Add Expiring OAuth Access Tokens (!69514) · Merge requests · GitLab.org / GitLab

Drew Blessing requested to merge dblessing-expiring-oauth-tokens into master Sep 02, 2021

What does this MR do?

Currently our OAuth Applications generate access tokens that have no expiry. Per the issue we will begin generating tokens with a 2 hour expiry for new OAuth applications. Existing application can opt-in via a configuration option. Then in %15.0 we will remove the configuration option and enforce expiry across all applications.

Of note (and we should document this), if a token is generated once and either has an expiry or does not expire, refreshing that token will yield the same result. Refreshing the token does not re-evaluate what the refresh time should be. The token will have to be revoked and re-created to use the new configuration. We will have to decide how to handle this in %15.0 when we remove the configuration and enforce expiry. We can probably do a database migration to force-update all existing tokens to have an expiry of 7200 (2 hours). This should have the same effect as revocation, without the side-effect of actually revoking the token.

documentation will be updated in another MR.

Screenshots or Screencasts (strongly suggested)

Instance-level

Group/User-level

Database

Applications will not be queried by this column so we don't need any indices. We will remove this column in %15.0 via #340848 (closed)

Migrate

== 20210902184334 AddExpireAccessTokensToDoorkeeperApplication: migrating =====
-- add_column(:oauth_applications, :expire_access_tokens, :boolean, {:default=>false, :null=>false})
   -> 0.0093s
== 20210902184334 AddExpireAccessTokensToDoorkeeperApplication: migrated (0.0094s)

Rollback

== 20210902184334 AddExpireAccessTokensToDoorkeeperApplication: reverting =====
-- remove_column(:oauth_applications, :expire_access_tokens, :boolean, {:default=>false, :null=>false})
   -> 0.0084s
== 20210902184334 AddExpireAccessTokensToDoorkeeperApplication: reverted (0.0117s)

How to setup and validate locally (strongly suggested)

Does this MR meet the acceptance criteria?

Conformity

I have included changelog trailers, or none are needed. (Does this MR need a changelog?)
I have added/updated documentation, or it's not needed. (Is documentation required?)
I have properly separated EE content from FOSS, or this MR is FOSS only. (Where should EE code go?)
I have added information for database reviewers in the MR description, or it's not needed. (Does this MR have database related changes?)
I have self-reviewed this MR per code review guidelines.
This MR does not harm performance, or I have asked a reviewer to help assess the performance impact. (Merge request performance guidelines)
I have followed the style guides.
This change is backwards compatible across updates, or this does not apply.

Availability and Testing

I have added/updated tests following the Testing Guide, or it's not needed. (Consider all test levels. See the Test Planning Process.)
I have tested this MR in all supported browsers, or it's not needed.
I have informed the Infrastructure department of a default or new setting change per definition of done, or it's not needed.

Security

Does this MR contain changes to processing or storing of credentials or tokens, authorization and authentication methods or other items described in the security review guidelines? If not, then delete this Security section.

Label as security and @ mention @gitlab-com/gl-security/appsec
The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
Security reports checked/validated by a reviewer from the AppSec team

Edited Sep 14, 2021 by Drew Blessing

Add Expiring OAuth Access Tokens