Validated that assigning roles to User/Group does not revoke the token anymore, this was fixed in Keystone.
Revoking roles from User/Group still revokes the token.
For revoking roles from User/Group, it is by design to revoke the token immediately because from security perspective revoking roles must be immediate to prevent user from further accessing the system. Adding roles is less important and could wait until the user re-authenticates.
Validated that assigning roles to User/Group does not revoke the token anymore, this was fixed in Keystone.
Revoking roles from User/Group still revokes the token.
For revoking roles from User/Group, it is by design to revoke the token immediately because from security perspective revoking roles must be immediate to prevent user from further accessing the system. Adding roles is less important and could wait until the user re-authenticates.