Sonar token is not expiring on changing the password

authentication
tokens

(Abhishek Bhatt) #1

Template for a good bug report, formatted with Markdown:

  • versions used : SonarQube 6.7.5
  • error observed : Sonar token does not have an expiry set even when the user changes their password.
  • steps to reproduce : generate a token --> use the token in running sonar analysis --> change your password --> use the same token to run sonar analysis. Expected result should be that the token should not be acceptable.
  • potential workaround : Maybe setting token expiry to a number of days.

(Colin Mueller) #2

Abhishek,

Do you use other tools that revoke tokens when passwords change? IMO, one of the goals of tokens is that they can be individually revoked and, when used for automations, aren’t revoked just because of a password reset. Otherwise stated, a token is an alternative password, not just an alternative representation of a single password.

That said, +1 on the idea of being able to set a token expiration date/time period.

Colin
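To make the two lifecycle controls discussed above concrete, here is a small added example (not SonarQube's code, and not posted by either participant): a token store that hashes tokens at rest, supports a per-token expiry like the one both posts ask for, allows tokens to be revoked individually, and exposes the password-change behaviour as an explicit policy switch so both positions in the thread can be compared. All names (`TokenStore`, `TokenRecord`, `revoke_on_password_change`, `days_from_now`) are hypothetical.

```python
"""Minimal API-token store with per-token expiry and revocation.

Added illustration for the thread above; not SonarQube's implementation.
Default policy mirrors the reply: a password change does not revoke tokens.
Setting revoke_on_password_change=True mirrors the bug report's expectation.
"""

import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


def utcnow() -> datetime:
    return datetime.now(timezone.utc)


def days_from_now(n: int) -> datetime:
    """Helper for reasoning about expiry at a future instant."""
    return utcnow() + timedelta(days=n)


@dataclass
class TokenRecord:
    user: str
    name: str
    token_hash: str               # only the SHA-256 of the token is stored
    created: datetime
    expires: Optional[datetime]   # None = never expires (behaviour reported above)
    revoked: bool = False


@dataclass
class TokenStore:
    revoke_on_password_change: bool = False
    records: Dict[str, TokenRecord] = field(default_factory=dict)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def generate(self, user: str, name: str, ttl_days: Optional[int] = None) -> str:
        """Mint a random token and return the plaintext exactly once."""
        token = secrets.token_urlsafe(32)
        expires = days_from_now(ttl_days) if ttl_days is not None else None
        h = self._hash(token)
        self.records[h] = TokenRecord(user, name, h, utcnow(), expires)
        return token

    def validate(self, token: str, at: Optional[datetime] = None) -> Optional[str]:
        """Return the owning user if the token is live at `at`, else None."""
        rec = self.records.get(self._hash(token))
        if rec is None or rec.revoked:
            return None
        when = at if at is not None else utcnow()
        if rec.expires is not None and when >= rec.expires:
            return None
        return rec.user

    def revoke(self, user: str, name: str) -> bool:
        """Revoke one named token without touching the user's other tokens."""
        for rec in self.records.values():
            if rec.user == user and rec.name == name and not rec.revoked:
                rec.revoked = True
                return True
        return False

    def change_password(self, user: str) -> int:
        """Simulate a password change; returns how many tokens were revoked."""
        if not self.revoke_on_password_change:
            return 0
        count = 0
        for rec in self.records.values():
            if rec.user == user and not rec.revoked:
                rec.revoked = True
                count += 1
        return count


if __name__ == "__main__":
    store = TokenStore()
    t = store.generate("alice", "ci-server", ttl_days=30)
    print("valid now:", store.validate(t))
    print("revoked on password change:", store.change_password("alice"))
    print("valid after 31 days:", store.validate(t, at=days_from_now(31)))
```

The `validate` method takes an explicit `at` instant so an expiry policy can be checked deterministically; the default store keeps tokens valid across a password change, while the `revoke_on_password_change=True` store invalidates every live token the user owns.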
