To enhance enterprise, organization, and user security, a new policy will be implemented. Effective immediately, User API tokens that have been inactive for 60 days will be automatically removed.
SonarQube Cloud’s token capabilities will be further enhanced in the coming months. Please don’t hesitate to share any feedback on this important topic directly via our roadmap.
Can you elaborate a bit on this? Are you saying SONAR_TOKEN will expire if the Bitbucket pipeline isn’t run more often than every 60 days? Or that users need to re-login to the site for their access to still work… without the UI informing them? Cause since this change we have users not seeing projects anymore, with no clue as to why.
The change will affect the tokens you have under “My Account → Security”, and so likely your SONAR_TOKEN as well. In your case, if the token is not used elsewhere, it means that if the pipeline is not run for 60 days the token associated with it will be removed. Your user does not have to log into the UI.
Cause since this change we have users not seeing projects anymore, with no clue as to why.
If this is happening in the UI then it is unrelated to this change. Please open a new thread so that we can investigate the problem.
Can/will we receive notifications when an inactive token is revoked?
Also, is there any chance of improving the error message? It implies that the token is missing, when it has actually been revoked for inactivity - which would be so very helpful to know.
Well... it’s clear the people coming up with the idea hadn’t thought it through from a usage viewpoint. So the key silently expires and we get complaints that pipelines start failing some month later. It would be natural that at least admins would be notified by email. Or at least there would need to be an easy UI list of projects with key expired… I mean gone completely! This product is nice but with lots of quirks… this one and the oddness that we can’t give a (Bitbucket) user rights before they have once logged in.
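Since the thread reports no notification before removal, here is one way a team could flag tokens approaching the 60-day inactivity limit themselves. This is an added example, not code from Sonar or from anyone in this thread. It assumes the token listing comes from the Web API's `api/user_tokens/search` response with `createdAt` and `lastConnectionDate` fields; the sample data is constructed, and both the 14-day warning window and the fallback to `createdAt` for never-used tokens are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

INACTIVITY_LIMIT = timedelta(days=60)  # removal threshold stated in the announcement
WARN_WINDOW = timedelta(days=14)       # assumption: how early to raise a warning

# Constructed sample, shaped like an api/user_tokens/search response (assumed shape).
SAMPLE_RESPONSE = json.loads("""
{"login": "ci-bot", "userTokens": [
  {"name": "bitbucket-pipeline", "createdAt": "2024-11-02T10:00:00+0000",
   "lastConnectionDate": "2025-05-20T08:00:00+0000"},
  {"name": "quarterly-release-job", "createdAt": "2024-09-01T10:00:00+0000",
   "lastConnectionDate": "2025-04-10T08:00:00+0000"},
  {"name": "old-laptop", "createdAt": "2025-01-15T09:30:00+0000"}
]}
""")

def parse_ts(value):
    # Timestamps in the sample look like 2025-05-20T08:00:00+0000.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S%z")

def classify_tokens(response, now):
    """Return (name, idle_days, status) for each token in the listing."""
    report = []
    for tok in response.get("userTokens", []):
        # Assumption: a token that was never used is aged from its creation date.
        last_seen = parse_ts(tok.get("lastConnectionDate") or tok["createdAt"])
        idle = now - last_seen
        remaining = INACTIVITY_LIMIT - idle
        if remaining <= timedelta(0):
            status = "past-limit"   # already eligible for automatic removal
        elif remaining <= WARN_WINDOW:
            status = "at-risk"      # use or rotate it before the limit is reached
        else:
            status = "ok"
        report.append((tok["name"], idle.days, status))
    return report

if __name__ == "__main__":
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed date for the sample
    for name, idle_days, status in classify_tokens(SAMPLE_RESPONSE, now):
        print(f"{status:10} {idle_days:4d} days idle  {name}")
```

Run on a schedule against each service account's real token listing, the "at-risk" rows give the advance warning the replies above ask for.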