)]}'
{"specs/keystone/backlog/oidc-improved-support.rst":[{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"20c92d67d95e60ee061cf91402b2976e6a1d9225","unresolved":false,"context_lines":[{"line_number":8,"context_line":"Improved OpenID Connect Support"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"`bp improved-oidc-support \u003chttps://blueprints.launchpad.net/keystone/+spec/improved-oidc-support\u003e`_"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"User access based on OpenID Connect is supported in keystone by leveraging the"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_319aaac4","line":11,"updated":"2019-12-10 18:34:51.000000000","message":"Would be better to change this to the RFE bug: https://bugs.launchpad.net/keystone/+bug/1815971\n\n(could be done in a followup patch)","commit_id":"1d246348112cc890db5d0d6fe8d091161e05d831"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"43cb8272393ca7e284b53e20f451abd6cb01c4c3","unresolved":false,"context_lines":[{"line_number":8,"context_line":"Improved OpenID Connect Support"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"`bp improved-oidc-support 
\u003chttps://blueprints.launchpad.net/keystone/+spec/improved-oidc-support\u003e`_"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"User access based on OpenID Connect is supported in keystone by leveraging the"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_a0f6788f","line":11,"in_reply_to":"3fa7e38b_319aaac4","updated":"2020-01-02 14:58:47.000000000","message":"+1","commit_id":"1d246348112cc890db5d0d6fe8d091161e05d831"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"20c92d67d95e60ee061cf91402b2976e6a1d9225","unresolved":false,"context_lines":[{"line_number":131,"context_line":"and the mapping set by the administrator can be based on them. If we do so,"},{"line_number":132,"context_line":"operators should configure this plugin, instead of the current mapped plugin"},{"line_number":133,"context_line":"(``keystone.auth.plugins.mapped.Mapped``)."},{"line_number":134,"context_line":""},{"line_number":135,"context_line":"Proposed Change"},{"line_number":136,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":137,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_91dcbe71","line":134,"updated":"2019-12-10 18:34:51.000000000","message":"This is very well explained, thank you","commit_id":"1d246348112cc890db5d0d6fe8d091161e05d831"}],"specs/keystone/ocata/oidc-improved-support.rst":[{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"7692f0d5ca0895a91783c7c8b6bbf83ad6d73f24","unresolved":false,"context_lines":[{"line_number":11,"context_line":"`bp improved-oidc-support 
\u003chttps://blueprints.launchpad.net/keystone/+spec/improved-oidc-support\u003e`_"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"OpenID Connect is supported in Keystone by leveraging the Apache module"},{"line_number":15,"context_line":"``mod_auth_oidc`` module and the Keystone Federation plugin. OpenID Connect"},{"line_number":16,"context_line":"works fine when accessing OpenStack thorugh the dashboard, but it requires"},{"line_number":17,"context_line":"additional configuration steps to make it work when using the OpenStack CLI"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a95cdbc_ef37aefc","line":14,"range":{"start_line":14,"start_character":65,"end_line":14,"end_character":71},"updated":"2016-10-08 07:32:31.000000000","message":"remove \"module\" as it\u0027s repeated a few words later","commit_id":"74ba5fa35226955dd6c5b1d28e686a6fe9c2f320"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"7692f0d5ca0895a91783c7c8b6bbf83ad6d73f24","unresolved":false,"context_lines":[{"line_number":12,"context_line":""},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"OpenID Connect is supported in Keystone by leveraging the Apache module"},{"line_number":15,"context_line":"``mod_auth_oidc`` module and the Keystone Federation plugin. OpenID Connect"},{"line_number":16,"context_line":"works fine when accessing OpenStack thorugh the dashboard, but it requires"},{"line_number":17,"context_line":"additional configuration steps to make it work when using the OpenStack CLI"},{"line_number":18,"context_line":"tools. 
This blueprint aims at improving the support, so that the same outcome"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a95cdbc_0362f6d7","line":15,"range":{"start_line":15,"start_character":2,"end_line":15,"end_character":15},"updated":"2016-10-08 07:32:31.000000000","message":"mod_auth_openidc","commit_id":"74ba5fa35226955dd6c5b1d28e686a6fe9c2f320"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"7692f0d5ca0895a91783c7c8b6bbf83ad6d73f24","unresolved":false,"context_lines":[{"line_number":12,"context_line":""},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"OpenID Connect is supported in Keystone by leveraging the Apache module"},{"line_number":15,"context_line":"``mod_auth_oidc`` module and the Keystone Federation plugin. OpenID Connect"},{"line_number":16,"context_line":"works fine when accessing OpenStack thorugh the dashboard, but it requires"},{"line_number":17,"context_line":"additional configuration steps to make it work when using the OpenStack CLI"},{"line_number":18,"context_line":"tools. This blueprint aims at improving the support, so that the same outcome"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a95cdbc_2f3ef6d9","line":15,"range":{"start_line":15,"start_character":53,"end_line":15,"end_character":59},"updated":"2016-10-08 07:32:31.000000000","message":"s/plugin/APIs","commit_id":"74ba5fa35226955dd6c5b1d28e686a6fe9c2f320"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"7692f0d5ca0895a91783c7c8b6bbf83ad6d73f24","unresolved":false,"context_lines":[{"line_number":15,"context_line":"``mod_auth_oidc`` module and the Keystone Federation plugin. 
OpenID Connect"},{"line_number":16,"context_line":"works fine when accessing OpenStack thorugh the dashboard, but it requires"},{"line_number":17,"context_line":"additional configuration steps to make it work when using the OpenStack CLI"},{"line_number":18,"context_line":"tools. This blueprint aims at improving the support, so that the same outcome"},{"line_number":19,"context_line":"is obtained, regardless of the way the user accesses the cloud."},{"line_number":20,"context_line":""},{"line_number":21,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a95cdbc_4f27c2c9","line":18,"range":{"start_line":18,"start_character":70,"end_line":18,"end_character":77},"updated":"2016-10-08 07:32:31.000000000","message":"can you elaborate on the outcome?","commit_id":"74ba5fa35226955dd6c5b1d28e686a6fe9c2f320"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"7692f0d5ca0895a91783c7c8b6bbf83ad6d73f24","unresolved":false,"context_lines":[{"line_number":25,"context_line":"Currently OpenID Connect Provider (OP) as an external Identity Provider (IdP)"},{"line_number":26,"context_line":"is supported by using:"},{"line_number":27,"context_line":""},{"line_number":28,"context_line":"* Apache + mod_auth_oidc configured as an OpenID Connect Relying Party (RP)."},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"* Keystone with the Federation drivers enabled, using the"},{"line_number":31,"context_line":"  ``keystone.auth.plugins.mapped.Mapped`` auth plugin."}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a95cdbc_63881a72","line":28,"range":{"start_line":28,"start_character":11,"end_line":28,"end_character":24},"updated":"2016-10-08 07:32:31.000000000","message":"``mod_auth_oidc``","commit_id":"74ba5fa35226955dd6c5b1d28e686a6fe9c2f320"},{"author":{"_account_id":6482,"name":"Steve 
Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"7692f0d5ca0895a91783c7c8b6bbf83ad6d73f24","unresolved":false,"context_lines":[{"line_number":46,"context_line":"does not need to do anything with the OP, apart from the usual confirmation"},{"line_number":47,"context_line":"that she is autenticating against the RP."},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"However, we the OpenStack CLIs are being used the RP is not the Apache server,"},{"line_number":50,"context_line":"but the CLI (actually, keystoneauth1). In this case, the user has to feed the"},{"line_number":51,"context_line":"client id and secret to the libraty, therefore the user has to go to the OP and"},{"line_number":52,"context_line":"create a new OpenID Connect client, fetch the discovery document endpoint,"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a95cdbc_235d3215","line":49,"range":{"start_line":49,"start_character":9,"end_line":49,"end_character":11},"updated":"2016-10-08 07:32:31.000000000","message":"remove \"we\"","commit_id":"74ba5fa35226955dd6c5b1d28e686a6fe9c2f320"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"7692f0d5ca0895a91783c7c8b6bbf83ad6d73f24","unresolved":false,"context_lines":[{"line_number":48,"context_line":""},{"line_number":49,"context_line":"However, we the OpenStack CLIs are being used the RP is not the Apache server,"},{"line_number":50,"context_line":"but the CLI (actually, keystoneauth1). In this case, the user has to feed the"},{"line_number":51,"context_line":"client id and secret to the libraty, therefore the user has to go to the OP and"},{"line_number":52,"context_line":"create a new OpenID Connect client, fetch the discovery document endpoint,"},{"line_number":53,"context_line":"client id and client secret and pass all to the library. 
Then through"},{"line_number":54,"context_line":"keystoneauth performingas the authentication flow using the requrested grant"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a95cdbc_c3b2ce4b","line":51,"range":{"start_line":51,"start_character":28,"end_line":51,"end_character":35},"updated":"2016-10-08 07:32:31.000000000","message":"library*","commit_id":"74ba5fa35226955dd6c5b1d28e686a6fe9c2f320"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"7692f0d5ca0895a91783c7c8b6bbf83ad6d73f24","unresolved":false,"context_lines":[{"line_number":51,"context_line":"client id and secret to the libraty, therefore the user has to go to the OP and"},{"line_number":52,"context_line":"create a new OpenID Connect client, fetch the discovery document endpoint,"},{"line_number":53,"context_line":"client id and client secret and pass all to the library. Then through"},{"line_number":54,"context_line":"keystoneauth performingas the authentication flow using the requrested grant"},{"line_number":55,"context_line":"type against the OP, eventually obtaining an access_token. 
This access_token is"},{"line_number":56,"context_line":"then exchanged with an ``oauth20`` protected url, that needs to be configured"},{"line_number":57,"context_line":"to do token introspection against the RP, as in this `configuration guide`_."}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a95cdbc_23b45233","line":54,"range":{"start_line":54,"start_character":13,"end_line":54,"end_character":25},"updated":"2016-10-08 07:32:31.000000000","message":"performing*","commit_id":"74ba5fa35226955dd6c5b1d28e686a6fe9c2f320"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"7692f0d5ca0895a91783c7c8b6bbf83ad6d73f24","unresolved":false,"context_lines":[{"line_number":52,"context_line":"create a new OpenID Connect client, fetch the discovery document endpoint,"},{"line_number":53,"context_line":"client id and client secret and pass all to the library. Then through"},{"line_number":54,"context_line":"keystoneauth performingas the authentication flow using the requrested grant"},{"line_number":55,"context_line":"type against the OP, eventually obtaining an access_token. 
This access_token is"},{"line_number":56,"context_line":"then exchanged with an ``oauth20`` protected url, that needs to be configured"},{"line_number":57,"context_line":"to do token introspection against the RP, as in this `configuration guide`_."},{"line_number":58,"context_line":"Since this endpoint is an OAuth 2.0 endpoint it is not able to fetch any"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a95cdbc_4385de57","line":55,"range":{"start_line":55,"start_character":45,"end_line":55,"end_character":57},"updated":"2016-10-08 07:32:31.000000000","message":"``access_token``","commit_id":"74ba5fa35226955dd6c5b1d28e686a6fe9c2f320"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"7692f0d5ca0895a91783c7c8b6bbf83ad6d73f24","unresolved":false,"context_lines":[{"line_number":73,"context_line":"the user client. If so, when a user wants to authenticate with OpenID Connect"},{"line_number":74,"context_line":"as an IdP the client should contact the federation URL that should be protected"},{"line_number":75,"context_line":"with OpenID Connect. Then the authentication flow should be the same as in the"},{"line_number":76,"context_line":"horizon+websso case, all handled by mod_auth_openidc and the Keystone app will"},{"line_number":77,"context_line":"get all the OpenID Connect claims (i.e from the id token and userinfo). 
This"},{"line_number":78,"context_line":"way keystoneauth should not implement any openid logic apart from maybe"},{"line_number":79,"context_line":"intercepting the redirect request to the login endpoint and popping out a"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a95cdbc_63ef3a1e","line":76,"range":{"start_line":76,"start_character":36,"end_line":76,"end_character":52},"updated":"2016-10-08 07:32:31.000000000","message":"``mod_auth_openidc``","commit_id":"74ba5fa35226955dd6c5b1d28e686a6fe9c2f320"},{"author":{"_account_id":8119,"name":"Eric Brown","email":"eric_wade_brown@yahoo.com","username":"ericwb"},"change_message_id":"0cbf7d8689c2e89d86942a550dab53acf9a714e8","unresolved":false,"context_lines":[{"line_number":11,"context_line":"`bp improved-oidc-support \u003chttps://blueprints.launchpad.net/keystone/+spec/improved-oidc-support\u003e`_"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"User access based on OpenID Connect is supported in Keystone by leveraging the"},{"line_number":15,"context_line":"Apache ``mod_auth_openidc`` module and the Keystone Federation APIs."},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"This involves setting the Apache server as an OpenID Connect client (Relying"}],"source_content_type":"text/x-rst","patch_set":4,"id":"7a77a97e_9208942f","line":14,"range":{"start_line":14,"start_character":52,"end_line":14,"end_character":60},"updated":"2016-11-16 01:51:14.000000000","message":"keystone","commit_id":"8214762e59ddf226ce906fa6d8d09d0db8036435"},{"author":{"_account_id":8119,"name":"Eric Brown","email":"eric_wade_brown@yahoo.com","username":"ericwb"},"change_message_id":"0cbf7d8689c2e89d86942a550dab53acf9a714e8","unresolved":false,"context_lines":[{"line_number":12,"context_line":""},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"User access based on OpenID Connect is supported in Keystone by leveraging 
the"},{"line_number":15,"context_line":"Apache ``mod_auth_openidc`` module and the Keystone Federation APIs."},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"This involves setting the Apache server as an OpenID Connect client (Relying"},{"line_number":18,"context_line":"Party) that will perform the configured authentication flow, getting the user"}],"source_content_type":"text/x-rst","patch_set":4,"id":"7a77a97e_4d0d7d36","line":15,"range":{"start_line":15,"start_character":52,"end_line":15,"end_character":62},"updated":"2016-11-16 01:51:14.000000000","message":"federation","commit_id":"8214762e59ddf226ce906fa6d8d09d0db8036435"},{"author":{"_account_id":8119,"name":"Eric Brown","email":"eric_wade_brown@yahoo.com","username":"ericwb"},"change_message_id":"0cbf7d8689c2e89d86942a550dab53acf9a714e8","unresolved":false,"context_lines":[{"line_number":12,"context_line":""},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"User access based on OpenID Connect is supported in Keystone by leveraging the"},{"line_number":15,"context_line":"Apache ``mod_auth_openidc`` module and the Keystone Federation APIs."},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"This involves setting the Apache server as an OpenID Connect client (Relying"},{"line_number":18,"context_line":"Party) that will perform the configured authentication flow, getting the user"}],"source_content_type":"text/x-rst","patch_set":4,"id":"7a77a97e_edff29ff","line":15,"range":{"start_line":15,"start_character":43,"end_line":15,"end_character":51},"updated":"2016-11-16 01:51:14.000000000","message":"keystone","commit_id":"8214762e59ddf226ce906fa6d8d09d0db8036435"},{"author":{"_account_id":8119,"name":"Eric Brown","email":"eric_wade_brown@yahoo.com","username":"ericwb"},"change_message_id":"0cbf7d8689c2e89d86942a550dab53acf9a714e8","unresolved":false,"context_lines":[{"line_number":21,"context_line":"username, name, surname, etc. 
However, when using the OpenStack CLI, the oidc"},{"line_number":22,"context_line":"RP is the CLI itself. The CLI will obtain an ``access_token`` from the OpenID"},{"line_number":23,"context_line":"Connect Provider, and this token will be exchanged with an Oauth 2.0 protected"},{"line_number":24,"context_line":"url (previously configured by the Keystone Operator to do token instrospection"},{"line_number":25,"context_line":"or local validation using ``mod_auth_openidc`` as well). In this case, only the"},{"line_number":26,"context_line":"claims contained in the access token or returned by the introspection endpoint"},{"line_number":27,"context_line":"will be present, as the userinfo endpoint is specific to OpenID Connect."}],"source_content_type":"text/x-rst","patch_set":4,"id":"7a77a97e_d22bec92","line":24,"range":{"start_line":24,"start_character":0,"end_line":24,"end_character":3},"updated":"2016-11-16 01:51:14.000000000","message":"URL","commit_id":"8214762e59ddf226ce906fa6d8d09d0db8036435"},{"author":{"_account_id":8119,"name":"Eric Brown","email":"eric_wade_brown@yahoo.com","username":"ericwb"},"change_message_id":"0cbf7d8689c2e89d86942a550dab53acf9a714e8","unresolved":false,"context_lines":[{"line_number":21,"context_line":"username, name, surname, etc. However, when using the OpenStack CLI, the oidc"},{"line_number":22,"context_line":"RP is the CLI itself. The CLI will obtain an ``access_token`` from the OpenID"},{"line_number":23,"context_line":"Connect Provider, and this token will be exchanged with an Oauth 2.0 protected"},{"line_number":24,"context_line":"url (previously configured by the Keystone Operator to do token instrospection"},{"line_number":25,"context_line":"or local validation using ``mod_auth_openidc`` as well). 
In this case, only the"},{"line_number":26,"context_line":"claims contained in the access token or returned by the introspection endpoint"},{"line_number":27,"context_line":"will be present, as the userinfo endpoint is specific to OpenID Connect."}],"source_content_type":"text/x-rst","patch_set":4,"id":"7a77a97e_cd198d7b","line":24,"range":{"start_line":24,"start_character":43,"end_line":24,"end_character":51},"updated":"2016-11-16 01:51:14.000000000","message":"operator","commit_id":"8214762e59ddf226ce906fa6d8d09d0db8036435"},{"author":{"_account_id":8119,"name":"Eric Brown","email":"eric_wade_brown@yahoo.com","username":"ericwb"},"change_message_id":"0cbf7d8689c2e89d86942a550dab53acf9a714e8","unresolved":false,"context_lines":[{"line_number":26,"context_line":"claims contained in the access token or returned by the introspection endpoint"},{"line_number":27,"context_line":"will be present, as the userinfo endpoint is specific to OpenID Connect."},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"The above situation makes difficult to implement complex policies that rely on"},{"line_number":30,"context_line":"the information returned by the userinfo endpoing (such as email address) and"},{"line_number":31,"context_line":"it presents a lack of behaviour consistency in the Keystone setups leveraging"},{"line_number":32,"context_line":"This blueprint aims at fixing this issue, by adding an additional user"}],"source_content_type":"text/x-rst","patch_set":4,"id":"7a77a97e_d2a68c52","line":29,"range":{"start_line":29,"start_character":20,"end_line":29,"end_character":25},"updated":"2016-11-16 01:51:14.000000000","message":"makes it","commit_id":"8214762e59ddf226ce906fa6d8d09d0db8036435"},{"author":{"_account_id":8119,"name":"Eric Brown","email":"eric_wade_brown@yahoo.com","username":"ericwb"},"change_message_id":"0cbf7d8689c2e89d86942a550dab53acf9a714e8","unresolved":false,"context_lines":[{"line_number":27,"context_line":"will be present, as the 
userinfo endpoint is specific to OpenID Connect."},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"The above situation makes difficult to implement complex policies that rely on"},{"line_number":30,"context_line":"the information returned by the userinfo endpoing (such as email address) and"},{"line_number":31,"context_line":"it presents a lack of behaviour consistency in the Keystone setups leveraging"},{"line_number":32,"context_line":"This blueprint aims at fixing this issue, by adding an additional user"},{"line_number":33,"context_line":"information retrieval for the OpenID Connect plugin."}],"source_content_type":"text/x-rst","patch_set":4,"id":"7a77a97e_927334e7","line":30,"range":{"start_line":30,"start_character":41,"end_line":30,"end_character":49},"updated":"2016-11-16 01:51:14.000000000","message":"endpoint","commit_id":"8214762e59ddf226ce906fa6d8d09d0db8036435"},{"author":{"_account_id":8119,"name":"Eric Brown","email":"eric_wade_brown@yahoo.com","username":"ericwb"},"change_message_id":"0cbf7d8689c2e89d86942a550dab53acf9a714e8","unresolved":false,"context_lines":[{"line_number":28,"context_line":""},{"line_number":29,"context_line":"The above situation makes difficult to implement complex policies that rely on"},{"line_number":30,"context_line":"the information returned by the userinfo endpoing (such as email address) and"},{"line_number":31,"context_line":"it presents a lack of behaviour consistency in the Keystone setups leveraging"},{"line_number":32,"context_line":"This blueprint aims at fixing this issue, by adding an additional user"},{"line_number":33,"context_line":"information retrieval for the OpenID Connect plugin."},{"line_number":34,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"7a77a97e_4d249dae","line":31,"range":{"start_line":31,"start_character":51,"end_line":31,"end_character":59},"updated":"2016-11-16 
01:51:14.000000000","message":"keystone","commit_id":"8214762e59ddf226ce906fa6d8d09d0db8036435"},{"author":{"_account_id":8119,"name":"Eric Brown","email":"eric_wade_brown@yahoo.com","username":"ericwb"},"change_message_id":"0cbf7d8689c2e89d86942a550dab53acf9a714e8","unresolved":false,"context_lines":[{"line_number":28,"context_line":""},{"line_number":29,"context_line":"The above situation makes difficult to implement complex policies that rely on"},{"line_number":30,"context_line":"the information returned by the userinfo endpoing (such as email address) and"},{"line_number":31,"context_line":"it presents a lack of behaviour consistency in the Keystone setups leveraging"},{"line_number":32,"context_line":"This blueprint aims at fixing this issue, by adding an additional user"},{"line_number":33,"context_line":"information retrieval for the OpenID Connect plugin."},{"line_number":34,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"7a77a97e_5248bc87","line":31,"range":{"start_line":31,"start_character":60,"end_line":31,"end_character":66},"updated":"2016-11-16 01:51:14.000000000","message":"setup.  
\n\nremove leveraging","commit_id":"8214762e59ddf226ce906fa6d8d09d0db8036435"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"7c32b0a360ee8c0e8fd491a4490550b2c03bfbd7","unresolved":false,"context_lines":[{"line_number":44,"context_line":"* Keystone with the Federation drivers enabled, using the"},{"line_number":45,"context_line":"  ``keystone.auth.plugins.mapped.Mapped`` auth plugin."},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"According to OpenID Connect specification, the Relying Party should be the"},{"line_number":48,"context_line":"OpenID client application that will contact the OP in order to get the"},{"line_number":49,"context_line":"access/id tokens and eventually the additional user info from the corresponding"},{"line_number":50,"context_line":"endpoint."}],"source_content_type":"text/x-rst","patch_set":4,"id":"7a77a97e_3213325e","line":47,"updated":"2016-11-22 15:59:16.000000000","message":"Do we have a link or reference for the specification?","commit_id":"8214762e59ddf226ce906fa6d8d09d0db8036435"},{"author":{"_account_id":8119,"name":"Eric Brown","email":"eric_wade_brown@yahoo.com","username":"ericwb"},"change_message_id":"0cbf7d8689c2e89d86942a550dab53acf9a714e8","unresolved":false,"context_lines":[{"line_number":52,"context_line":"In the dashboard case mentioned above, the OpenID RP is the Apache server,"},{"line_number":53,"context_line":"therefore Apache is configured with the OpenID Connect client id and secret"},{"line_number":54,"context_line":"that will be used for any of the OP grant types supported. Therefore, the"},{"line_number":55,"context_line":"Keystone administrator would register an OpenID Client in the OP, and add"},{"line_number":56,"context_line":"its client id/secret to the ``mod_auth_openidc`` configuration. 
In this case,"},{"line_number":57,"context_line":"since everything is handled within Apache and ``mod_auth_openidc``, Keystone"},{"line_number":58,"context_line":"receives the access_token, id_token and all the additional grants obtained"}],"source_content_type":"text/x-rst","patch_set":4,"id":"7a77a97e_ad3531db","line":55,"range":{"start_line":55,"start_character":0,"end_line":55,"end_character":8},"updated":"2016-11-16 01:51:14.000000000","message":"keystone","commit_id":"8214762e59ddf226ce906fa6d8d09d0db8036435"},{"author":{"_account_id":8119,"name":"Eric Brown","email":"eric_wade_brown@yahoo.com","username":"ericwb"},"change_message_id":"0cbf7d8689c2e89d86942a550dab53acf9a714e8","unresolved":false,"context_lines":[{"line_number":54,"context_line":"that will be used for any of the OP grant types supported. Therefore, the"},{"line_number":55,"context_line":"Keystone administrator would register an OpenID Client in the OP, and add"},{"line_number":56,"context_line":"its client id/secret to the ``mod_auth_openidc`` configuration. In this case,"},{"line_number":57,"context_line":"since everything is handled within Apache and ``mod_auth_openidc``, Keystone"},{"line_number":58,"context_line":"receives the access_token, id_token and all the additional grants obtained"},{"line_number":59,"context_line":"from the userinfo endpoint in the HTTPD environment variables. 
The user"},{"line_number":60,"context_line":"does not need to do anything with the OP, apart from the usual confirmation"}],"source_content_type":"text/x-rst","patch_set":4,"id":"7a77a97e_8d3dd5bd","line":57,"range":{"start_line":57,"start_character":68,"end_line":57,"end_character":76},"updated":"2016-11-16 01:51:14.000000000","message":"keystone","commit_id":"8214762e59ddf226ce906fa6d8d09d0db8036435"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"7c32b0a360ee8c0e8fd491a4490550b2c03bfbd7","unresolved":false,"context_lines":[{"line_number":60,"context_line":"does not need to do anything with the OP, apart from the usual confirmation"},{"line_number":61,"context_line":"that she is authenticating against the RP."},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"However, the OpenStack CLIs are being used the RP is not the Apache server,"},{"line_number":64,"context_line":"but the CLI (actually, keystoneauth1). In this case, the user has to feed the"},{"line_number":65,"context_line":"client id and secret to the library, therefore the user has to go to the OP and"},{"line_number":66,"context_line":"create a new OpenID Connect client, fetch the discovery document endpoint,"}],"source_content_type":"text/x-rst","patch_set":4,"id":"7a77a97e_152380a8","line":63,"updated":"2016-11-22 15:59:16.000000000","message":"However, if the* ?","commit_id":"8214762e59ddf226ce906fa6d8d09d0db8036435"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"7c32b0a360ee8c0e8fd491a4490550b2c03bfbd7","unresolved":false,"context_lines":[{"line_number":62,"context_line":""},{"line_number":63,"context_line":"However, the OpenStack CLIs are being used the RP is not the Apache server,"},{"line_number":64,"context_line":"but the CLI (actually, keystoneauth1). 
In this case, the user has to feed the"},{"line_number":65,"context_line":"client id and secret to the library, therefore the user has to go to the OP and"},{"line_number":66,"context_line":"create a new OpenID Connect client, fetch the discovery document endpoint,"},{"line_number":67,"context_line":"client id and client secret and pass all to the library. Then through"},{"line_number":68,"context_line":"keystoneauth performing the authentication flow using the requested grant type"}],"source_content_type":"text/x-rst","patch_set":4,"id":"7a77a97e_1571c0a8","line":65,"updated":"2016-11-22 15:59:16.000000000","message":"s/library/keystoneauth1/ ?","commit_id":"8214762e59ddf226ce906fa6d8d09d0db8036435"},{"author":{"_account_id":8119,"name":"Eric Brown","email":"eric_wade_brown@yahoo.com","username":"ericwb"},"change_message_id":"0cbf7d8689c2e89d86942a550dab53acf9a714e8","unresolved":false,"context_lines":[{"line_number":67,"context_line":"client id and client secret and pass all to the library. Then through"},{"line_number":68,"context_line":"keystoneauth performing the authentication flow using the requested grant type"},{"line_number":69,"context_line":"against the OP, eventually obtaining an ``access_token``. 
This access_token is"},{"line_number":70,"context_line":"then exchanged with an ``oauth20`` protected url, that needs to be configured"},{"line_number":71,"context_line":"to do token introspection against the RP, as in this `configuration guide`_."},{"line_number":72,"context_line":"Since this endpoint is an OAuth 2.0 endpoint it is not able to fetch any"},{"line_number":73,"context_line":"additional claims from the userinfo endpoint, as this is something specific to"}],"source_content_type":"text/x-rst","patch_set":4,"id":"7a77a97e_722698cf","line":70,"range":{"start_line":70,"start_character":45,"end_line":70,"end_character":48},"updated":"2016-11-16 01:51:14.000000000","message":"URL","commit_id":"8214762e59ddf226ce906fa6d8d09d0db8036435"},{"author":{"_account_id":8119,"name":"Eric Brown","email":"eric_wade_brown@yahoo.com","username":"ericwb"},"change_message_id":"0cbf7d8689c2e89d86942a550dab53acf9a714e8","unresolved":false,"context_lines":[{"line_number":75,"context_line":""},{"line_number":76,"context_line":".. _configuration guide: https://developer.ibm.com/opentech/2015/06/17/use-websphere-liberty-as-an-openid-connect-provider-for-openstack"},{"line_number":77,"context_line":""},{"line_number":78,"context_line":"Therefore, the Keystone server does not have any additional claims obtained"},{"line_number":79,"context_line":"from the userinfo endpoint apart from the ones that are already present in the"},{"line_number":80,"context_line":"token, so it is not possible to create any mapping based on this (for example"},{"line_number":81,"context_line":"group membership, email address, and so on). 
The tokens may include additional"}],"source_content_type":"text/x-rst","patch_set":4,"id":"7a77a97e_5216fc55","line":78,"range":{"start_line":78,"start_character":15,"end_line":78,"end_character":23},"updated":"2016-11-16 01:51:14.000000000","message":"keystone","commit_id":"8214762e59ddf226ce906fa6d8d09d0db8036435"},{"author":{"_account_id":8119,"name":"Eric Brown","email":"eric_wade_brown@yahoo.com","username":"ericwb"},"change_message_id":"0cbf7d8689c2e89d86942a550dab53acf9a714e8","unresolved":false,"context_lines":[{"line_number":80,"context_line":"token, so it is not possible to create any mapping based on this (for example"},{"line_number":81,"context_line":"group membership, email address, and so on). The tokens may include additional"},{"line_number":82,"context_line":"claims, but this is not mandatory in the standard, being dependant on the OP"},{"line_number":83,"context_line":"implementation. For example, Google\u0027s OAuth 2.0 introspection endpoint return"},{"line_number":84,"context_line":"these additional claims."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"Following the OpenID Connect terminology, the RP should be Keystone, and not"}],"source_content_type":"text/x-rst","patch_set":4,"id":"7a77a97e_ad4c5171","line":83,"range":{"start_line":83,"start_character":71,"end_line":83,"end_character":77},"updated":"2016-11-16 01:51:14.000000000","message":"returns","commit_id":"8214762e59ddf226ce906fa6d8d09d0db8036435"},{"author":{"_account_id":8119,"name":"Eric Brown","email":"eric_wade_brown@yahoo.com","username":"ericwb"},"change_message_id":"0cbf7d8689c2e89d86942a550dab53acf9a714e8","unresolved":false,"context_lines":[{"line_number":83,"context_line":"implementation. 
For example, Google\u0027s OAuth 2.0 introspection endpoint return"},{"line_number":84,"context_line":"these additional claims."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"Following the OpenID Connect terminology, the RP should be Keystone, and not"},{"line_number":87,"context_line":"the user client. If so, when a user wants to authenticate with OpenID Connect"},{"line_number":88,"context_line":"as an IdP the client should contact the federation URL that should be protected"},{"line_number":89,"context_line":"with OpenID Connect. Then the authentication flow should be the same as in the"}],"source_content_type":"text/x-rst","patch_set":4,"id":"7a77a97e_2d6f61c6","line":86,"range":{"start_line":86,"start_character":59,"end_line":86,"end_character":67},"updated":"2016-11-16 01:51:14.000000000","message":"keystone","commit_id":"8214762e59ddf226ce906fa6d8d09d0db8036435"},{"author":{"_account_id":8119,"name":"Eric Brown","email":"eric_wade_brown@yahoo.com","username":"ericwb"},"change_message_id":"0cbf7d8689c2e89d86942a550dab53acf9a714e8","unresolved":false,"context_lines":[{"line_number":87,"context_line":"the user client. If so, when a user wants to authenticate with OpenID Connect"},{"line_number":88,"context_line":"as an IdP the client should contact the federation URL that should be protected"},{"line_number":89,"context_line":"with OpenID Connect. 
Then the authentication flow should be the same as in the"},{"line_number":90,"context_line":"horizon+websso case, all handled by ``mod_auth_openidc`` and the Keystone app"},{"line_number":91,"context_line":"will get all the OpenID Connect claims (i.e from the id token and userinfo)."},{"line_number":92,"context_line":"This way keystoneauth should not implement any openid logic apart from maybe"},{"line_number":93,"context_line":"intercepting the redirect request to the login endpoint and popping out a"}],"source_content_type":"text/x-rst","patch_set":4,"id":"7a77a97e_ed9ba9c7","line":90,"range":{"start_line":90,"start_character":65,"end_line":90,"end_character":73},"updated":"2016-11-16 01:51:14.000000000","message":"keystone","commit_id":"8214762e59ddf226ce906fa6d8d09d0db8036435"},{"author":{"_account_id":8119,"name":"Eric Brown","email":"eric_wade_brown@yahoo.com","username":"ericwb"},"change_message_id":"0cbf7d8689c2e89d86942a550dab53acf9a714e8","unresolved":false,"context_lines":[{"line_number":98,"context_line":"However, there are several disadvantages in doing this:"},{"line_number":99,"context_line":""},{"line_number":100,"context_line":"* Only one grant type can be configured per provider, therefore if a grant type"},{"line_number":101,"context_line":"  of authz code is configured in the Keystone server (the RP) the user won\u0027t be"},{"line_number":102,"context_line":"  able to use the client credentials grant, even if the OP allows to do so."},{"line_number":103,"context_line":""},{"line_number":104,"context_line":"* All the code in keystoneauth regarding OpenID connect (that has been"}],"source_content_type":"text/x-rst","patch_set":4,"id":"7a77a97e_4da9fdde","line":101,"range":{"start_line":101,"start_character":37,"end_line":101,"end_character":45},"updated":"2016-11-16 01:51:14.000000000","message":"keystone","commit_id":"8214762e59ddf226ce906fa6d8d09d0db8036435"},{"author":{"_account_id":5046,"name":"Lance 
Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"7c32b0a360ee8c0e8fd491a4490550b2c03bfbd7","unresolved":false,"context_lines":[{"line_number":99,"context_line":""},{"line_number":100,"context_line":"* Only one grant type can be configured per provider, therefore if a grant type"},{"line_number":101,"context_line":"  of authz code is configured in the Keystone server (the RP) the user won\u0027t be"},{"line_number":102,"context_line":"  able to use the client credentials grant, even if the OP allows to do so."},{"line_number":103,"context_line":""},{"line_number":104,"context_line":"* All the code in keystoneauth regarding OpenID connect (that has been"},{"line_number":105,"context_line":"  released) becomes useless and should be deprecated, as it should not handle"}],"source_content_type":"text/x-rst","patch_set":4,"id":"7a77a97e_95feb0ac","line":102,"updated":"2016-11-22 15:59:16.000000000","message":"How likely is it to have multiple grant types? This statement makes it seem like we will be backing ourselves in to a corner.","commit_id":"8214762e59ddf226ce906fa6d8d09d0db8036435"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"7c32b0a360ee8c0e8fd491a4490550b2c03bfbd7","unresolved":false,"context_lines":[{"line_number":105,"context_line":"  released) becomes useless and should be deprecated, as it should not handle"},{"line_number":106,"context_line":"  any oidc grant type anymore."},{"line_number":107,"context_line":""},{"line_number":108,"context_line":"* The interception of the redirection could be more complicated."},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"But it has a big advantage:"},{"line_number":111,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"7a77a97e_751af418","line":108,"updated":"2016-11-22 15:59:16.000000000","message":"How 
so?","commit_id":"8214762e59ddf226ce906fa6d8d09d0db8036435"},{"author":{"_account_id":8119,"name":"Eric Brown","email":"eric_wade_brown@yahoo.com","username":"ericwb"},"change_message_id":"0cbf7d8689c2e89d86942a550dab53acf9a714e8","unresolved":false,"context_lines":[{"line_number":115,"context_line":"Nevertheless, CLI users may be expecting a similar experience to the one"},{"line_number":116,"context_line":"obtained in other cloud providers (like Google Cloud Engine) where the"},{"line_number":117,"context_line":"behaviour is like the one we have in place right now (i.e. the user needs to"},{"line_number":118,"context_line":"create and OpenID Connect client and user the obtained client id and secret)."},{"line_number":119,"context_line":""},{"line_number":120,"context_line":"However, if we continue with this design, we can leave everything as it is"},{"line_number":121,"context_line":"right now, but we need a specific OpenID Connect plugin in Keystone that is"}],"source_content_type":"text/x-rst","patch_set":4,"id":"7a77a97e_6db07944","line":118,"range":{"start_line":118,"start_character":7,"end_line":118,"end_character":10},"updated":"2016-11-16 01:51:14.000000000","message":"an","commit_id":"8214762e59ddf226ce906fa6d8d09d0db8036435"},{"author":{"_account_id":8119,"name":"Eric Brown","email":"eric_wade_brown@yahoo.com","username":"ericwb"},"change_message_id":"0cbf7d8689c2e89d86942a550dab53acf9a714e8","unresolved":false,"context_lines":[{"line_number":118,"context_line":"create and OpenID Connect client and user the obtained client id and secret)."},{"line_number":119,"context_line":""},{"line_number":120,"context_line":"However, if we continue with this design, we can leave everything as it is"},{"line_number":121,"context_line":"right now, but we need a specific OpenID Connect plugin in Keystone that is"},{"line_number":122,"context_line":"able to fetch the additional claims from the userinfo endpoint when it only"},{"line_number":123,"context_line":"receives 
an id token. This way Keystone will get all these additional claims"},{"line_number":124,"context_line":"and the mapping set by the administrator can be based on them. If we do so,"}],"source_content_type":"text/x-rst","patch_set":4,"id":"7a77a97e_adba9121","line":121,"range":{"start_line":121,"start_character":59,"end_line":121,"end_character":67},"updated":"2016-11-16 01:51:14.000000000","message":"keystone","commit_id":"8214762e59ddf226ce906fa6d8d09d0db8036435"},{"author":{"_account_id":8119,"name":"Eric Brown","email":"eric_wade_brown@yahoo.com","username":"ericwb"},"change_message_id":"0cbf7d8689c2e89d86942a550dab53acf9a714e8","unresolved":false,"context_lines":[{"line_number":120,"context_line":"However, if we continue with this design, we can leave everything as it is"},{"line_number":121,"context_line":"right now, but we need a specific OpenID Connect plugin in Keystone that is"},{"line_number":122,"context_line":"able to fetch the additional claims from the userinfo endpoint when it only"},{"line_number":123,"context_line":"receives an id token. This way Keystone will get all these additional claims"},{"line_number":124,"context_line":"and the mapping set by the administrator can be based on them. 
If we do so,"},{"line_number":125,"context_line":"operators should configure this plugin, instead of the current mapped plugin"},{"line_number":126,"context_line":"(``keystone.auth.plugins.mapped.Mapped``)."}],"source_content_type":"text/x-rst","patch_set":4,"id":"7a77a97e_0d862565","line":123,"range":{"start_line":123,"start_character":31,"end_line":123,"end_character":39},"updated":"2016-11-16 01:51:14.000000000","message":"keystone","commit_id":"8214762e59ddf226ce906fa6d8d09d0db8036435"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"7c32b0a360ee8c0e8fd491a4490550b2c03bfbd7","unresolved":false,"context_lines":[{"line_number":134,"context_line":""},{"line_number":135,"context_line":"1. Contact the OpenID Discovery Endpoint (based on the token issuer URL) to"},{"line_number":136,"context_line":"   fetch the discovery document and obtain the userinfo endpoint."},{"line_number":137,"context_line":""},{"line_number":138,"context_line":"2. Contact the userinfo endpoint, exchanging the user id token to get the"},{"line_number":139,"context_line":"   additional claims."},{"line_number":140,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"7a77a97e_35ca3c50","line":137,"updated":"2016-11-22 15:59:16.000000000","message":"I assume this will also consist of configuration changes required to let the new plugin know about required oauth2.0 endpoints? 
Naming, or defining them here is an implementation detail, but just saying that information would be gathered through keystone\u0027s configuration would be useful.","commit_id":"8214762e59ddf226ce906fa6d8d09d0db8036435"},{"author":{"_account_id":17860,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@gmail.com","username":"samueldmq"},"change_message_id":"3695a09b46ebd1b90e30122ecde9b082497a0ea6","unresolved":false,"context_lines":[{"line_number":141,"context_line":"Afterwards the plugin will continue as the vanilla mapped plugin, but the"},{"line_number":142,"context_line":"additional claims will be present."},{"line_number":143,"context_line":""},{"line_number":144,"context_line":"The discovery document is defined in the `OpenID Connect Dicovery specification"},{"line_number":145,"context_line":"https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig`"},{"line_number":146,"context_line":""},{"line_number":147,"context_line":"Alternatives"}],"source_content_type":"text/x-rst","patch_set":4,"id":"7a77a97e_2893b3a4","line":144,"range":{"start_line":144,"start_character":57,"end_line":144,"end_character":65},"updated":"2016-11-16 14:15:02.000000000","message":"(nit) Discovery","commit_id":"8214762e59ddf226ce906fa6d8d09d0db8036435"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"7c32b0a360ee8c0e8fd491a4490550b2c03bfbd7","unresolved":false,"context_lines":[{"line_number":148,"context_line":"------------"},{"line_number":149,"context_line":""},{"line_number":150,"context_line":"The other alternative would be that all the OpenID Connect flow is done by"},{"line_number":151,"context_line":"the Apache server where Keystone is running.  
The advantages and disadvantages"},{"line_number":152,"context_line":"of this are described in the \"Problem Description\" section."},{"line_number":153,"context_line":""},{"line_number":154,"context_line":"Security Impact"}],"source_content_type":"text/x-rst","patch_set":4,"id":"7a77a97e_752034f8","line":151,"updated":"2016-11-22 15:59:16.000000000","message":"The \"Proposed Change\" says that this will be done in a new authentication which is running in the Apache server, no? If there is a clear alternative in the \"Problem Description\" section we should move it and its advantages/disadvantages to this section so that it is clear to the readers.","commit_id":"8214762e59ddf226ce906fa6d8d09d0db8036435"},{"author":{"_account_id":17860,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@gmail.com","username":"samueldmq"},"change_message_id":"3695a09b46ebd1b90e30122ecde9b082497a0ea6","unresolved":false,"context_lines":[{"line_number":170,"context_line":"------------------"},{"line_number":171,"context_line":""},{"line_number":172,"context_line":"Additional calls need to be made to the external endpoints, that may introduce"},{"line_number":173,"context_line":"a delay when responding to the user."},{"line_number":174,"context_line":""},{"line_number":175,"context_line":"Other Deployer Impact"},{"line_number":176,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"7a77a97e_08dfd769","line":173,"updated":"2016-11-16 14:15:02.000000000","message":"Can this delay be significant to our API responses ?","commit_id":"8214762e59ddf226ce906fa6d8d09d0db8036435"}]}
