alitheg commented on issue #971: URL: https://github.com/apache/tooling-trusted-releases/issues/971#issuecomment-4224972275
Reading this again, I don't think we have an issue here. JWTs validate that their PAT is still valid before they are accepted, so any revoked PATs would revoke their JWTs immediately. And web sessions are totally separate. The only think we could do, if we particularly wanted to, would be to ask a user on issuing PAT 2, do they want to revoke PAT 1? But I'm not really sure we want to do that anyway since they already have the easy ability to revoke. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
