Back in Folsom, when a user creates a project and adds himself onto that project, only the scoped token gets revoked and then we reuse the unscoped token to reauthenticate so that the user won't be logged out of the system.
In Grizzly, adding a user to a project would result in all his tokens being revoked, even the unscoped ones. I've also tried Keystone V3, hoping that token scoping on domains would solve my problem, but still the same thing happens.
My test:
Token: UUID
I've created a bunch of tokens with different scopes, some scoped to domains and some to projects.
mysql> SELECT id, valid FROM token WHERE user_id = "b68e401ce94c4aefbe1b1699e5a62956" AND valid = 1;
+----------------------------------+-------+
| id                               | valid |
+----------------------------------+-------+
| 067bb96c5ee3491c916c4db73693dfff |     1 |
| 3ba0ee57018c400f925d680068eb797e |     1 |
| cdb6fe2a1d23477f8bb4339afc7ae2ec |     1 |
| e0f66872d37b4c8bab41e63a35313867 |     1 |
+----------------------------------+-------+
--------> Then I added that user to a project
mysql> SELECT id, valid FROM token WHERE user_id = "b68e401ce94c4aefbe1b1699e5a62956" AND valid = 1;
Empty set (0.00 sec)
--------> All tokens, no matter what scope, became invalid
I need to verify if this is a bug or if this is how Keystone should actually work.