Reputation: 14286
Does anyone know what the expiration period of an OAuth Access Token on GitLab is?
It's at least 12 hours (from experience), but I would like to know for sure so I don't refresh the token unnecessarily.
PS: GitLab ... it would be very convenient if the expiration is simply returned when getting/refreshing token (PS: the documentation states that "expires_in": is returned ... BUT IT ISN'T)
Upvotes: 4
Views: 5294
Reputation: 1326994
2016: It should be 8 hours by default:
lib/gitlab/o_auth/session.rb
mentions:
Rails.cache.write("gitlab:#{provider}:#{ticket}",
ticket, expires_in: Gitlab.config.omniauth.cas3.session_duration)
In gitlab.yml, you have:
# SSO maximum session duration in seconds. Defaults to CAS default of 8 hours.
# cas3:
# session_duration: 28800
2022: the Expiring access tokens documentation mentions:
Note: with GitLab 17.1 (June 2024), you now have:
Project Owners receive expiring access token notifications
Both project Owners and Maintainers with direct membership now receive email notifications when their project access tokens are close to expiring. Previously, only project Maintainers received this notification. This helps keep more people informed about upcoming token expiration.
Thank you Jacob Henner for your contribution!
See Documentation and Issue.
And with GitLab 17.4 (September 2024), you can set the validity yourself for all users:
Optional token expiration
Administrators can now decide if they want to enforce a mandatory expiration date for personal, project, and group access tokens.
If administrators disable this setting, any new access token generated will not be required to have an expiration date. By default this setting is enabled, and an expiration less than that of the maximum allowed lifetime is required. This setting is available in GitLab 16.11 and later.
See Documentation and Issue.
GitLab 17.7 (December 2024) adds:
Extended token expiration notifications
Previously, token expiration email notifications were only sent seven days before expiry. Now, these notifications are also sent 30 and 60 days before expiry. The increased frequency and date range of notifications makes users more aware of tokens that may be expiring soon.
See Documentation and Issue.
And:
New description field for access tokens
When creating a personal, project, group, or impersonation access token, you can now optionally enter a description of that token. This helps provide extra context about the token, such as where and how it is used.
See Documentation and Issue.
Upvotes: 0
Reputation: 137682
On GitLab, OAuth "access tokens expire in two hours".
Access tokens expire in two hours which means that integrations that use them must support generating new access tokens at least every two hours.
In older versions, OAuth applications could opt-out of access token expiry.
The ability to opt-out of expiring access tokens was deprecated in GitLab 14.3 and removed in 15.0. All existing integrations must be updated to support access token refresh.
Upvotes: 1
Reputation: 156
from https://forum.gitlab.com/t/missing-expires-in-in-the-token-response/1232/2:
Gitlab uses Doorkeeper for oauth.
The Doorkeeper wiki has an article "Customizing Token Expiration" https://github.com/doorkeeper-gem/doorkeeper/wiki/Customizing-Token-Expiration2
This wiki tells us a configuration "access_token_expires_in". I searched in gitlab source code and found it is set to nil.
This means the 'access_token' will never expire.
Also, this is from https://gitlab.com/gitlab-org/gitlab-foss/-/blob/50d66f5ece57dcfbe074d97703691a8d3c38f4ac/config/initializers/doorkeeper.rb#L42:
# Access token expiration time (default 2 hours).
# If you want to disable expiration, set this to nil.
access_token_expires_in nil
Upvotes: 5
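Added example, not part of any answer above and not GitLab's own code: a client-side check that schedules a refresh from `expires_in` when the token response carries it (the two-hour case) and falls back to refreshing on a 401 when the field is absent (the case the question and the `access_token_expires_in nil` configuration describe). The `created_at` field, the 60-second margin, the action names and the sample responses are assumptions constructed for illustration.

```ruby
require "json"

# Assumption: refresh this many seconds early to absorb clock skew and latency.
REFRESH_MARGIN = 60

# Absolute expiry (Unix seconds) of a token response, or nil when the server
# sent no "expires_in" and the lifetime is therefore unknown to the client.
def token_expiry(response, received_at)
  expires_in = response["expires_in"]
  return nil if expires_in.nil?
  # Prefer the server's issue time; fall back to when the client got the token.
  issued_at = response["created_at"] || received_at
  Integer(issued_at) + Integer(expires_in)
end

# What the client should do before its next API call:
#   :use                  token is still inside its lifetime
#   :refresh              token is expired or within REFRESH_MARGIN of expiry
#   :use_and_retry_on_401 lifetime unknown: no proactive refresh, but a 401
#                         from the API must trigger a refresh and one retry
def next_action(response, received_at, now)
  expiry = token_expiry(response, received_at)
  return :use_and_retry_on_401 if expiry.nil?
  now >= expiry - REFRESH_MARGIN ? :refresh : :use
end

# Constructed sample responses (placeholder token values, not real tokens).
WITH_EXPIRY = JSON.parse(<<~JSON)
  {"access_token": "constructed-token", "token_type": "bearer",
   "expires_in": 7200, "refresh_token": "constructed-refresh",
   "created_at": 1700000000}
JSON

WITHOUT_EXPIRY = JSON.parse(<<~JSON)
  {"access_token": "constructed-token", "token_type": "bearer",
   "refresh_token": "constructed-refresh"}
JSON

if __FILE__ == $PROGRAM_NAME
  received = 1_700_000_005
  [received, received + 3600, received + 7200].each do |now|
    puts "t+#{now - received}s with expires_in:    #{next_action(WITH_EXPIRY, received, now)}"
    puts "t+#{now - received}s without expires_in: #{next_action(WITHOUT_EXPIRY, received, now)}"
  end
end
```

Keep access and refresh tokens out of any log output when wiring this into a real client.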