Gitlab oauth/personal access token confusion #10967

Closed
ederuiter opened this issue Jul 27, 2022 · 4 comments
@ederuiter

Since #10104 the interactive prompt for GitLab authorization points to the personal access token profile page of GitLab. This is confusing, as it implies that it generated a personal access token, which it does not. It always generates an OAuth token, and the right URL should be: -/profile/applications

It would be nice if Composer would indeed generate personal access tokens, since with recent changes in GitLab the OAuth tokens are only valid for a maximum of 2 hours: https://northflank.com/blog/supporting-expiring-oauth-access-tokens-for-gitlab
Unfortunately the api to create personal access tokens is only available for admins: https://docs.gitlab.com/ee/api/personal_access_tokens.html#create-a-personal-access-token-administrator-only

My proposal would be to:

  • change the URL to -/profile/applications
  • add additional text to indicate the limited lifetime of the oauth token
  • add additional text with instructions how to create a personal access token and store it in your composer/auth.json
@tlueder (Contributor) commented Aug 9, 2022

Once #10988 is approved, OAuth token expiration is not an issue anymore.

@ederuiter (Author)

Nice! I was trying to find some time to implement this myself. Regarding the URL: I think it still has to change; #10988 still refers to the personal access token page, which is incorrect for OAuth tokens.
Maybe the wording can be changed to something like this:

To revoke access to this token you can visit '.$scheme.'://'.$originUrl.'/-/profile/applications
Alternatively you can set up a personal access token on '.$scheme.'://'.$originUrl.'/-/profile/personal_access_token and store it under 'gitlab-token', see https://getcomposer.org/doc/articles/authentication-for-private-packages.md#gitlab-token for more details.

Note: this should be done for both authorizeOAuthInteractively and authorizeOAuthRefresh
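
The two credential kinds discussed in the original proposal (store a personal access token under gitlab-token) and in the suggested wording above (OAuth tokens are managed under /-/profile/applications, personal access tokens on their own profile page) can be made concrete with a small resolver. The following is an added example, not Composer's own code: it reads a Composer-style auth.json, prefers a gitlab-token entry over a gitlab-oauth entry for the same host because the latter expires after the 2 hours the issue describes, and builds the matching API header. Assumptions: only the plain-string form of gitlab-token is handled; the header mapping (PRIVATE-TOKEN for personal access tokens, Authorization: Bearer for OAuth tokens) is GitLab's documented API convention and not a claim about Composer's internal request code; the issued_at timestamp used to enforce the lifetime is supplied by the caller, since auth.json does not carry one in this layout; the sample auth.json and tokens are constructed for the example. The personal access token page path used here is GitLab's plural form, /-/profile/personal_access_tokens.

```python
# Added example (not Composer's own code): resolve a GitLab credential from a
# Composer auth.json and build the matching API header.
# Assumptions: only the documented auth.json keys "gitlab-token" (personal
# access token, plain-string form) and "gitlab-oauth" (OAuth access token) are
# consulted; header mapping follows GitLab's API convention (PRIVATE-TOKEN for
# PATs, Authorization: Bearer for OAuth tokens); the 2-hour OAuth lifetime is
# the one described in the issue, and issued_at/now are ISO-8601 timestamps
# supplied by the caller (auth.json does not store an issue time).
import json
from datetime import datetime, timedelta, timezone

OAUTH_LIFETIME = timedelta(hours=2)

# Constructed sample auth.json: a PAT for gitlab.com, and only an OAuth token
# for a self-hosted instance. Token values are placeholders.
SAMPLE_AUTH_JSON = """
{
    "gitlab-token": {
        "gitlab.com": "glpat-example-personal-access-token"
    },
    "gitlab-oauth": {
        "gitlab.example.com": "example-oauth-access-token"
    }
}
"""


class ExpiredOAuthToken(Exception):
    """Raised when a stored OAuth token is past its 2-hour lifetime."""


def load_auth(text):
    """Parse auth.json text into a dict."""
    return json.loads(text)


def oauth_token_expired(issued_at, now=None):
    """True if an OAuth token issued at `issued_at` (ISO-8601, tz-aware) has
    reached OAUTH_LIFETIME at `now` (ISO-8601, defaults to current UTC time)."""
    issued = datetime.fromisoformat(issued_at)
    current = datetime.fromisoformat(now) if now else datetime.now(timezone.utc)
    return current - issued >= OAUTH_LIFETIME


def pick_gitlab_credential(auth, host, issued_at=None, now=None):
    """Return (kind, headers) for host, or None if nothing is configured.

    A personal access token wins over an OAuth token because it does not
    expire after two hours. If an OAuth token is the only option and the
    caller knows when it was issued, refuse it once expired instead of
    sending a request that will come back 401.
    """
    pat = auth.get("gitlab-token", {}).get(host)
    if isinstance(pat, str) and pat:
        return "gitlab-token", {"PRIVATE-TOKEN": pat}

    oauth = auth.get("gitlab-oauth", {}).get(host)
    if not isinstance(oauth, str) or not oauth:
        return None

    if issued_at is not None and oauth_token_expired(issued_at, now):
        raise ExpiredOAuthToken(
            f"OAuth token for {host} issued at {issued_at} "
            f"has exceeded its {OAUTH_LIFETIME} lifetime"
        )
    return "gitlab-oauth", {"Authorization": "Bearer " + oauth}


def token_management_url(scheme, origin, kind):
    """Profile page where a credential of this kind is revoked or created.

    OAuth tokens are listed under Applications; personal access tokens have
    their own page (plural path segment).
    """
    pages = {
        "gitlab-oauth": "/-/profile/applications",
        "gitlab-token": "/-/profile/personal_access_tokens",
    }
    return f"{scheme}://{origin}{pages[kind]}"


if __name__ == "__main__":
    auth = load_auth(SAMPLE_AUTH_JSON)
    for host in ("gitlab.com", "gitlab.example.com"):
        kind, headers = pick_gitlab_credential(auth, host)
        print(host, kind, headers, token_management_url("https", host, kind))
```

Running the block prints the chosen credential kind, the header it would send, and the profile page to visit for each host in the constructed auth.json. Keep a real auth.json in COMPOSER_HOME rather than in the project tree, so the token is never committed alongside composer.json.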

@tlueder (Contributor) commented Aug 12, 2022

OK, I've updated the note to your suggestion.

@Seldaek Seldaek added this to the 2.4 milestone Aug 16, 2022
@Seldaek (Member) commented Aug 16, 2022

Hopefully fixed by #10988 - it'd be great to get confirmation that things work well now with the latest snapshot (composer self-update --snapshot)

@Seldaek Seldaek closed this as completed Aug 16, 2022