Based upon research and discussions in IRC, turns out we do not store
the application_credential_id in the token payload. This means that if
the token is not pre-populated in the cache, the test will fail.

This also means that if the token cache expires, subsequent uses of the
token with the application cred will also fail / have inconsistent or
inappropriate behavior.

This requires a fix to add a formatter that includes
application_credentials (likely more than one). The issue is identified
by looking at
and seeing that application credential is not stored anywhere but the
auth methods are properly populated.

** Also affects: keystone/rocky
   Importance: Critical
     Assignee: Lance Bragstad (lbragstad)
       Status: In Progress

** Also affects: keystone/queens
   Importance: Undecided
       Status: New

** Changed in: keystone/queens
   Importance: Undecided => Critical

** Changed in: keystone/queens
       Status: New => Triaged

** Changed in: keystone/queens
     Assignee: (unassigned) => Lance Bragstad (lbragstad)

You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).

  validation of app cred tokens is dependent on

Status in OpenStack Identity (keystone):
  In Progress
Status in OpenStack Identity (keystone) queens series:
Status in OpenStack Identity (keystone) rocky series:
  In Progress

Bug description:
  Some information in tokens obtained with application credentials isn't
  available unless caching is enabled. I was able to recreate this using
  some of the tests in and by setting
  CONF.token.cache_on_issue to False, which resulted in a 500 because a
  specific key in the token reference wasn't available [0].

  Without digging into a bunch, I think this is because the token is
  cached when it is created, meaning the process to rebuild the entire
  authorization context at validation time is short-circuited.


To manage notifications about this bug go to:

Mailing list:
Post to     :
Unsubscribe :
More help   :

Reply via email to