Spike - Token rotation

Topic to Evaluate

As we enforce required expiration on tokens, unify them, and eventually tie token creation to service accounts, we need to let users rotate/refresh tokens programmatically and automatically. Today an expiring token still requires manual intervention and tracking by its owner, who must create a new token and replace the expiring one at some point in the future. A much better user experience is to rotate the token automatically as expires_in approaches. The same API could also be used by credential storage such as Vault to rotate tokens automatically.

This is also very helpful in case of a security breach, where users can quickly revoke and rotate existing tokens. A somewhat similar API was added for runner tokens in Automated Runner Key and Registration Rotation (#30942 - closed). The goal of this spike is to identify whether we can provide such an API for PAT, PrAT and GrAT tokens and which constraints will need to be enforced, e.g.:

  • How would we identify and validate the API call?
  • Does the user need to provide an additional API key, OAuth JWT, etc.?
  • Do we have adequate authorization info available to generate a new token?
  • How will previous expiring tokens be correlated/renewed?
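To make the rotation questions above concrete, here is an added example (not code from this issue or from GitLab) of the client-side flow a rotating consumer such as Vault would run: rotate once the remaining lifetime drops below a threshold, issue a successor with the same scopes, record which token it replaced, and revoke the old token only after the new secret has been stored. The token service here is an in-memory stand-in, and the field names (expires_at, scopes, rotated_from) are assumptions, since the issue does not define the API.

```python
"""Token rotation flow with an in-memory stand-in for the token service.

Added example; the service, field names and threshold policy are assumptions,
not GitLab's implementation.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Sequence, Tuple


@dataclass
class TokenRecord:
    token_id: int
    secret: str
    scopes: Tuple[str, ...]
    expires_at: datetime
    revoked: bool = False
    rotated_from: Optional[int] = None  # correlates a successor with the token it replaced


class FakeTokenService:
    """Constructed stand-in for a token API (create / revoke / validity check)."""

    def __init__(self) -> None:
        self._tokens: Dict[int, TokenRecord] = {}
        self._next_id = 1

    def create(self, scopes: Sequence[str], lifetime: timedelta, now: datetime,
               rotated_from: Optional[int] = None) -> TokenRecord:
        rec = TokenRecord(self._next_id, secrets.token_urlsafe(20), tuple(scopes),
                          now + lifetime, rotated_from=rotated_from)
        self._tokens[rec.token_id] = rec
        self._next_id += 1
        return rec

    def revoke(self, token_id: int) -> None:
        self._tokens[token_id].revoked = True

    def is_valid(self, token_id: int, now: datetime) -> bool:
        rec = self._tokens[token_id]
        return not rec.revoked and rec.expires_at > now


def should_rotate(rec: TokenRecord, now: datetime, threshold: timedelta) -> bool:
    """Rotate once the remaining lifetime is at or below the threshold."""
    return not rec.revoked and rec.expires_at - now <= threshold


def rotate(service: FakeTokenService, store: Callable[[str], None], current: TokenRecord,
           now: datetime, lifetime: timedelta) -> TokenRecord:
    """Issue a successor with the same scopes, persist it, then revoke the old token.

    The old token is revoked only after the new secret is stored, so a storage
    failure never leaves the caller without a valid credential.
    """
    new = service.create(current.scopes, lifetime, now, rotated_from=current.token_id)
    try:
        store(new.secret)  # e.g. write to Vault; any callable in this example
    except Exception:
        service.revoke(new.token_id)  # never leave an unstored secret live
        raise
    service.revoke(current.token_id)
    return new


def demo() -> dict:
    """Run the flow on constructed data and return a summary of each state."""
    svc = FakeTokenService()
    issued = datetime(2022, 5, 1, tzinfo=timezone.utc)
    lifetime, threshold = timedelta(days=30), timedelta(days=7)
    near_expiry = issued + timedelta(days=25)

    tok = svc.create(["api"], lifetime, issued)
    rotate_early = should_rotate(tok, issued, threshold)       # 30 days left
    rotate_late = should_rotate(tok, near_expiry, threshold)   # 5 days left
    vault: List[str] = []
    new = rotate(svc, vault.append, tok, near_expiry, lifetime)

    # Storage outage: the successor is discarded and the old token stays valid.
    tok2 = svc.create(["read_api"], lifetime, issued)

    def failing_store(_secret: str) -> None:
        raise RuntimeError("vault unavailable")

    try:
        rotate(svc, failing_store, tok2, near_expiry, lifetime)
        outage_raised = False
    except RuntimeError:
        outage_raised = True

    return {
        "rotate_early": rotate_early,
        "rotate_late": rotate_late,
        "new_scopes": new.scopes,
        "new_rotated_from": new.rotated_from,
        "old_id": tok.token_id,
        "new_valid": svc.is_valid(new.token_id, near_expiry),
        "old_valid": svc.is_valid(tok.token_id, near_expiry),
        "stored": vault == [new.secret],
        "outage_raised": outage_raised,
        "old_still_valid_after_outage": svc.is_valid(tok2.token_id, near_expiry),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ordering in rotate is the point for the "correlated/renewed" question: the successor carries rotated_from so an audit trail links old and new, and revocation of the predecessor is the last step, so a failed write to the credential store cannot lock the owner out.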

Tasks prior to evaluation

  • Clearly document the topic to be evaluated in this issue description
  • Determine specific scope including time-bounds for investigation

This spike is weighted at 3 and the goal is to complete the spike within 15.10

Tasks to Evaluate

  • Determine feasibility of the feature
  • Document the approach and technical design on engineering handbook
  • Any POC tasks that need to occur before the customer facing MVC is begun
  • Create issues for implementation or update existing implementation issue description with implementation proposal
  • Set initial weights on implementation issues
  • If weight is greater than 5, break issue into smaller issues

Risks and Implementation Considerations

As this spike is evaluated, the feasibility and outcome should be reviewed with UX/PM. Consider not only the implementation design, but also how it will be rolled out, licensing considerations, and backward compatibility.

Team

Edited by Adil Farrukh