Comment 1 for bug 1511775

Assigning this to Jorge Munoz, who started working on a related patch at the OpenStack summit this week.

With Fernet, we can not bother revoking either of these tokens. Instead, the new role set is computed at token validation time, and the scoped token would only be invalid if it was the last remaining role the user had on the project. Otherwise, both tokens would remain valid and the scoped token would simply be missing the revoked role.