

This MR adds a feature for instance admins to prevent the automatic enforcement of Personal Access Token expiration.

The Setting is present in the Account and limit section under General Settings.

The feature is available only with an Ultimate license.

Behavior

Application Setting: enforce_personal_access_token_expiration
Feature flag: enforce_personal_access_token_expiration
  • When the Setting is disabled, the personal access token of a user does not expire on the expiry date. In a future MR, we will be showing an in-app message to the user prompting them to reset their token.
  • When the Setting is enabled, the behavior is the same as the existing behavior, i.e. the token expires immediately on the expiry date.
  • The Setting is enabled by default.
  • The Feature flag is disabled by default.

In conjunction with Allowable lifetime for Personal Access Token

  • If a max. allowable lifetime for Personal Access Tokens is defined and the Enforce Personal Access Token expiry Setting is disabled, we do not revoke the access tokens for users immediately, as we currently do.

Screenshots

Screen_Shot_2020-06-09_at_6.58.20_PM

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Aishwarya Subramanian
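The following is an added illustration of the decision logic described in this MR; it is not code from the MR or from GitLab, and the Settings/Token struct names, field names and sample tokens are assumptions. It shows how the three gates named in the description (Ultimate license, feature flag, application setting) combine into a single "is expiration enforced?" answer, how that answer changes whether an expired token is accepted, and how it switches the max-lifetime revocation sweep off.

```ruby
require 'date'

# Added illustration (not code from this MR or from GitLab): how the three
# gates named in the description combine to decide whether an expired
# Personal Access Token is still accepted, and whether the max-lifetime
# sweep revokes tokens. Struct and field names are assumptions.
Settings = Struct.new(:ultimate_license, :feature_flag_enabled,
                      :enforce_pat_expiration, :max_pat_lifetime_days,
                      keyword_init: true)

# Defaults stated in the MR: setting on, feature flag off, no max lifetime.
DEFAULTS = Settings.new(ultimate_license: true, feature_flag_enabled: false,
                        enforce_pat_expiration: true, max_pat_lifetime_days: nil)

# Expiration stops being enforced only when every gate agrees: the license
# includes the feature, the feature flag is on, and the admin turned the
# setting off. Any closed gate falls back to enforcing, so a flag that is
# off or a downgraded license cannot silently keep expired tokens alive.
def expiration_enforced?(settings)
  return true unless settings.ultimate_license
  return true unless settings.feature_flag_enabled
  settings.enforce_pat_expiration
end

Token = Struct.new(:name, :created_at, :expires_at, :revoked, keyword_init: true)

# A token is usable unless it was revoked or (with enforcement on) its
# expiry date has arrived; "expires immediately on the expiry date" means
# the token is dead on expires_at itself, not the day after.
def token_active?(token, settings, today)
  return false if token.revoked
  return true if token.expires_at.nil?
  return true unless expiration_enforced?(settings)
  today < token.expires_at
end

# A token exceeds the instance-wide max lifetime if it never expires or its
# expiry lies beyond created_at + max days.
def exceeds_max_lifetime?(token, settings)
  max = settings.max_pat_lifetime_days
  return false if max.nil?
  return true if token.expires_at.nil?
  token.expires_at > token.created_at + max
end

# The revocation sweep that runs when a max lifetime is set. With
# enforcement disabled it revokes nothing, matching the MR's description.
def tokens_to_revoke(tokens, settings)
  return [] unless expiration_enforced?(settings)
  tokens.reject(&:revoked).select { |t| exceeds_max_lifetime?(t, settings) }
end

# Constructed sample tokens, evaluated as of 2020-06-10.
TODAY = Date.new(2020, 6, 10)
SAMPLE_TOKENS = {
  expired: Token.new(name: 'ci-deploy',  created_at: Date.new(2020, 1, 1), expires_at: Date.new(2020, 6, 1),   revoked: false),
  today:   Token.new(name: 'api-script', created_at: Date.new(2020, 1, 1), expires_at: TODAY,                 revoked: false),
  valid:   Token.new(name: 'laptop',     created_at: Date.new(2020, 1, 1), expires_at: Date.new(2020, 12, 31), revoked: false),
  long:    Token.new(name: 'long-lived', created_at: Date.new(2020, 1, 1), expires_at: Date.new(2021, 6, 1),   revoked: false),
  forever: Token.new(name: 'no-expiry',  created_at: Date.new(2020, 1, 1), expires_at: nil,                   revoked: false)
}.freeze

if __FILE__ == $PROGRAM_NAME
  relaxed = Settings.new(ultimate_license: true, feature_flag_enabled: true,
                         enforce_pat_expiration: false, max_pat_lifetime_days: 365)
  SAMPLE_TOKENS.each do |label, token|
    puts format('%-8s default=%-5s relaxed=%-5s', label,
                token_active?(token, DEFAULTS, TODAY), token_active?(token, relaxed, TODAY))
  end
  puts "would revoke (relaxed): #{tokens_to_revoke(SAMPLE_TOKENS.values, relaxed).map(&:name)}"
end
```

The ordering of the guards in expiration_enforced? is the point to check in review: with the feature flag disabled by default, the admin setting has no effect and tokens keep expiring as before, and a non-Ultimate instance behaves the same regardless of what the setting says. Only the combination license + flag + setting off relaxes expiry, and that same combination is what turns the max-lifetime sweep into a no-op.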
