In GitLab, when I read https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html, it seems that the number of characters for a personal access token is 20.
The token string must be 20 characters in length, or it will not be recognized as a personal access token.
In GitHub, the PAT is a 40-character token.
In my ecosystem, I have both applications and I use a proxy in order to analyze what passes through the server. I use the length of the password being transferred in order to assess whether a user is using his password or his token in order to access Git. It would be simpler for me if GitLab could use a token with the same length as GitHub, i.e. 40 characters instead of 20.
Is it possible to tune GitLab so that the personal access token is longer than 20?
My guess is probably not but someone might have found a trick.
The length seems fixed, according to the GitLab documentation
That differs from GitHub which:
is 40
is changing from [a-f0-9] to [A-Za-z0-9_]
will support tokens up to 255 characters after June 1, 2021.
(See "GitHub Authentication token format updates")
Maybe GitLab will at some point follow suit, but for now (S1 2021), that is not the case
Note: GitLab 14.5 (November 2021)
New GitLab access token prefix and detection
With GitLab 14.5 we have updated the GitLab Personal Access Tokens and Project Access Tokens to include a standard prefix, glpat- by default for both GitLab.com and GitLab self-managed instances.
We’ve also updated our Secret Detection scanning to detect this new pattern which will help protect you against accidentally leaked GitLab access tokens in commits.
This improvement helps make it easy to detect GitLab tokens leaked in commits and builds on community contribution improvements added in GitLab 13.7 that allowed Admins to set Personal Access Token prefixes at the instance level, shoutout to #max-wittig and #dlouzan at Siemens for this contribution!
Existing access tokens will not be modified but any new tokens will follow this new pattern or the custom pattern set by your self-hosted GitLab instance.
If you would like to detect GitLab Personal Access Tokens and Project Access Tokens you can use the following regex detection pattern: glpat-[0-9a-zA-Z\-]{20}.
See Documentation and Issue.
As a result (Jan. 2023): "Secret Detection update: Leaked Personal Access Tokens will soon be revoked"
GitLab will soon begin automatically revoking Personal Access Tokens (PATs) when GitLab Secret Detection finds them in public repositories, an update that will better protect GitLab users and organizations.
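As an added example (not code from the answer above, nor GitLab's or GitHub's own detection code), the script below does two things the thread touches on: it classifies the credential seen by a proxy by token shape rather than by length, and it runs the glpat- detection regex quoted from the release note over a constructed log. The token shapes are the ones stated on this page (GitLab 20 characters, now with a glpat- prefix; GitHub 40 hex characters, moving to [A-Za-z0-9_] and up to 255 characters). Two details are assumptions not stated on the page: the character set of pre-14.5 GitLab tokens, and the ghp_/gho_/ghu_/ghs_/ghr_ type prefixes of newer GitHub tokens. All sample credentials are constructed.

```python
import base64
import re

# Added example, not GitLab's or GitHub's own detection code.
# Token shapes used here:
#  - GitLab 14.5+ personal/project access tokens: the "glpat-" regex quoted in the
#    release note above.
#  - GitLab pre-14.5 tokens: 20 characters with no prefix (character set is an
#    assumption; the page only states the length).
#  - GitHub classic tokens: 40 hex characters (the page's "[a-f0-9]", length 40).
#  - GitHub newer tokens: a type prefix such as ghp_/gho_/ghu_/ghs_/ghr_ (prefix list
#    is an assumption from GitHub's format announcement, not from this page), then
#    characters from the page's "[A-Za-z0-9_]" set, total length up to 255.
PATTERNS = [
    ("gitlab_pat_prefixed", re.compile(r"^glpat-[0-9a-zA-Z\-]{20}$")),
    ("github_pat_prefixed", re.compile(r"^gh[pousr]_[A-Za-z0-9_]{36,251}$")),
    ("github_pat_classic", re.compile(r"^[0-9a-f]{40}$")),
    ("gitlab_pat_legacy", re.compile(r"^[A-Za-z0-9_\-]{20}$")),
]


def classify_secret(secret: str) -> str:
    """Name the token family a credential belongs to, or 'password' if none matches."""
    for name, pattern in PATTERNS:
        if pattern.match(secret):
            return name
    return "password"


def classify_basic_auth(header_value: str) -> tuple:
    """Classify the password half of an 'Authorization: Basic <b64>' header value.

    Git over HTTPS sends a PAT as the Basic-auth password, so a proxy sees
    base64(username:secret). Returns (username, classification).
    """
    scheme, _, encoded = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        raise ValueError("not a Basic authorization header")
    user, _, secret = base64.b64decode(encoded).decode("utf-8").partition(":")
    return user, classify_secret(secret)


# Secret detection over free text (a diff, a CI log): the release note's regex, unanchored.
GLPAT_IN_TEXT = re.compile(r"glpat-[0-9a-zA-Z\-]{20}")


def find_gitlab_tokens(blob: str) -> list:
    """Return every glpat- token found in blob."""
    return GLPAT_IN_TEXT.findall(blob)


def redact_gitlab_tokens(blob: str) -> str:
    """Replace the secret part of each glpat- token so the log can be shared."""
    return GLPAT_IN_TEXT.sub(lambda m: m.group(0)[:6] + "*" * 20, blob)


# Constructed sample inputs (not real credentials).
SAMPLE_HEADER = "Basic " + base64.b64encode(b"alice:glpat-ab12CD34ef56GH78ij90").decode()
SAMPLE_LOG = (
    "Cloning into 'repo'...\n"
    "remote: https://oauth2:glpat-ab12CD34ef56GH78ij90@gitlab.example.com/g/repo.git\n"
    "+ export DEPLOY_KEY=glpat-zz99YY88xx77WW66vv55\n"
)

if __name__ == "__main__":
    print(classify_basic_auth(SAMPLE_HEADER))
    print(find_gitlab_tokens(SAMPLE_LOG))
    print(redact_gitlab_tokens(SAMPLE_LOG))
```

The legacy GitLab pattern shows why the length heuristic from the question is brittle: any 20-character alphanumeric password is indistinguishable from a pre-14.5 token, whereas the glpat- prefix (or a custom instance prefix) can be matched without ambiguity.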
Related
I'm looking into DocuSign's eSignature API. Trying out their OAuth using a demo account (https://developers.docusign.com/platform/auth/authcode/authcode-get-token/).
In some OAuth systems, the access token of a given user gets invalidated after requesting another accessToken for the same user. But it seems the previous token continues to be valid as long as it hasn't expired.
Is this a behaviour just for the Demo/Sandbox account, or is it possible to rely on this behaviour for live accounts as well? (Where several access tokens can be used for the same DocuSign user?)
Can each of these accessTokens be refreshed with their respective refreshTokens without limitations/problems?
In this regard, Demo and Production behave the same - you can generate multiple valid tokens for the same user.
That said, this is not a good practice - while the Account Server does not currently have throttles related to token generation, it may in the future. A token should be re-used throughout its lifespan - continuously generating unnecessary tokens is not an appropriate workflow.
Can I run a script from .gitlab-ci.yml that edits wiki pages via the GitLab REST API?
I am not sure, because I use an old version of GitLab, which doesn't have Access Tokens.
Can I use something else instead of PRIVATE-TOKEN?
You can use a Predefined Variable called CI_JOB_TOKEN which will contain an access token you can use to authenticate against the API. If you need a token with Admin access, you'll have to use an Admin User's personal access token, which you can store as a secret variable in Project's Settings -> CI/CD Settings -> Variables.
I have a GitHub bot with a personal access token that some GitHub Actions use to make commits during some action runs. I'd like to make a script that can automatically swap out this personal access token, and delete the old one via a cron job. Is this possible with the GitHub API? If it's not possible, is there another mechanism I should be using instead perhaps?
No, not for personal access tokens, whose API is deprecated and was removed in Nov. 2020.
You could try instead an installation access token for an app, which does have an API for creation.
By default the installation token has access to all repositories that the installation can access.
To restrict the access to specific repositories, you can provide the repository_ids when creating the token. When you omit repository_ids, the response does not contain the repositories key.
But that token, valid only for one hour from the time you create it, might not have access to the same kind of actions a PAT would have.
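Two answers on this page make the same operational point: the DocuSign answer says a token should be re-used throughout its lifespan rather than re-issued per request, and the GitHub App answer notes that installation access tokens expire one hour after creation. The block below is an added example (not DocuSign's, GitHub's, or either answerer's code) of the client-side pattern that satisfies both: cache the token, hand out the same value until it is within a safety margin of expiry, and only then call the issuer again. The issuer is injected so the example runs offline; the fake one stands in for GitHub's installation access token endpoint and carries the repository_ids restriction the answer mentions. Token values, the clock, and the repository id are constructed.

```python
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Added example. In a real client the injected issuer would POST to the token
# endpoint (for a GitHub App: the installation access token endpoint, with an
# optional "repository_ids" body); here it is a constructed stand-in.


@dataclass
class IssuedToken:
    value: str
    expires_at: float                      # unix time, seconds
    repository_ids: Optional[list] = None  # scope the token was issued for (GitHub Apps)


class TokenCache:
    """Return the cached token until it is within `skew` seconds of expiry, then re-issue."""

    def __init__(self, issue: Callable[[], IssuedToken], skew: float = 60.0,
                 clock: Callable[[], float] = time.time):
        self._issue = issue
        self._skew = skew
        self._clock = clock
        self._current: Optional[IssuedToken] = None
        self.issued_count = 0              # how many issuer round-trips were made

    def get(self) -> str:
        now = self._clock()
        if self._current is None or self._current.expires_at - self._skew <= now:
            self._current = self._issue()
            self.issued_count += 1
        return self._current.value


class FakeClock:
    """Constructed stand-in for time.time() so time can be advanced deterministically."""

    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def fake_installation_token_issuer(clock: Callable[[], float],
                                   repository_ids: Optional[list] = None,
                                   ttl: float = 3600.0) -> Callable[[], IssuedToken]:
    """Stand-in for the installation access token endpoint: a fresh token per call,
    valid for `ttl` seconds (one hour, as the answer above states), restricted to
    repository_ids when given. Token values are constructed, not real GitHub tokens."""
    counter = {"n": 0}

    def issue() -> IssuedToken:
        counter["n"] += 1
        return IssuedToken(value=f"ghs_constructed{counter['n']:04d}",
                           expires_at=clock() + ttl,
                           repository_ids=list(repository_ids) if repository_ids else None)
    return issue


def simulate_workload(requests: int, seconds_between: float, skew: float = 60.0) -> tuple:
    """Run `requests` API calls spaced `seconds_between` apart through a TokenCache.
    Returns (tokens actually issued, tokens a naive issue-per-request client would issue)."""
    clock = FakeClock()
    issuer = fake_installation_token_issuer(clock, repository_ids=[1296269])  # constructed id
    cache = TokenCache(issuer, skew=skew, clock=clock)
    for _ in range(requests):
        cache.get()
        clock.advance(seconds_between)
    return cache.issued_count, requests


if __name__ == "__main__":
    print(simulate_workload(100, 60.0))   # 100 requests over ~100 minutes
```

With a 60-second safety margin, 100 requests spread over 100 minutes cost two issuer calls instead of 100, and the second token is fetched before the first one actually expires, so no request is ever sent with a dead token. The margin should cover clock skew between client and token server plus the request latency.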
I am trying to connect to the GitLab API from code to download artifacts.
To do so, I'm required to generate a private access token and send it with the request.
I don't want to set a permanent token because it is not secure, so I tried to find some API to delete and generate a new token when the old one has expired, but I couldn't find anything.
I also tried to use deploy tokens, but they have no permission for the GitLab API.
Any suggestions?
I don't want to set a permanent token because it is not secure
Since GitLab version 13.3, Project access tokens are available, which let you issue a token for a specific project and limit its scope. So it's definitely better than using your own private token.
Project level access tokens allow access to a project without the need to provision a new GitLab user. Project access tokens can be generated by project Maintainers or Owners and be used to authenticate with the GitLab API. Project access tokens will be authorized as Maintainers. This new functionality will make programmatic access to GitLab easier and more secure.
Previous answer:
Probably it would be less insecure to create an extra user with permissions only for the desired repository (from which we want to download artifacts) and issue a personal token for this user. So even if the token is compromised, the offender will only be capable of downloading artifacts.
It is not possible yet, but they have an issue open to add it.
You can follow the discussion here https://gitlab.com/gitlab-org/gitlab/-/issues/17176
I've created a bundle with integration & script in one account (A). Then I installed it in another account (B). Now I created a token in the installed account (B) using the bundle integration's consumer key & account (B) credentials.
By using that token I am able to access account (B) contents.
My questions are,
Whenever I uninstall that bundle from account B, does it also expire the token that I created using the bundle integration?
How many tokens can be created for an account? Is there any limitation?
Thanks in advance
I will try to reply to your questions:
I do not think the token will expire when you uninstall your bundle, however I do not think the token will be useful anymore since the integration application will probably not exist anymore, so the consumer key and consumer secret used by the token will no longer work.
I am not aware of any limitation on the number of token records created in an account.
This might be useful for you:
Tokens created in your production account are not copied to your sandbox during a refresh. To test token-based authentication in your sandbox, you must create tokens in the sandbox account. Each time your sandbox is refreshed, you will need to create new tokens in the sandbox
Source: SuiteAnswers