)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"},"change_message_id":"9671154712833324ef70f1447ba703f416425cbc","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"0f200e55_120a3009","updated":"2026-03-20 16:04:12.000000000","message":"Thanks for putting this together. I agree that updating ⁠last_active_at on AppCred authentication is a solid improvement and aligns better with operator expectations for active credential tracking.\nHowever, we should make this behavior configurable (e.g., via a new ⁠[application_credential] config option, perhaps defaulting to ⁠True for this new behavior). There are deployment scenarios where operators explicitly do not want an automated script or background service using an AppCred to keep the credential alive ad infinitum—they may want the credential to expire or be flagged for rotation based on the user’s actual interactive login activity rather than the script’s polling.\nAdding a toggle gives us the best of both worlds without breaking strict rotation policies.","commit_id":"3ad1d79908f49c7c3a03ba04578c92c4dcf69f03"},{"author":{"_account_id":13478,"name":"Boris Bobrov","email":"b.bobrov@sap.com","username":"bbobrov"},"change_message_id":"8b837a5903714c52f24040060cc9ff8440c8f341","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":2,"id":"b9a0c244_5baff488","in_reply_to":"0f200e55_120a3009","updated":"2026-03-20 16:33:57.000000000","message":"Sounds good. The flag will by default maintain the current behavior. Please yell if you disagree.","commit_id":"3ad1d79908f49c7c3a03ba04578c92c4dcf69f03"},{"author":{"_account_id":13478,"name":"Boris Bobrov","email":"b.bobrov@sap.com","username":"bbobrov"},"change_message_id":"5cb8b49049c78176cfe3d6b9c0a88e92ecabac31","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":2,"id":"04a59596_509cab26","in_reply_to":"b9a0c244_5baff488","updated":"2026-03-20 18:39:47.000000000","message":"sorry, i misread it the first time. I will add the option to disable updating last_active_at","commit_id":"3ad1d79908f49c7c3a03ba04578c92c4dcf69f03"},{"author":{"_account_id":13478,"name":"Boris Bobrov","email":"b.bobrov@sap.com","username":"bbobrov"},"change_message_id":"8ce209db8a2bb4ca31aa4ce4890a5a6f826abf71","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"53d992c0_df71a4d3","updated":"2026-03-25 00:32:43.000000000","message":"@dwilde@redhat.com tbh after your comment i am not sure any more that the flag should switch to the new functionality by default. This has been like this forever, and the bugreport was the fist ever since years.\n\nI think now that there are more users relying on the old behavior than users who want the new one. What do you think about setting the flag to \"False\" by default?","commit_id":"3d46e9d4603a5a04164d985935d1ef75113dbd95"}]}