Revoke user tokens warning


Jonathan Bergh

Sep 21, 2018, 12:18:39 PM9/21/18
to Jenkins Users
Hi all,

Thanks in advance for any assistance.

We have recently received the Jenkins security warning about users using a legacy token. This is a production installation, so before I hit the "revoke" button for all users, I just wanted to check what this actually does?

All our users log in via the front page using user credentials (username / password). I don't think anyone is using a token for anything?

Is it safe to just revoke all legacy tokens?

Thanks in advance,
regards
jb

Matthew...@diamond.ac.uk

Sep 21, 2018, 12:56:55 PM9/21/18
to jenkins...@googlegroups.com

You might want to wait for someone else to confirm this, but for us at least:

You're correct that the front page login is unrelated to the tokens.

We revoked all legacy tokens without problems. We had a couple of infrastructure accounts using tokens, which we knew about (and set up new-style tokens for them first).

Matthew

Jeff Thompson

Sep 24, 2018, 12:42:02 PM9/24/18
to jenkins...@googlegroups.com
Yes, the API tokens are typically used by processes to connect to Jenkins APIs and perform scheduled or responsive operations. These are usually separate from regular users who log in using the login page. The prior behavior involved automatic creation of API tokens for users, whether there was any need for them or not. Better practice is to only create them as needed.

If you haven’t set up any processes or agents to connect via API tokens, then you should be safe to just revoke all legacy ones. If you have some API tokens in use, then you should re-configure them for the new-style tokens as Matthew mentions. If you revoke all tokens and then discover some processes or agents can no longer connect and authenticate, then you’ll need to perform that re-configuration after the fact.

Jeff Thompson
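A pre-revocation check along the lines Jeff and Matthew describe, written as an added example for this page (it is not code from the thread or from the Jenkins project): for every automation account that should keep API access, confirm that its new-style token actually authenticates before the legacy tokens are revoked. Jenkins accepts an API token as the password in HTTP Basic auth and exposes /whoAmI/api/json, which reports the identity a request authenticated as; a rejected token gets HTTP 401, and a request carrying no credentials is answered as the anonymous user. The account names, tokens, the JENKINS_ACCOUNTS environment variable format and the fake_jenkins stand-in server are constructed for the example.

```python
"""Pre-revocation check for Jenkins API tokens (added example).

For each automation account, send a request authenticated with its
new-style token to /whoAmI/api/json and require that Jenkins reports the
request as authenticated as that same user. Anything else (401, anonymous
identity, a different principal) is a failure to fix *before* revoking the
legacy tokens, rather than after a scheduled job stops working.
"""
import base64
import json
import os
import sys
import urllib.error
import urllib.request


def basic_auth_header(user: str, token: str) -> str:
    """Jenkins accepts an API token as the password in HTTP Basic auth."""
    raw = f"{user}:{token}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def fetch_json(url: str, headers: dict) -> tuple:
    """Real transport: GET url with headers, return (status, parsed JSON)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, json.loads(resp.read().decode())


def check_token(base_url: str, user: str, token: str, fetch=fetch_json) -> tuple:
    """Return (ok, detail). ok is True only if Jenkins authenticated the
    request as `user`; rejection, an anonymous identity or a different
    principal are all reported as failures."""
    url = base_url.rstrip("/") + "/whoAmI/api/json"
    headers = {"Authorization": basic_auth_header(user, token)}
    try:
        status, body = fetch(url, headers)
    except urllib.error.HTTPError as e:  # Jenkins answers 401 for a bad token
        return False, f"HTTP {e.code}"
    except urllib.error.URLError as e:
        return False, f"connection error: {e.reason}"
    if status != 200:
        return False, f"HTTP {status}"
    if not body.get("authenticated") or body.get("anonymous"):
        return False, "anonymous: token not accepted"
    if body.get("name") != user:
        return False, f"authenticated as {body.get('name')!r}, expected {user!r}"
    return True, "ok"


def check_all(base_url: str, accounts: dict, fetch=fetch_json) -> dict:
    """accounts maps user -> new-style token. Returns user -> (ok, detail)."""
    return {u: check_token(base_url, u, t, fetch) for u, t in accounts.items()}


def fake_jenkins(valid: dict):
    """Constructed stand-in for a Jenkins server, for offline use only.
    `valid` maps user -> the token that server would accept."""
    def fetch(url, headers):
        auth = headers.get("Authorization", "")
        if auth.startswith("Basic "):
            user, _, token = base64.b64decode(auth[6:]).decode().partition(":")
            if valid.get(user) == token:
                return 200, {"_class": "hudson.security.WhoAmI",
                             "anonymous": False, "authenticated": True,
                             "name": user, "authorities": ["authenticated"]}
            raise urllib.error.HTTPError(url, 401, "Unauthorized", {}, None)
        # no credentials at all: Jenkins answers as the anonymous user
        return 200, {"anonymous": True, "authenticated": False, "name": "anonymous"}
    return fetch


if __name__ == "__main__":
    base = os.environ.get("JENKINS_URL")
    if base:
        # Real run. JENKINS_ACCOUNTS="user1:token1,user2:token2" is an
        # assumed format for this example; tokens come from the environment
        # rather than argv so they do not show up in the process list.
        pairs = os.environ.get("JENKINS_ACCOUNTS", "")
        accounts = dict(p.split(":", 1) for p in pairs.split(",") if ":" in p)
        results = check_all(base, accounts)
    else:
        # Offline demonstration with constructed accounts: one has a working
        # new-style token, the other is still on a token the server rejects.
        server = fake_jenkins({"ci-deploy": "new-token-A", "monitor": "new-token-B"})
        accounts = {"ci-deploy": "new-token-A", "monitor": "stale-legacy-token"}
        results = check_all("https://jenkins.example.invalid", accounts, fetch=server)
    for user, (ok, detail) in results.items():
        print(f"{'PASS' if ok else 'FAIL'} {user}: {detail}")
    sys.exit(0 if all(ok for ok, _ in results.values()) else 1)
```

Run it with JENKINS_URL and JENKINS_ACCOUNTS set to exercise a real instance over HTTPS; with no environment it runs the offline demonstration against the constructed stand-in. A non-zero exit means at least one account would lose access when the legacy tokens are revoked, which is exactly the situation Jeff describes having to fix after the fact.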


Jonathan Bergh

Sep 24, 2018, 1:15:38 PM9/24/18
to Jenkins Users
Hi Jeff / Matthew,

Thanks very much for your answers here; I appreciate that.

I have revoked the tokens and can still access the install, so that is great.

Thanks very much for taking the time out to answer,
cheers
jon