
Fine-grained and classic PAT expiry policies for organizations and enterprises

Open · github-product-roadmap opened this issue 3 years ago · 0 comments

Summary

Fine-grained personal access tokens currently require all tokens to expire, but administrators who want specific expiration times must manually check each token to validate that they hew to an acceptable expiration time.

Rather than force developers to do a back-and-forth with their organization administrator to discover acceptable expiry times, we want to give administrators defined controls over the acceptable expiration times for fine-grained PATs in their organization.

This work provides organization administrators with a policy for the maximum acceptable expiry time in their organization. When a developer attempts to create a token with an expiry time longer than what's accepted, they'll immediately be told that a shorter expiration is required.

Intended Outcome

We don't want to force a back-and-forth discussion between administrators and developers around discovery of acceptable expiration times on tokens. Instead, administrators can set this value up front, and the developer will learn about it immediately as part of token creation.

This will allow more administrators to trust in the least privilege access of their developers, and remove their manual approval from the inner-loop of development.

How will it work?

Organization admins will be able to configure a policy in their organization around maximum acceptable token lifetimes. This policy will apply only to fine-grained PATs, and be enabled by default with an expiration maximum of 1 year.

During PAT creation, developers will see a note as soon as they select the organization as the resource owner, indicating the maximum acceptable expiry time.

github-product-roadmap · Nov 16 '22 18:11