Feature Request - Admin API Endpoint: Token Info
Proposal
Create an admin API endpoint that returns information about an arbitrary token you provide.
We have many different tokens for different purposes. It would be fantastic to be able to pass a given token into an info endpoint and receive information about it.
Simply observing the token prefix tells you what type of token it could be, but this endpoint would go into detail about what the token is, where it applies, when it was created and who created it. That would quickly track down not only the owner of a token but also its impact if it were leaked.
PoC
Where `$adminToken` is an admin-level Personal Access Token and `$anyTokenHere` is any GitLab-created token listed in the above doc link, i.e.:
- Job token
- Project/Group/Personal access token
- Runner authentication token
- Pipeline trigger token
- etc.
Request example:

```shell
curl -s -H "PRIVATE-TOKEN: $adminToken" "https://gitlab.com/api/v4/admin/tokens/self?token=$anyTokenHere" | jq
```

Note that a token passed in the query string ends up in proxy and web-server access logs; accepting it in a POST body instead keeps the secret out of those logs.
Response example (there are likely more fields to add here; fields that do not apply to a given token type would be null):

```jsonc
{
  "id": 123456,
  "name": "anyTokenHere",
  "type": "personal_access_token", // The type of token (job, deploy, pipeline trigger, PAT, GAT etc.)
  "created_by": "gitLabUserName",  // The username of the token's creator (was it made by a user?)
  "project_id": 123456,            // The project ID associated with this token (project-level token? deploy token?)
  "group_id": 123456,              // The group ID associated with this token (group-level token?)
  "job_id": 123456,                // The job ID (if this is a job token)
  "runner_id": 123456,             // The runner ID (if this is a runner authentication token)
  "revoked": false,
  "created_at": "2023-10-09T22:15:41.919Z",
  "scopes": [
    "api",
    "read_api"
  ],
  "user_id": 6543210,
  "last_used_at": "2024-02-27T23:28:27.908Z",
  "active": true,
  "expires_at": "2024-10-08"
}
```
Active similar examples
You can get information about a personal access token by hitting `/api/v4/user` or `/api/v4/personal_access_token/self`.
However, the token must have the `api` or `read_api` scope; otherwise a 403 is returned. This feature request would allow such tokens to still be passed to the admin endpoint to reveal information about them.
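The check described above, turned into an offline-testable triage script. This is an added example, not code from the issue or from GitLab. It guesses the token family from the documented prefix, then for `glpat-`-style tokens calls `/api/v4/personal_access_token/self` and reads the status: 200 means the token is introspectable, 401 that it was rejected, 403 that it authenticated but lacks `api`/`read_api`, which is exactly the case the proposed admin endpoint would cover. The prefix map, the `probe_token`/`triage` helpers and the canned responses in `CONSTRUCTED_RESPONSES` are assumptions; for real use, swap `fake_fetch` for `http_fetch`.

```python
"""Triage a leaked-looking token: guess its type from the prefix, then, for
PAT-style tokens, query the existing self endpoint and interpret the status.
Added example; the prefix map and the canned responses are assumptions."""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Tuple

# Assumption: GitLab's documented token prefixes. Verify against your own
# instance's docs; older runner tokens, for example, may carry no prefix.
TOKEN_PREFIXES: Dict[str, str] = {
    "glpat-": "personal/project/group access token",
    "glptt-": "pipeline trigger token",
    "gldt-": "deploy token",
    "glrt-": "runner authentication token",
    "glft-": "feed token",
    "glimt-": "incoming mail token",
    "glagent-": "agent for Kubernetes token",
    "gloas-": "OAuth application secret",
}

Fetcher = Callable[[str, str], Tuple[int, bytes]]

INFO_FIELDS = ("id", "name", "user_id", "scopes", "revoked", "active",
               "expires_at", "last_used_at")


def classify_by_prefix(token: str) -> str:
    """Return the token family implied by the prefix, or 'unknown'."""
    for prefix, kind in TOKEN_PREFIXES.items():
        if token.startswith(prefix):
            return kind
    return "unknown"


def http_fetch(url: str, token: str) -> Tuple[int, bytes]:
    """Real transport: GET url with a PRIVATE-TOKEN header, returning
    (status, body). HTTP errors are returned rather than raised so that
    401 and 403 can be interpreted by the caller."""
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def probe_token(token: str, base_url: str = "https://gitlab.com",
                fetch: Fetcher = http_fetch) -> Dict[str, object]:
    """Classify the token and, if it is PAT-shaped, ask the self endpoint."""
    result: Dict[str, object] = {"guessed_type": classify_by_prefix(token),
                                 "state": "not_introspectable", "info": None}
    if not token.startswith("glpat-"):
        # Job, trigger, deploy, runner ... tokens have no self endpoint;
        # this is the gap the proposed admin endpoint is meant to close.
        return result
    status, body = fetch(f"{base_url}/api/v4/personal_access_token/self", token)
    if status == 200:
        info = json.loads(body)
        result["info"] = {k: info.get(k) for k in INFO_FIELDS}
        result["state"] = "active" if info.get("active") else "inactive"
    elif status == 401:
        result["state"] = "rejected"  # revoked, expired or never valid
    elif status == 403:
        # Authenticated, so the token is live, but it lacks api/read_api:
        # without the admin endpoint we learn nothing more about it.
        result["state"] = "live_but_no_api_scope"
    else:
        result["state"] = f"unexpected_http_{status}"
    return result


# Constructed responses standing in for gitlab.com, keyed by token value.
CONSTRUCTED_RESPONSES: Dict[str, Tuple[int, bytes]] = {
    "glpat-ok": (200, json.dumps({
        "id": 123456, "name": "ci-bot", "user_id": 6543210,
        "scopes": ["read_api"], "revoked": False, "active": True,
        "expires_at": "2024-10-08", "last_used_at": None}).encode()),
    "glpat-revoked": (401, b'{"message":"401 Unauthorized"}'),
    "glpat-readrepo": (403, b'{"message":"403 Forbidden"}'),
}


def fake_fetch(url: str, token: str) -> Tuple[int, bytes]:
    """Offline transport: tokens not in the table are treated as invalid."""
    return CONSTRUCTED_RESPONSES.get(token, (401, b'{"message":"401 Unauthorized"}'))


def triage(tokens: Iterable[str], fetch: Fetcher = fake_fetch) -> Dict[str, str]:
    """Map each token to a one-line verdict, which is what an on-call wants first."""
    verdicts = {}
    for tok in tokens:
        probe = probe_token(tok, fetch=fetch)
        verdicts[tok] = f"{probe['guessed_type']}: {probe['state']}"
    return verdicts


if __name__ == "__main__":
    sample = ["glpat-ok", "glpat-revoked", "glpat-readrepo", "glptt-xyz", "gldt-abc"]
    for tok, verdict in triage(sample).items():
        print(f"{tok:16} {verdict}")
```

During an incident, treat a 403 as a confirmed live credential: the endpoint refused to describe it, but it did authenticate, so it must still be revoked even though its owner and scopes cannot be read this way.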
Implementation Status
Token Type | Issue | MR |
---|---|---|
Personal access token | #443597 (closed) | !165157 (merged) |
OAuth Application Secret | #443597 (closed) | !172985 (merged) |
Impersonation token | #506501 (closed) | !173975 (merged) |
Project access token | #443597 (closed) | !165157 (merged) |
Group access token | #443597 (closed) | !165157 (merged) |
Deploy token | #443597 (closed) | !165157 (merged) |
Runner authentication token | #506513 (closed) | !173987 (merged) |
CI/CD Job token | #508619 | !175234 |
Trigger token | #506554 (closed) | !174030 (merged) |
Feed token | #443597 (closed) | !170690 (merged) |
Incoming mail token | | |
GitLab agent for Kubernetes token | #443597 (closed) | !172932 (merged) |
GitLab session cookies | | |
SCIM Tokens | | |
Feature Flags Client token | | |