Comment 6 for bug 1186059

Arvind Tiwari (arvind-tiwari) wrote :

I think we should not make these APIs open for all, because that way we will lose all auditability of who revoked the token. In a well-behaved system, the admin would have a priv to revoke tokens of their users. We need it at least for public cloud scenarios, and the policy engine supports it.

I know the holder of a token (user/impersonator) can revoke a token, so why authorization? But what I want to achieve here in this bug is that someone (a good team member) should not accidentally revoke my token; we can control the impersonator use case if someone has access to my token.

thoughts???