💬 RFC: Allow to do auto-refresh of OAuth tokens if user gives explicit consent for that #24818

Open
2 tasks done
acierto opened this issue May 17, 2024 · 2 comments
Labels
area:scaffolder Everything and all things related to the scaffolder project area auth rfc Request For Comment(s)

Comments

@acierto
Contributor

acierto commented May 17, 2024

🔖 Need

In the case of a scaffolder template which takes a while to execute and requires using an OAuth access token during this process, for example by triggering the GitLab API, it might happen that the token expires.
Having a possibility to auto-refresh it meanwhile can make the flow more robust.

🎉 Proposal

Ask the user for consent that we would like to use the token to auto-refresh it during a task run.
Based on #24815 we can check in the background if the token is about to expire, refresh it and auto-update it (i.e. with the help of signals).

〽️ Alternatives

No response

❌ Risks

No response

👀 Have you spent some time to check if this RFC has been raised before?

  • I checked and didn't find similar issue

🏢 Have you read the Code of Conduct?

@acierto acierto added rfc Request For Comment(s) auth area:scaffolder Everything and all things related to the scaffolder project area labels May 17, 2024
@benjdlambert
Member

Hey 👋 We've been having a think about this recently with @Rugvip as it's come up before. It's something that we might look at in the future, but for now thinking that we're probably gonna wanna avoid this as much as we can. Refresh keys are a pretty big security concern, and right now wondering if it's wise for us to start digging down this path.

I'm wondering if #16996 might get us in a nice place where we know what secrets a template needs, and how to collect them, and if they expire we can issue notifications or something for end users to go back to refresh the secrets on the task page or something.

Just an idea, but I think that it could be a good middle ground for now. It's also something that I've been wanting to do for a while, and standardizing the secrets into a schema like the parameters is probably a good thing anyways.

@acierto
Contributor Author

acierto commented May 31, 2024

Hey @benjdlambert, maybe we can show the user an indication in the template's review step of how long the token is still valid, with a possibility to refresh it at that stage, to minimise the cases when the token expires during the template run.
