I'm not sure that's a vulnerability to be honest. I'm fine with fixing it -- just not convinced the current behavior should be seen as a vulnerability (in the same way as bug 1097995 is not seen as one).
You can still revoke those tokens manually, I suspect? I guess that's a question of natural expectations. Is the revocation operation seen as atomic (revoke token), or functional (revoke this token and everything related to it)? Unless we clearly advertised that the "revoke token" operation also revokes tokens created by this token, I think this is not vulnerability territory.
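The two revocation semantics the comment contrasts (atomic: revoke only the named token; functional: also revoke everything minted from it) can be made concrete with a small model. The following is an added example, constructed for this page and not the code of the project the bug concerns; the `TokenStore` class, the `parent_id` link and the token names are all assumptions made for illustration.

```python
"""Constructed model of token revocation with and without cascading.

Hypothetical example, not the project's own code. A token created by
presenting another token (e.g. an access token minted from a refresh
token) records its parent so the two semantics can be compared.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Token:
    token_id: str
    parent_id: Optional[str] = None   # token presented to create this one, if any
    revoked: bool = False


class TokenStore:
    def __init__(self) -> None:
        self._tokens: Dict[str, Token] = {}

    def issue(self, token_id: str, parent_id: Optional[str] = None) -> Token:
        # A new token may only be minted from a parent that is still valid.
        if parent_id is not None and not self.is_valid(parent_id):
            raise PermissionError(f"parent token {parent_id!r} is not valid")
        tok = Token(token_id, parent_id)
        self._tokens[token_id] = tok
        return tok

    def is_valid(self, token_id: str) -> bool:
        tok = self._tokens.get(token_id)
        return tok is not None and not tok.revoked

    def children_of(self, token_id: str) -> Set[str]:
        return {t.token_id for t in self._tokens.values() if t.parent_id == token_id}

    def revoke(self, token_id: str, cascade: bool = False) -> Set[str]:
        """Revoke one token.

        cascade=False is the "atomic" semantics: only the named token dies.
        cascade=True is the "functional" semantics: every token transitively
        created from it is revoked as well. Returns the set of ids revoked.
        """
        revoked: Set[str] = set()
        stack = [token_id]
        while stack:
            tid = stack.pop()
            tok = self._tokens.get(tid)
            if tok is None or tok.revoked:
                continue
            tok.revoked = True
            revoked.add(tid)
            if cascade:
                stack.extend(self.children_of(tid))
        return revoked


def demo(cascade: bool) -> Dict[str, bool]:
    """Build a refresh token with two children and one grandchild (constructed
    sample data), revoke the root, and report which tokens remain valid."""
    store = TokenStore()
    store.issue("refresh-1")
    store.issue("access-1a", parent_id="refresh-1")
    store.issue("access-1b", parent_id="refresh-1")
    store.issue("access-2", parent_id="access-1a")   # minted from a child token
    store.revoke("refresh-1", cascade=cascade)
    return {tid: store.is_valid(tid)
            for tid in ("refresh-1", "access-1a", "access-1b", "access-2")}


def can_mint_after_revoke() -> bool:
    """After an atomic revoke, the root can no longer mint new children,
    but tokens already derived from it keep working until revoked themselves."""
    store = TokenStore()
    store.issue("refresh-1")
    store.issue("access-1a", parent_id="refresh-1")
    store.revoke("refresh-1")
    try:
        store.issue("access-1c", parent_id="refresh-1")
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print("atomic:    ", demo(cascade=False))
    print("cascading: ", demo(cascade=True))
    print("mint after atomic revoke:", can_mint_after_revoke())
```

With `cascade=False` the derived access tokens stay valid after their refresh token is revoked, which is exactly the behaviour the comment says is only a problem if users were told that revocation cascades; with `cascade=True` the whole subtree is invalidated in one operation. Whichever semantics a service picks, the point is to document it, since a caller who assumes the other one will be surprised.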