"Granting and revoking roles from a user is not reflected upon token validation for pre-existing tokens. Pre-existing tokens continue to be valid for the original set of roles for the remainder of the token's lifespan, or until explicitly invalidated."
The proposed patch works around the issue by invalidating all tokens held by a user whenever a role is granted to or revoked from that user.
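A minimal model of the behaviour quoted above and of the patch's approach, added here as an illustration and not taken from the project's code. `TokenService`, its methods, the flag name and the user and role names are all hypothetical.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenService:
    """Toy identity service: tokens snapshot the user's roles at issue time."""
    invalidate_on_role_change: bool  # False = behaviour in the quoted report
    roles: dict = field(default_factory=dict)    # user -> set of role names
    tokens: dict = field(default_factory=dict)   # token id -> (user, frozen roles)

    def issue(self, user):
        token_id = secrets.token_hex(16)
        self.tokens[token_id] = (user, frozenset(self.roles.get(user, ())))
        return token_id

    def validate(self, token_id):
        """Return the roles the token carries, or None if it is not valid."""
        entry = self.tokens.get(token_id)
        return None if entry is None else entry[1]

    def grant(self, user, role):
        self.roles.setdefault(user, set()).add(role)
        self._roles_changed(user)

    def revoke(self, user, role):
        self.roles.get(user, set()).discard(role)
        self._roles_changed(user)

    def _roles_changed(self, user):
        if self.invalidate_on_role_change:
            # Patched behaviour: drop every token held by this user.
            for tid in [t for t, (u, _) in self.tokens.items() if u == user]:
                del self.tokens[tid]


def stale_roles_after_revoke(invalidate_on_role_change):
    """Issue tokens to two users, revoke one user's role, validate both tokens."""
    svc = TokenService(invalidate_on_role_change)
    svc.grant("alice", "admin")   # constructed sample users and roles
    svc.grant("bob", "member")
    alice_tok, bob_tok = svc.issue("alice"), svc.issue("bob")
    svc.revoke("alice", "admin")
    return svc.validate(alice_tok), svc.validate(bob_tok)


if __name__ == "__main__":
    print("unpatched:", stale_roles_after_revoke(False))
    print("patched:  ", stale_roles_after_revoke(True))
```

With the flag off, the old token still validates with the revoked role; with it on, that user's tokens are gone and the user must re-authenticate, while other users' tokens are unaffected.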