Ok, so apparently you have to be an admin of all Keystone to grant or revoke roles. Since in this case you can just revoke any token anyway, there is no vulnerability here.
The bug is still valid: invalidation of tokens in that scenario should be limited to the affected tenant.