►
Description
See related epic for context. https://gitlab.com/groups/gitlab-org/-/epics/6777
A
B
B
B
A
Okay,
so
that's
really
important.
I
wanted
to
get
some
feedback
on
that,
because
right
now,
currently
that
field's
optional
and
you
say
it
would
make
sense
to
have
an
enforcement
date.
Do
you
would
there
be
a
reason
or
need
to
have
an
indefinite
expiration,
or
is
that
kind
of
just
like
a
luxury
that
we
shouldn't
be
doing.
B
B
So
so,
if
say,
deploy
tokens
since
we
are
assuming
you
use
these
to
deploy
stuff,
if
it's
not
good,
if
they
expire
too
often
so,
it'll
be
an
inconvenience
so
for
tokens
like
these
it'll
be
nice
to
automatically
rotate
them
say
once
in
a
year
once
every
six
months
but
access
token.
I
think
it
should
be
as
short
as
possible,
like
like
one
hour.
Usually
is
the
industry
standard
scim
token?
I
am
not
sure
what
it's
used
for
so
yeah.
B
I
guess,
depending
on
the
context
you
can,
you
should
either
enforce
like
a
shorter
as
short
as
possible,
expiration
time.
If
it's
something
like
deploy
token
expiration
makes
sense,
but
rotation,
I
guess
rotating
it
periodically,
makes
sense
automatically.
So
I
guess
I'm
not
relying
on
the
advance
to
do
it
again.
That'll
be
at
least
if
we
can
enforce
the
rotation
automatically
that'll
be
ideal.
A
A
If
you
were
to
create
some
sort
of
rotation
so
say,
for
example,
you
select
deploy
token,
it
says,
deploy
token
will
be
rotated
automatically
in
six
months
or
a
year
or
whatever
would
there
be?
You
said:
we'd
have
to
have
a
notification
system
if
there
was
an
automatic
method
of
doing
it
that
automatically
generated
the
token.
A
I
would
wonder
if
there'd
be
a
security
problem
where
the
notification
came
into
place.
Saying
you've
now
created
this
new
token.
Please
view
it
here,
someplace
versus
having
just
a
notice
by
saying
hey,
it's
time
to
replace
a
token.
It's
been
six
months
or
whatever
and
then
have
the
admin
be
notified
and
go
manually,
create
the
process.
B
Yeah
I
mean
with
the
automatic
rotation.
I
think,
if
the,
if
the
deep,
I
think
the
good
thing
at
the
automatic
rotation
is
it's
transparent
and
seamless,
I
guess
it's
seamless,
not
transparent,
seamless
with
respect
to
an
admin,
but
if
the
admin
actually
needs
to
know
what
the
deploy
token
is,
I
don't
think
we
so
say,
I'm
creating
a
token.
Now
I
get
to
see
the
token
only
when
I
create
it
and
once
that
is
done,
I'm
not
able
to.
I
won't
be
able
to
see
the
deploy
token
right,
yeah
so
yeah.
B
So
if
I
guess
yeah
depends
on
the
requirement
like
if
the
admin
does
need
to
know
what
the
deploy
token
is,
then
I
guess
the
automatic
rotation
yeah
might
not
make
sense,
because
they
won't
know
what
the
new
token
is
right.
So
in
that
case,
I
guess
we
have
to
alert
the
admin
and
there
could
be
the
potential
of
like
down.
B
A
Yeah,
if
you
were
to
click
on
the
deploy
token
and
then
just
pick
any
of
the
scope
and
then
generate
token,
this
is
kind
of
what
I
had
in
mind
where
it
would
say
you
have
to
copy
it.
We
currently
have
this
process,
and
this
is
something
that
I
don't
know
if
it's
the
best
solution
or
not,
but
it's
since
it's
what
we
currently
use.
A
I
thought
okay,
we'll
just
use
that
for
now
and
see
if
there's
a
better
way
of
doing
that,
so
this
kind
of
brings
into
the
discussion
which
you're
just
speaking
of
how
you
would
repopulate
or
regenerate
that
code.
This
would
be
the
one
my
first
thought
on
how
to
do
it.
I'd
be
curious
to
see
if
there
was
I'd
wanted
to
learn
more,
if
there's
a
possibility
to
automatically
regenerate
it
by
having
it.
B
Automatically
I
mean
like
say
once:
I've
generated
the
deploy
token
and
once
I've
configured
it
in
my
groups
of
projects.
Is
there
really
a
need
for
me
to
know
what
the
deploy
token
is
at
that
point
like
if
it
my
projects
are
working
as
intended,
and
if
the
rotation
is
happening
seamlessly
you
know.
B
If
I
really
need
a
deploy
token,
I
can
always
create
a
new
one
right.
But
to
me,
I
think,
from
the
developer's
point
of
view
and
from
the
implementation
point
of
view,
if
you
can
go
the
automatic
rotation
route,
it'll
be
much
more
cleaner.
That
way,
instead
of
pinging
the
admin
and
asking
them
to
rotate.
A
B
Yeah,
I
guess,
if
you're
just
relying
on
one
token,
so
I
guess
all
the
permissions
get
populated
in
that.
Just
one
token
like
say
once
I
select
the
deploy
token
the
scopes
change
accordingly
right
right
once
I
select
the
sci
and
token,
let's
say
access
token,
the
scopes
are
different,
so
yeah,
I
guess
there
is
that
there
is
a
risk
of
you
know,
making
that
one
token
to
rule
them
all
kind
of.
B
A
A
B
A
And
one
thing
that
cynthia
had
mentioned
is
that
it
would
be
interesting
to
see
bots
from
where
they
what
objects
they
filter
down
to
and
where
they
inherited
from
so
in
this
iteration.
I
only
have
it
where
it
filters
down
to
or
where
it
came
from.
That
is,
it
exists
here,
but
the
ideas
she
presented
was
that,
as
an
admitted
want
to
see
both
vertically
and
laterally,
because
that
way,
if
there's
an
instance
where
I
don't
know
where
the
bot
exists,
I
don't
want
to
go
backtrack
and
dig
around.
A
B
Yeah
for
sure,
I
think
we
have
a
whole
issue
discussing
the
groups,
sharing
complexity
right
so
yeah.
So
I
think
we
don't
want
to
add
that
complexity.
On
top
of
this
feature
so
yeah
any
any
any
approach
we
make,
we
take
to
make
it
easier
for
an
admin
to
see,
I
guess
all
the
complex,
all
the
access
or
alien
inherited
permissions
and
all
that
that
a
bot
or
service
account
would
inherit
or
would
give
to
some
subsequent.
You
know,
projects
or
groups
in
like
in
this
location.
I
think
I'll
be
that'll,
be
great.
B
This
and
yeah,
I
think,
enforcing
at
list
privilege
wherever
we
can.
So
if
we
go
back
to
we
go
back
to
this
I
mean
we
could
have
this
in
the
documentation
somewhere
like.
If
someone
is
choosing
all
the
scopes,
maybe
we
should
have
on
android
saying
that
hey
you
know,
do
you
really
need
all
those
scopes
or
try
to
use
privilege
wherever
you
can
so.
A
B
Yeah,
I
think
this
is
more
visibility.
I
think
into
permissions
that
token
created
by
a
service
account-
and
I
guess,
ability
to
add
fine,
grained
access
through
scopes.
So
I
think
we
already
have
scopes
here.
So
there
is
a
way
to
give
more
fine
grain
access
and
also,
once
the
token
is
generated
you
can
show,
like
all
the
permissions
like
say
this
spot
user
or
the
service
account
like
all
the
tokens
that
they
created
and
the
access
that
they
have.
In
this
main
view,.
B
The
token
size
looks
a
little
smaller,
maybe
like
again,
I
don't
know
the
entropy
of
this
string,
but
yeah.
If
you
can
make
it
a
little
larger.
I
don't
know
what
the
industry
standard
is,
but
it's
definitely
looks
the
industry
standard
tokens
like
say
odd,
zero
whenever
they
issue
a
token
like
this,
I
don't
remember
the
length,
but
it
seems
larger
than
this
one.
So
maybe
you
want
to
be
in
line
with
the
industry
standard.
On
the
token
size.
B
B
A
B
Yeah
so
say
this
is
group,
one
and
say
security
bought
service
account
created
a
service,
a
token
associated
with
group,
one
and
group
one
would
usually
have
like
an
id
in
the
back
end.
Right
so
say,
group
one
has
an
id
one
in
the
back
end,
the
vulnerability
that
we
see
is
using
the
access
token
that's
tied
to
group
one
which
has
a
id
one
in
the
back
end.
B
What
I
can
do
is,
I
can
use
that
token
to
then
change
settings
in
group
2
which
might
have
an
id2,
but
this
service
account
may
not
have
direct
access
to
that
group.
But
what
we
are
checking
is
like
in
the
backend
code.
Usually
is:
is
the
access
token
valid?
If
it's
valid,
we
are
not
checking
if
the
access
token
is
valid
on
the
group
that
it
is
trying
to
access
so
more
like
dynamic.
B
You
know,
runtime
checks,
making
sure
that
yeah
check
to
see
if
the
access
token
is
valid
but
check
to
also
see
if
the
access
token
is
valid
on
the
group
that
the
token
is
trying
to
access.
So
it's
a
common
issue.
I
think
we
are
saying
so
something
to
keep
in
mind
so
that
this
cro
cross,
a
group
cross
project
access
is
not
present.
A
B
B
B
So
that
say,
this
token
might
have
say
you
know
this
access
token
might
have
api
access
to
group.
One
like
it
can
access.
It
can
read,
write,
delete
everything
in
group
one,
but
that
doesn't
mean
that
it
should
be
able
to
read
right,
delete
everything
on
group
2,
because
the
token
was
issued
on
group
1.
so
that
runtime
check
and
the
back
end
is
very
inconsistent.
B
A
B
Creating
you
know,
new
accounts
or
new
tokens
back
end
also
keep
needs
to
keep
that
in
mind,
saying
that
if
I'm
getting
a
token
from
somewhere,
I
have
to
check
the
validity,
of
course
check
the
expiration
and
also,
if
the
token
is
valid,
to
do
what
it
is
trying
to
do.
So.
That's
also
the
important
part.
A
B
B
And
insecure
storage
of
service
account
token,
so
I
guess
on
the
back
end,
because
we're
just
showing
this
token
once
and
we're
not
showing
this
token
at
all
in
the
front
end
right.
So
in
the
back
end,
we
have
to
make
sure
this
is
using
secure.
You
know
encryption,
algorithms
and
such
and
yeah
encrypting.
The
token
address
no
lack
of
visibility.
B
A
B
They
have
written
this
nice
threat
model
and
all
the
I
guess,
the
best
practices
that
you
have
to
follow
when
generating
service
accounts.
So
I
think
they
talk
about.
You
know
privilege
escalation,
not
following
this
police
privilege
and
spoofing
yeah.
I
think
stuff
we
discussed,
but
maybe,
if
you
can
go
into
specifics
on
something
that
maybe
like
while
you're
implementing,
if
you
can
use
this
as
a
reference
to
you
know
not
do
stuff
like
this,
I
think
I'll
be
yeah.
A
A
So
I
don't
know
if
that's
going
to
present
any
new
problem
apart
from
the
scope,
confusion,
but
I'm
wondering
if
there's
a
way
to
fix
that,
with
changing
the
priority
or
changing
the
generation
process,
so
you
define
like
the
the
scope
type
and
then
it
says
you've
created
this
kind
of
token.
Instead
of
picking
the
token
first.
B
B
Front-Facing
web
applications
that
want
to
like,
say
you
log
into
I
don't
know
you
want
to
try
to
log
into
ops
hops.gitlab.net
and
you
can
log
in
through
username
or
password,
or
you
can
log
into
your
gmail
account.
So
when
you
log
in
through
gmail
it
under
under
the
hood,
it
uses
auth
to
get
a
token
from
on,
on
behalf
of
gmail
and
login
to
log
you
in
that
way.
So
that's
one
client
context
and
one
other
client
context
would
be
like
single
page
applications
where
it's
a
single
page
application.
B
As
the
name
says
you
don't
have
like
you're,
not
logging
in
on
behalf
of
google,
or
something
like
that.
So
that's
a
totally
different
context.
So,
depending
on
the
context
like
the
first
question
they
would
ask
you
is:
is
the
client
here
like
a
single
page
application?
If,
yes,
then
they
would
only
enforce
this
specific
grant
type
called.
B
I
think
it's
pixie
for
single
page
applications,
so
the
whole
flow
of
how
they
generate
the
token
and
what
kind
of
token
it
is
depends
on
the
client
or
the
context
in
which
the
token
is
being
used,
and
if
it's
totally
a
back
end
oauth
client,
then
they
would
use
like
a
different
grant.
I
think
it's
called
client
credentials
grant
and
the
process
to
generate
and
refresh
tokens
is
totally
different
based
on
the
context.