)]}'
{"keystoneauth1/identity/v3/oidc.py":[{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"8f39ec3b821035f46564dc0e46b006177a24b39f","unresolved":true,"context_lines":[{"line_number":888,"context_line":"            client_auth \u003d None"},{"line_number":889,"context_line":""},{"line_number":890,"context_line":"        # rfc8628 does not require client_id when a client_secret is provided,"},{"line_number":891,"context_line":"        # but Microsoft EntraID does"},{"line_number":892,"context_line":"        payload \u003d {\u0027client_id\u0027: self.client_id, \u0027scope\u0027: self.scope}"},{"line_number":893,"context_line":""},{"line_number":894,"context_line":"        if self.code_challenge_method:"}],"source_content_type":"text/x-python","patch_set":1,"id":"4b8e8ad7_271b6a47","line":891,"updated":"2025-06-30 17:57:29.000000000","message":"We should probably clarify here that this is a no-op for other OpenID Connect implementations such as keycloak. Are we sure that\u0027s the case? Ditto for below.","commit_id":"c938172d05cc934a6ad32d4eb22b03e108368051"},{"author":{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"},"change_message_id":"9ecacaeed003ab60b1c8f4d1d74594020a484b55","unresolved":true,"context_lines":[{"line_number":888,"context_line":"            client_auth \u003d None"},{"line_number":889,"context_line":""},{"line_number":890,"context_line":"        # rfc8628 does not require client_id when a client_secret is provided,"},{"line_number":891,"context_line":"        # but Microsoft EntraID does"},{"line_number":892,"context_line":"        payload \u003d {\u0027client_id\u0027: self.client_id, \u0027scope\u0027: self.scope}"},{"line_number":893,"context_line":""},{"line_number":894,"context_line":"        if self.code_challenge_method:"}],"source_content_type":"text/x-python","patch_set":1,"id":"0d94dd7d_d46420ed","line":891,"in_reply_to":"4b8e8ad7_271b6a47","updated":"2025-07-30 14:21:52.000000000","message":"+1, we need verification that this is indeed a noop for keycloak, el al.","commit_id":"c938172d05cc934a6ad32d4eb22b03e108368051"},{"author":{"_account_id":37881,"name":"Wesley Hershberger","display_name":"Wesley Hershberger","email":"wesley.hershberger@canonical.com","username":"whershberger","status":"Support Engineering @ Canonical"},"change_message_id":"afbdcaaa8d3061e062911bd1cbf8878022a66ac2","unresolved":false,"context_lines":[{"line_number":888,"context_line":"            client_auth \u003d None"},{"line_number":889,"context_line":""},{"line_number":890,"context_line":"        # rfc8628 does not require client_id when a client_secret is provided,"},{"line_number":891,"context_line":"        # but Microsoft EntraID does"},{"line_number":892,"context_line":"        payload \u003d {\u0027client_id\u0027: self.client_id, \u0027scope\u0027: self.scope}"},{"line_number":893,"context_line":""},{"line_number":894,"context_line":"        if self.code_challenge_method:"}],"source_content_type":"text/x-python","patch_set":1,"id":"76d850c1_d0e48c9a","line":891,"in_reply_to":"4b8e8ad7_271b6a47","updated":"2025-07-30 14:26:07.000000000","message":"Sorry, I did the validation and wrote this comment but missed sending it.\n\nI\u0027ve verified that Keycloak still grants tokens when a `client_secret` is provided with `client_id` and `scope` included.\n\nThe RFC doesn\u0027t specifically address this question, but it does provide that \"The authorization server MUST ignore unrecognized request parameters.\"; so long as `client_id` and `scope` are \"unrecognized\" when the `client_secret` is provided, I think it\u0027s reasonable to still consider this change compliant with the RFC. I\u0027ve updated the comments.","commit_id":"c938172d05cc934a6ad32d4eb22b03e108368051"}]}