Comment 9 for bug 1590805

Steve Martinelli (stevemar) wrote:

When a role is revoked on a group at the domain level we are aggressive and revoke all tokens that match the domain and role. In your case, the domain and role you are revoking (default + admin) are the same ones you are using to auth! Note that this only happens with groups, and if you decided to give the group a role that you are not using, then this wouldn't happen.

I believe the intention here was for (as Dolph said in comment #4) security vs performance.

See the code here: https://github.com/openstack/keystone/blob/94e83aff172feee3874604ab1a92d4038be4965f/keystone/assignment/core.py#L380-L402

This bug doesn't seem like something that can be routinely hit in practice. I'd rather not decrease security in this specific case, since the only workaround I can think of would be to revoke tokens that match all 3 criteria (domain + group + role).
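To illustrate the trade-off in the comment above, here is an added toy model (not Keystone's own code) of how a revocation event is matched against issued tokens. The token and event fields, the sample users, and the `ops` group are constructed assumptions; the point is that a domain-plus-role event also matches the caller's own token, while narrowing to domain-plus-group-plus-role would not.

```python
"""Toy model of token-revocation matching (constructed example, not Keystone code)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, List


@dataclass(frozen=True)
class Token:
    user_id: str
    domain_id: str           # scope of the token
    roles: FrozenSet[str]    # roles carried by the token
    groups: FrozenSet[str]   # groups the token's user belongs to


@dataclass(frozen=True)
class RevocationEvent:
    domain_id: str
    role_id: str
    group_id: Optional[str] = None  # None = aggressive match on domain + role only


def is_revoked(token: Token, event: RevocationEvent) -> bool:
    """A token is revoked when every criterion present on the event matches it."""
    if token.domain_id != event.domain_id:
        return False
    if event.role_id not in token.roles:
        return False
    # Optional third criterion: only tokens of users in the affected group.
    if event.group_id is not None and event.group_id not in token.groups:
        return False
    return True


def revoked_users(tokens: List[Token], event: RevocationEvent) -> List[str]:
    """Return the sorted user ids whose tokens the event invalidates."""
    return sorted(t.user_id for t in tokens if is_revoked(t, event))


# Constructed sample tokens: the admin doing the revocation holds admin on
# the default domain but is NOT in the group; alice is in the group.
TOKENS = [
    Token("admin", "default", frozenset({"admin"}), frozenset()),
    Token("alice", "default", frozenset({"admin"}), frozenset({"ops"})),
    Token("bob", "other", frozenset({"admin"}), frozenset({"ops"})),
]

if __name__ == "__main__":
    # Aggressive (current) behaviour revokes the admin's own token too.
    print(revoked_users(TOKENS, RevocationEvent("default", "admin")))
    # Three-criteria match would spare the caller, at the cost of a wider search.
    print(revoked_users(TOKENS, RevocationEvent("default", "admin", "ops")))
```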