Comment 17 for bug 890411

After much consideration, we've decided to make the serviceId parameter "optional" in order to fulfill backward compatible requirement.

GET/HEAD /tokens/{tokenId}?[belongsTo=<tenantID>&][serviceId=<comma-separated service IDs>]

Keep in mind that the absence of serviceId, if one chooses to, means we still have tenant role conflicts/overlaps security problems as described in the bug.

Please let me know if there are objections. Otherwise, I'll start implementing the changes.