1) When users are deleted, their existing tokens are not invalidated, so they stay valid for the duration of the token life? Yes, the workaround here is to disable the user prior to deleting them, which will result in tokens being revoked as expected.
2) What is the default lifetime for a token? 24 hours; this is configurable via keystone.conf [token] expiration (defaults to 86400 seconds).
3) Which types of tokens are affected? PKI and UUID, both.
And as henry-nash pointed out, this only affects the delete user call on the v2 API, but both APIs will continue to validate pre-existing tokens. After a user is either disabled or deleted, they are not able to generate new tokens.
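The disable-then-delete workaround from the comment above, as an added example that is not part of the original comment or of Keystone's code. `disable_then_delete` assumes an object with `update_enabled(user, enabled)` and `delete(user)`, the method names of python-keystoneclient's v2.0 users manager; `FakeV2Users` is a constructed in-memory model of the behaviour the comment describes, so the script runs offline.

```python
"""Disable-then-delete workaround, run against a constructed fake backend."""


def disable_then_delete(users, user_id):
    """Disable the user first so existing tokens are revoked, then delete."""
    users.update_enabled(user_id, False)  # disabling triggers token revocation
    users.delete(user_id)                 # v2 delete alone would not revoke


class FakeV2Users:
    """Constructed stand-in modelling the behaviour described in the comment."""

    def __init__(self):
        self.enabled = {}   # user_id -> bool
        self.tokens = {}    # token_id -> user_id (tokens that still validate)

    def create(self, user_id):
        self.enabled[user_id] = True

    def issue_token(self, token_id, user_id):
        if not self.enabled.get(user_id, False):
            raise PermissionError("disabled or deleted users get no new tokens")
        self.tokens[token_id] = user_id

    def update_enabled(self, user_id, enabled):
        self.enabled[user_id] = enabled
        if not enabled:  # disabling revokes the user's existing tokens
            self.tokens = {t: u for t, u in self.tokens.items() if u != user_id}

    def delete(self, user_id):
        # Models the reported bug: the user is removed, tokens are left alone.
        self.enabled.pop(user_id, None)

    def valid_tokens(self, user_id):
        return sorted(t for t, u in self.tokens.items() if u == user_id)


def demo():
    users = FakeV2Users()
    for uid in ("alice", "bob"):
        users.create(uid)
        users.issue_token("tok-" + uid, uid)
    users.delete("alice")               # plain delete: old token survives
    disable_then_delete(users, "bob")   # workaround: old token is revoked
    return users.valid_tokens("alice"), users.valid_tokens("bob")


if __name__ == "__main__":
    print(demo())
```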