Revoke OAUTH application refresh token as admin

mfriedenhagen · March 30, 2025, 5:25pm

Hi,

I am one of the admins of a self-managed (premium) GitLab instance.
On the instance level we created an oauth application, so people may use glab or git-credential-oauth as credential helper.
glab does store both an access and refresh token and so may be used “forever”.
To enhance security we would like everyone to login to GitLab once per week (Monday morning) via MFA/SAML using our internal IdP.

Is there a way to delete/revoke all refresh-tokens as an admin in a programmaticall way? Ideally this could be done via REST/GraphQL but accessing the DB would be OKish as well.

git2 · April 2, 2025, 8:21pm

git2

25m

Hi there,

you can achieve this via the Gitlab API in both premium & CE, its how I migrated all of my repo’s from GitHub to my own Gitlab instance!

I assume you got this figured out but if not let me know and I can provide steps

Cheers

Topic		Replies	Views
How to revoke Gitlab authorize token? How to Use GitLab api , openid	3	3011	March 29, 2023
Deleting personal access tokens via the API Self-managed	9	7214	May 26, 2023
Deleting application links for users programmatically Self-managed api , oauth	0	18	September 30, 2024
What is the validity of gitlab refresh token while using gitlab as oauth2 application General token , oauth	0	397	May 23, 2022
Personal access token with access to specific repos only How to Use GitLab token	0	366	August 24, 2023

Revoke OAUTH application refresh token as admin

Related topics