Open bryanoltman opened 3 weeks ago
We should move to issuing our own (secret, revocable) session tokens for CI, separate from the OAuth system. Ideally those tokens would also have minimal permissions, separate from what a human account holder would have.
Description
This would involve us implementing a layer of token management on our side instead of treating CI tokens as raw credentials.
Requirements
login:ci
invalid without the user needing to reset the password for the account used to generate the token
Additional Context
A customer asked for this on Discord https://discord.com/channels/1030243211995791380/1230886476439359488
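
One way the token layer requested above could work, as an added example that is not the project's own code: tokens are random secrets stored only as hashes, carry their own scopes, and can be revoked one at a time without touching the account password. The class names, the `ci_` prefix, the scope strings and the in-memory dict standing in for a database are all assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class CiToken:
    account: str          # account that minted the token
    scopes: frozenset     # the only actions this token may perform
    revoked: bool = False


@dataclass
class CiTokenStore:
    # Keyed by SHA-256 of the token, so the store never holds a usable secret.
    _by_hash: dict = field(default_factory=dict)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, account: str, scopes) -> str:
        """Mint a token; the plaintext is returned once and not stored."""
        token = "ci_" + secrets.token_urlsafe(32)  # hypothetical prefix
        self._by_hash[self._digest(token)] = CiToken(account, frozenset(scopes))
        return token

    def revoke(self, token: str) -> bool:
        """Invalidate one token; the password and other tokens are untouched."""
        record = self._by_hash.get(self._digest(token))
        if record is None or record.revoked:
            return False
        record.revoked = True
        return True

    def authorize(self, token: str, scope: str):
        """Return the owning account if the token is live and holds `scope`."""
        record = self._by_hash.get(self._digest(token))
        if record is None or record.revoked or scope not in record.scopes:
            return None
        return record.account
```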