[bug]: Connected App Token & LoginAs

[tprouvot]

Prerequisites

• I've read the common issues and the one I'm about to create is not one of those documented.
• I've searched in the existing issues and the one I'm about to create is not one of those created.
• I've read the release note and the one I'm about to create is not already fixed.

Describe the bug

Let's say I'm using the Reloaded connected app on my org because I enabled API Access Control.
If I'm connecting to this org with several users, we may have a discrepancy between the connected user and the token used.

To Reproduce

I'm connecting to the org with userA, refreshing my expired token and using reloaded as user1.
Then I'm login to userB on the same org, the token I just generated is still valid and I'm using inspector.
The issue is: I'm using Inspector as user1 but logged in the org as userB.

Version

beta

What browser are you using?

Chrome

[FeldhackerChrisPFG]

Just to highlight that there's a larger issue here: When an org has API Access Control enabled, then users must be granted the "Use Any API Client" permission (which presents a huge security risk), because Salesforce Inspector Reloaded does not utilize a Connected App Id with every request, because authentication is not properly setup. There's a cascade of problems here that result in this issue.

[tprouvot]

Hi @FeldhackerChrisPFG

If the org has Api Access Control enabled, you must use the generate token button as described in the documentation.
Granting access to the API through Use any api is not recommended.