When a role is revoked on a group at the domain level we are aggressive and revoke all tokens that match the domain and role. In your case, the domain and role you are revoking (default + admin) are the same ones you are using to auth! Note that this only happens with groups, and if you decided to give the group a role that you are not using, then this wouldn't happen.
I believe the intention here was for (as Dolph said in comment #4) security vs performance.
See the code here: https://github.com/openstack/keystone/blob/94e83aff172feee3874604ab1a92d4038be4965f/keystone/assignment/core.py#L380-L402
This bug doesn't seem like something that can be routinely hit in practice. I'd rather not decrease security in this specific case, since the only workaround I can think of would be to revoke tokens that match all 3 criteria (domain + group + role).
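The trade-off described in the comment above, as an added example that is not part of the original comment and is not Keystone's code: a simplified model of attribute-matched token revocation, comparing a domain + role event with a domain + group + role event. The `Token` and `RevocationEvent` classes, the `via_groups` field (which assumes a token records which groups granted its role) and the sample users are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Token:
    user: str
    domain_id: str
    role_id: str
    issued_at: int                              # epoch seconds
    via_groups: FrozenSet[str] = frozenset()    # assumed: groups that granted the role


@dataclass(frozen=True)
class RevocationEvent:
    issued_before: int
    domain_id: Optional[str] = None             # None acts as a wildcard
    role_id: Optional[str] = None
    group_id: Optional[str] = None              # hypothetical third criterion

    def matches(self, t: Token) -> bool:
        """A token is revoked when every non-wildcard attribute matches."""
        if t.issued_at >= self.issued_before:
            return False                        # issued after the event: unaffected
        if self.domain_id is not None and t.domain_id != self.domain_id:
            return False
        if self.role_id is not None and t.role_id != self.role_id:
            return False
        if self.group_id is not None and self.group_id not in t.via_groups:
            return False
        return True


def revoked_users(event, tokens):
    return sorted(t.user for t in tokens if event.matches(t))


# Constructed sample tokens, all issued before the revocation at t=200.
TOKENS = [
    Token("operator", "default", "admin", 100),                    # direct assignment
    Token("bob", "default", "admin", 100, frozenset({"ops"})),     # via group "ops"
    Token("carol", "default", "member", 100, frozenset({"ops"})),
    Token("dave", "other", "admin", 100, frozenset({"ops"})),
]

BROAD = RevocationEvent(issued_before=200, domain_id="default", role_id="admin")
NARROW = RevocationEvent(issued_before=200, domain_id="default",
                         role_id="admin", group_id="ops")

if __name__ == "__main__":
    print("domain + role:        ", revoked_users(BROAD, TOKENS))
    print("domain + group + role:", revoked_users(NARROW, TOKENS))
```

In this model the domain + role event also invalidates the token of `operator`, who holds admin on the default domain without going through the group, while the three-criteria event only hits `bob`.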