When creating a time-limited access token using a transient user's long-lived access token, we've observed the following issues:
- username for token becomes token:<transient username>
- an access token with a time limit is eligible to be used for new access tokens
We've also noted the following issue related to transient users:
- the permission of a transient user is not visible in the API / UI
The first issue is more or less a cosmetic issue. Obviously, it would be nice if nested tokens had the same username as the original token and the level of nesting was shown in an additional field.
The second issue worries me. If someone is able to capture an access token, it can be refreshed indefinitely. IMHO, to prevent refreshing, transient users should only be allowed to create a single level of access tokens, or nested access tokens should be set to expire at the same time as their parent.
The third issue is something that we can probably manage with manual bookkeeping or by using playbooks for creating technical accounts. Obviously, I'd prefer that the scope was stored in the Artifactory database and that it was visible in the Artifactory API.
I know I shouldn't have bundled all these issues in a single bug report. But without issue templates, writing issue descriptions is just annoying.
We're an enterprise customer, if it matters in prioritizing the issue.
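
The second issue and the two mitigations proposed in the report can be compared in a small model. This is an added example, not code from the report or from Artifactory: it calls no Artifactory API, and `Token`, the `mint_*` functions and `chain_lifetime` are hypothetical names. It shows how far the final expiry moves when each new token is used to create the next one.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Token:
    subject: str
    expires_at: Optional[int]  # seconds; None models the long-lived token
    depth: int = 0             # 0 = long-lived token, 1 = first derived token

def _require_valid(parent: Token, now: int) -> None:
    if parent.expires_at is not None and now >= parent.expires_at:
        raise PermissionError("parent token expired")

def mint_unrestricted(parent: Token, now: int, ttl: int) -> Token:
    """Reported behaviour: a time-limited token can create a fresh token."""
    _require_valid(parent, now)
    return Token(parent.subject, now + ttl, parent.depth + 1)

def mint_capped(parent: Token, now: int, ttl: int) -> Token:
    """Proposed: a nested token never outlives its parent."""
    _require_valid(parent, now)
    expiry = now + ttl
    if parent.expires_at is not None:
        expiry = min(expiry, parent.expires_at)
    return Token(parent.subject, expiry, parent.depth + 1)

def mint_single_level(parent: Token, now: int, ttl: int) -> Token:
    """Proposed: only the long-lived token may create access tokens."""
    _require_valid(parent, now)
    if parent.depth >= 1:
        raise PermissionError("nested token creation not allowed")
    return Token(parent.subject, now + ttl, parent.depth + 1)

def chain_lifetime(mint: Callable[[Token, int, int], Token],
                   root: Token, ttl: int, rounds: int) -> int:
    """Re-mint one second before expiry `rounds` times; return final expiry."""
    tok = mint(root, 0, ttl)
    for _ in range(rounds):
        try:
            tok = mint(tok, tok.expires_at - 1, ttl)
        except PermissionError:
            break  # policy refused the refresh; lifetime stops growing
    return tok.expires_at

if __name__ == "__main__":
    root = Token("transient-user", None)  # constructed sample subject
    for policy in (mint_unrestricted, mint_capped, mint_single_level):
        print(policy.__name__, chain_lifetime(policy, root, 3600, 5))
```

With a one-hour TTL, the unrestricted policy lets the chain's expiry grow with every round, while both proposed policies keep it at the first token's expiry.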