Gitlab : increase number of characters in personal access token
In Gitlab, when I read https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html, it seems that the number of characters for a personal access token is 20.
The token string must be 20 characters in length, or it will not be recognized as a personal access token.
In Github, the pat is a 40 characters token.
In my ecosystem, I have both applications and I use a proxy in order to analyze what passes through the server. I use the length of the password being transferred in order to assess whether a user is using his password or his token in order to access Git. It would be simpler for me if Gitlab could use a token with the same length as github, i.e. 40 characters instead of 20.
Is it possible to tune Gitlab so that the personal access token is longer than 20 ? My guess is probably not but someone might have found a trick.
The length seems fixed, according to the GitLab documentation
That differs from GitHub which:
- is 40
- is changing from
[a-f0-9]to[A-Za-z0-9_] - will support tokens up to 255 characters after June 1, 2021.
(See "GitHub Authentication token format updates")
Maybe GitLab will at some point follow suit, but for now (S1 2021), that is not the case
Note: GitLab 14.5 (November 2021)
New GitLab access token prefix and detection
With GitLab 14.5 we have updated the GitLab Personal Access Tokens and Project Access Tokens to include a standard prefix,
glpat-by default for both GitLab.com and GitLab self-managed instances.
We’ve also updated our Secret Detection scanning to detect this new pattern which will help protect you against accidentally leaked GitLab access tokens in commits.This improvement helps make it easy to detect GitLab tokens leaked in commits and builds on community contribution improvements added in Gitlab 13.7 that allowed Admins to set Personal Access Token prefixes at the instance level, shoutout to @max-wittig and @dlouzan at Siemens for this contribution!
Existing access tokens will not be modified but any new tokens will follow this new pattern or the custom pattern set by your self-hosted GitLab instance.
If you would like to detect GitLab Personal Access Tokens and Project Access Tokens you can use the following regex detection pattern:
glpat-[0-9a-zA-Z\-]{20}.
See Documentation and Issue.
As a result (Jan. 2023): "Secret Detection update: Leaked Personal Access Tokens will soon be revoked "
GitLab will soon begin automatically revoking Personal Access Tokens (PATs) when GitLab Secret Detection finds them in public repositories, an update that will better protect GitLab users and organizations.
Q4 2024: as noted by Nicholas Hollander in the comments:
At some point GitLab updated their project access tokens to permit an underscore.
I was not able to find any specific documentation for this change (in a brief search) but the regular expression used by the secrets detection service is nowglpat-[0-9a-zA-Z_\-]{20}(/spec/lib/gitlab/secret_detection/core/scanner_spec.rb).
- GitLab OAuth access token validity
- Accents not displaying in GitLab
- Possible to add kaniko to alpine image or add jq to kaniko image
- Gitlab: team member project access levels
- How to search for code in all projects simultaneously?
- Using $CI_JOB_TOKEN Gives 404 Error On Triggering Pipelines
- Is there a way to revert a merge if neither target nor source branch exist anymore?
- Git magic keywords in commit messages (Signed-off-by, Co-authored-by, Fixes, ...)
- What is 'gitlab/gitlab-runner-helper' docker image used for?
- is it possible to use Gitlabci parallel matrix to build docker image with certain time delay for each image?
- Intellij Gitlab Push rejected
- GitLab API - get the overall # of lines of code
- How to change video size in Gitlab?
- How to create a module for gitlab_user_runner and use the token every time a new runner is created in root
- How to access multiple repositories in CI build?
- Using multiple runners in one gitlab-ci pipeline action
- Keep getting "requested access to the resource is denied" when pulling from gitlab
- error: RPC failed; curl transfer closed with outstanding read data remaining
- Remove buttons from Gitlab interface
- gitlab implementing a a hook when merge is requested
- Pull request vs Merge request
- How to change a merge commit message after merging and deleting the branch in gitlab
- git fetch succeeds but git fetch --all gives a public key error
- Gitlab CI has empty variable defined in same CI file
- common folder with template files for gitlab python projects
- Gitlab CI/CD variables are not being passed down to Firebase when deploying
- Cannot understand how to download secure files in GitLab
- how do i create a merge request from a fork in gitlab
- Gitlab CI/CD with docker:stable as base image, install JDK but /bin/sh: eval: line 155: java: not found upon java --version
- MYSY2 Git will not let me type when I try to enter my GitHub username