When unit is configured to use subdomain-based cell url, a Role url in Tokens such as Visitor Local Access Token is supposed to be in the form of "subdomain-based" cell url.
But current implementation (for more than a year since subdomain-based cell url is introduced), uses path-based url in tokens.
Up to 1.7.20, however, the path-based url in the tokens are somehow interpreted and the whole personium-core access control model worked. In a recent change, when role url related modules are refactored, tokens with broken role url gets strictly evaluated.
When unit is configured to use subdomain-based cell url, a Role url in Tokens such as Visitor Local Access Token is supposed to be in the form of "subdomain-based" cell url. But current implementation (for more than a year since subdomain-based cell url is introduced), uses path-based url in tokens.
Up to 1.7.20, however, the path-based url in the tokens are somehow interpreted and the whole personium-core access control model worked. In a recent change, when role url related modules are refactored, tokens with broken role url gets strictly evaluated.
This issue is an obstacle for 1.7.21 release