Add Expiring OAuth Access Tokens

Drew Blessing requested to merge dblessing-expiring-oauth-tokens into master

What does this MR do?

Fixes #21745 (closed)

Currently our OAuth Applications generate access tokens that have no expiry. Per the issue we will begin generating tokens with a 2 hour expiry for new OAuth applications. Existing application can opt-in via a configuration option. Then in %15.0 we will remove the configuration option and enforce expiry across all applications.

Of note (and we should document this), if a token is generated once and either has an expiry or does not expire, refreshing that token will yield the same result. Refreshing the token does not re-evaluate what the refresh time should be. The token will have to be revoked and re-created to use the new configuration. We will have to decide how to handle this in %15.0 when we remove the configuration and enforce expiry. We can probably do a database migration to force-update all existing tokens to have an expiry of 7200 (2 hours). This should have the same effect as revocation, without the side-effect of actually revoking the token.

documentation will be updated in another MR.

Screenshots or Screencasts (strongly suggested)






Applications will not be queried by this column so we don't need any indices. We will remove this column in %15.0 via #340848 (closed)


== 20210902184334 AddExpireAccessTokensToDoorkeeperApplication: migrating =====
-- add_column(:oauth_applications, :expire_access_tokens, :boolean, {:default=>false, :null=>false})
   -> 0.0093s
== 20210902184334 AddExpireAccessTokensToDoorkeeperApplication: migrated (0.0094s)


== 20210902184334 AddExpireAccessTokensToDoorkeeperApplication: reverting =====
-- remove_column(:oauth_applications, :expire_access_tokens, :boolean, {:default=>false, :null=>false})
   -> 0.0084s
== 20210902184334 AddExpireAccessTokensToDoorkeeperApplication: reverted (0.0117s)

How to setup and validate locally (strongly suggested)

Does this MR meet the acceptance criteria?


Availability and Testing


Does this MR contain changes to processing or storing of credentials or tokens, authorization and authentication methods or other items described in the security review guidelines? If not, then delete this Security section.

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Drew Blessing

Merge request reports