The issue may happen if somebody manages to attach an API token when "user is not a valid user in the backend SecurityRealm." (http://javadoc.jenkins-ci.org/hudson/model/User.html#impersonate%28%29).
Is this really a use case we want to support? With the tokens no longer being admin-visible, I think we decided this is not valid.
Daniel Beck Missed the comment. I have added the pull request link, I am fine with closing as Not a defect
After the PR review Wadeck Follonier and Daniel Beck said that it is probably not required since the issue cannot really happen. Since there is no other votes, I will just close the ticket