)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":1004,"name":"Mohammed Naser","email":"mnaser@vexxhost.com","username":"mnaser"},"change_message_id":"414bb583249431e2eae52b54252fac8915621701","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":2,"id":"dc46c510_2a90392e","updated":"2025-12-11 15:46:01.000000000","message":"Personally, I\u0027m not too excited about this.\n\nAt the moment, we\u0027re able to make iterative changes at a fast pace, no need for contributors to learn Gerrit or use it.  As a matter of fact, the initial contributors that built all of this wanted to have it on GitHub.  I\u0027m not a fan of this change because:\n\n- The actual authors of this project now will _have_ to use Gerrit.\n- The authors are now at the mercy of the (honestly) slow to review Keystone team\n- The changes are now tied to OpenStack releases (when they don\u0027t need to be).\n\nI just don\u0027t understand the purpose of this change, if it\u0027s to make it easier, just add it as a dependency to requirements.txt and job done, why do we have to vendor the code in and now force the original authors into this world.","commit_id":"19a8e8cf3bacd14ee59bc1252d023c7fb8df177a"},{"author":{"_account_id":37730,"name":"Steve Keay","email":"steve@keay.com","username":"steve.keay"},"change_message_id":"e3692c51f4ddb5ff755e2dbfe015486b9765ce01","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"92ca2bf2_fa06344e","updated":"2025-12-11 14:40:19.000000000","message":"We use this v3websso and it works well.","commit_id":"19a8e8cf3bacd14ee59bc1252d023c7fb8df177a"},{"author":{"_account_id":36720,"name":"Syed Haseeb Ahmed","display_name":"haseeb","email":"syedhaseebahmed12@gmail.com","username":"haseeb"},"change_message_id":"195e7eee2bd9bf8ec6975df14a708c9a7bf2fdc6","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"75bd5170_5ea25dc9","updated":"2025-12-11 14:42:58.000000000","message":"plz prioritize this feature !!!","commit_id":"19a8e8cf3bacd14ee59bc1252d023c7fb8df177a"},{"author":{"_account_id":1004,"name":"Mohammed Naser","email":"mnaser@vexxhost.com","username":"mnaser"},"change_message_id":"9fdfba1c03485feeaef2c7f5c51b67236e641a24","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":2,"id":"d73fefd0_b64f4bcc","in_reply_to":"2f4337be_ae61c164","updated":"2025-12-16 14:35:40.000000000","message":"Sorry, follow up is that I saw this:\n\nhttps://review.opendev.org/c/openstack/governance/+/971178\n\nI feel better about it living under OpenStack SDK personally.","commit_id":"19a8e8cf3bacd14ee59bc1252d023c7fb8df177a"},{"author":{"_account_id":1004,"name":"Mohammed Naser","email":"mnaser@vexxhost.com","username":"mnaser"},"change_message_id":"634805477c364ad3daaa1a6c3244509b4280eb6a","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":2,"id":"2f4337be_ae61c164","in_reply_to":"36539228_ba930dbc","updated":"2025-12-16 14:33:19.000000000","message":"I\u0027m not speaking about my behalf though, personally, I don\u0027t mind using Gerrit and OpenDev.\n\nThe other contributors that helped bring this back to live will just stop contributing, and in that case we go from a few contributors to.. only one that is pushing this code here...\n\nIn addition, even if they were to \"come to terms\" with this change, now they are no longer able to be maintainers/\"cores\" of their _own_ project.  It means that something they built and had direction of is no longer in their direction..\n\nIn addition, I think the Keystone team is super behind in review work, this adds more to their plate for something that potentially they have no primary interest in maintaining.  There are many examples of Keystone work that is pushed upstream that fixes bugs that\u0027s just left open.\n\nIt\u0027s nice that everyone is hustling to get the work of this merged in, but keystoneauth remains under keystone which is a smaller core team and that seems to be even struggling..\n\nAt this point, we\u0027re a week into a fairly influential change and a lot of discussions and we haven\u0027t even had a peek from any Keystone cores.","commit_id":"19a8e8cf3bacd14ee59bc1252d023c7fb8df177a"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"66ec65eec9aa34d9c025782a2711e5b1b38a865b","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":2,"id":"b4fdc38e_b2a0e0fb","in_reply_to":"840405ef_34d04157","updated":"2025-12-15 17:14:34.000000000","message":"Also, since server distro maintainers don\u0027t backport new features, the wait time is roughly the same whether it\u0027s for the next release of the distro containing the new keystoneauth version that has your dependency vendored into it or the next release of the distro containing the new keystoneauth-websso dependency packaged. If this is about upstreaming changes you\u0027ve made to custom downstream keystoneauth packages you\u0027re deploying, why not just create a custom package for keystoneauth-websso while you\u0027re at it?\n\nVendored dependencies further raise a concern for the VMT, as the project is now on the hook for tracking, backporting and announcing fixes in keystoneauth-websso. We already don\u0027t have the tools and bandwidth to do this for all the vendored Javascript dependencies in Horizon and Skyline, and I don\u0027t want to make this problem even worse.","commit_id":"19a8e8cf3bacd14ee59bc1252d023c7fb8df177a"},{"author":{"_account_id":1004,"name":"Mohammed Naser","email":"mnaser@vexxhost.com","username":"mnaser"},"change_message_id":"3fb830233c107127aa69895b4ae7171736f0d694","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":2,"id":"840405ef_34d04157","in_reply_to":"876dba1b_f6c33a00","updated":"2025-12-13 18:13:25.000000000","message":"The argument that \"adding a dependency doesn\u0027t work when you\u0027re using distro provided packages\" is a packaging concern that should be solved at the packaging layer, not by vendoring code upstream:\n\n1. Distros can package keystoneauth-websso: If Ubuntu/RHEL want this functionality, they can create a python3-keystoneauth-websso package, just as they do for hundreds of other Python packages.  If this is really the issue, we\u0027ll happily do it.\n2. Vendoring doesn\u0027t eliminate dependencies: This proposed change still requires `platformdirs` and `webob`. If distros need to package those anyway, they can package `keystoneauth-websso` too.\n3. This is the established pattern: OpenStack has many optional plugins distributed as separate packages.  This allows independent release cycles and simpler maintenance.\n4. Maintenance burden: Vendoring this code means any bug fixes or improvements we make to keystoneauth-websso would need to be separately backported to keystoneauth, creating duplicated effort and potential drift.\n\nThe active maintainers of this functionality specifically chose to keep it as a separate project to enable faster iteration outside the OpenStack release cycle. \n\nVendoring it against the wishes of the people who wrote and maintain it seems counterproductive when the technical solution (adding it as a requirement or letting distros package it) already exists.","commit_id":"19a8e8cf3bacd14ee59bc1252d023c7fb8df177a"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"0cb209e63eff0068328a24fb5d6640c1a5284542","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":2,"id":"36539228_ba930dbc","in_reply_to":"b4fdc38e_b2a0e0fb","updated":"2025-12-16 12:28:35.000000000","message":"\u003e if it\u0027s to make it easier, just add it as a dependency to requirements.txt and job done\n\nYeah, speaking with my SDK hat on, I have a *very* strong preference *against* this. It wholly inverts the dependency chain: ksa-websso is a plugin of ksa, not the other way around. Not to mention the security concerns that fungi points out.\n\n\u003e Vendoring doesn\u0027t eliminate dependencies: This proposed change still requires `platformdirs` and `webob`. If distros need to package those anyway, they can package `keystoneauth-websso` too.\n\nI agree, we shouldn\u0027t have these here. I\u0027ve left comments to that effect. Easily fixed thankfully.\n\n\u003e The active maintainers of this functionality specifically chose to keep it as a separate project to enable faster iteration outside the OpenStack release cycle. \n\nWith the utmost of respect, 104 commits - 40 of which are dependabot-proposed bumps - doesn\u0027t suggest there is a need to rapidly iterate. And as noted earlier, nothing stops iteration out-of-tree and the plugin library we use here (stevedore) explicitly supports this (though I would hope this is not necessary).\n\nWhile I can sympathise with your concerns around keystone iteration, I don\u0027t believe the same can be said of SDK deliverables and we are working to move ksa from the former to the latter, so this should be a non-issue over time. However, you won\u0027t know if you don\u0027t try, and it doesn\u0027t appear you ever tried here? Certainly not in recent years.","commit_id":"19a8e8cf3bacd14ee59bc1252d023c7fb8df177a"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"db0c8520b2b9d91ba2d198aa7375d9dac5030687","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"b528bcc9_00ef9947","in_reply_to":"d73fefd0_b64f4bcc","updated":"2026-01-29 12:46:35.000000000","message":"FYI this projects is under OpenStackSDK governance now.","commit_id":"19a8e8cf3bacd14ee59bc1252d023c7fb8df177a"},{"author":{"_account_id":5890,"name":"Doug Goldstein","email":"cardoe@cardoe.com","username":"cardoe"},"change_message_id":"4854fb9d421852992883da86610b6fe4e78ff4b1","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":2,"id":"876dba1b_f6c33a00","in_reply_to":"dc46c510_2a90392e","updated":"2025-12-13 17:46:23.000000000","message":"So nothing is preventing you from continuing to use the out of tree module. The point here was to get this included for distros like Ubuntu and RHEL which are not packaging extra modules and getting them to do so is harder.","commit_id":"19a8e8cf3bacd14ee59bc1252d023c7fb8df177a"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"0cb209e63eff0068328a24fb5d6640c1a5284542","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"0a48edc0_5374f5a1","updated":"2025-12-16 12:28:35.000000000","message":"-1 is for my review comments. I broadly *agree* with this move.\n\nI think the amount of comments and improvement I have suggested inline (on top of the work cardoe has already done here) speaks volumes to the benefits of peer review and working with upstream","commit_id":"5dc9100d956903dbf84ebf7c1331643b09d6149d"},{"author":{"_account_id":38674,"name":"Ed Timmons","display_name":"Ed","email":"ed@delsurf.com","username":"delsurf"},"change_message_id":"773b38136695bde8d0c60adbba4a7ed31cd8d4a6","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":3,"id":"95808b5f_f4acc182","updated":"2025-12-12 14:14:03.000000000","message":"As one of the developers of keystoneauth-websso, I’m not supportive of this change.\n\nWe built this as a separate GitHub project so we could iterate quickly and keep contributions simple. Pulling it into keystoneauth forces maintainers into Gerrit, slows development to Keystone’s review pace, and ties updates to OpenStack release cycles — all things we intentionally avoided.\n\nIf the goal is easier consumption, adding it to requirements.txt would accomplish that without vendoring the entire codebase or shifting unnecessary maintenance overhead onto the original authors.","commit_id":"5dc9100d956903dbf84ebf7c1331643b09d6149d"},{"author":{"_account_id":1004,"name":"Mohammed Naser","email":"mnaser@vexxhost.com","username":"mnaser"},"change_message_id":"634805477c364ad3daaa1a6c3244509b4280eb6a","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":3,"id":"4f4b04f2_eac6cec8","updated":"2025-12-16 14:33:19.000000000","message":"Thanks for the comments and the activity @stephenfin@redhat.com","commit_id":"5dc9100d956903dbf84ebf7c1331643b09d6149d"},{"author":{"_account_id":34348,"name":"Jeremy Lee","email":"jeremy.lee1664@gmail.com","username":"jeremy.lee"},"change_message_id":"ad2ca1b717a495000bf573b179829ea231d95f38","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":3,"id":"3083b3fe_8386ec9e","updated":"2025-12-12 15:03:06.000000000","message":"We discussed this at length and specifically went with GitHub as our source of truth for the reasons already articulated by Ed and Mohammed, requirements.txt is the way to go.","commit_id":"5dc9100d956903dbf84ebf7c1331643b09d6149d"},{"author":{"_account_id":5890,"name":"Doug Goldstein","email":"cardoe@cardoe.com","username":"cardoe"},"change_message_id":"4854fb9d421852992883da86610b6fe4e78ff4b1","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":3,"id":"c172cdf5_fc4cdbc6","in_reply_to":"3083b3fe_8386ec9e","updated":"2025-12-13 17:46:23.000000000","message":"Again, you can continue to use the GitHub repo as out of tree. This isn\u0027t replacing your code base. It\u0027s a slightly different implementation.","commit_id":"5dc9100d956903dbf84ebf7c1331643b09d6149d"},{"author":{"_account_id":1004,"name":"Mohammed Naser","email":"mnaser@vexxhost.com","username":"mnaser"},"change_message_id":"3fb830233c107127aa69895b4ae7171736f0d694","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":3,"id":"e155717d_c59d92bd","in_reply_to":"884f9cac_3e0feb79","updated":"2025-12-13 18:13:25.000000000","message":"Because this will clobber the `v3websso` `auth_type`.  It\u0027s also just the principle that you\u0027ve taken something that people have worked on building and improving elsewhere, only to take it away from them and force them to use our tooling.\n\nWe struggle getting new contributors, now when people innovate and improve around OpenStack, we\u0027re going to instead punish them by taking their work and bringing it off the platform that they used to innovate?  Come on.","commit_id":"5dc9100d956903dbf84ebf7c1331643b09d6149d"},{"author":{"_account_id":5890,"name":"Doug Goldstein","email":"cardoe@cardoe.com","username":"cardoe"},"change_message_id":"4854fb9d421852992883da86610b6fe4e78ff4b1","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":3,"id":"884f9cac_3e0feb79","in_reply_to":"95808b5f_f4acc182","updated":"2025-12-13 17:46:23.000000000","message":"Adding it to requirements.txt doesn\u0027t work when you\u0027re using distro provided packages.\n\nI don\u0027t understand the hesitancy against this. If you don\u0027t want to use the in-tree version then continue to use the out of tree version.","commit_id":"5dc9100d956903dbf84ebf7c1331643b09d6149d"},{"author":{"_account_id":1004,"name":"Mohammed Naser","email":"mnaser@vexxhost.com","username":"mnaser"},"change_message_id":"3fb830233c107127aa69895b4ae7171736f0d694","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":3,"id":"bf2b97fe_8806b680","in_reply_to":"c172cdf5_fc4cdbc6","updated":"2025-12-13 18:13:25.000000000","message":"I\u0027ve done a detailed side-by-side comparison of this proposed code with keystoneauth-websso, and I must respectfully disagree with the characterization that this is a different implementation.\n\nThe implementations are structurally and algorithmically identical:\n\n- Same `_ClientCallbackServer` with same 60-second timeout\n- Same `_ClientCallbackHandler` with identical HTML responses\n- Same `_wait_for_token()` helper\n- Same `federated_token_url` construction pattern\n- Same cache ID generation using the exact same regex: `\"os-\" + re.sub(\"[^A-Za-z0-9-]+\", \"-\", ...)`\n- Same token expiration checking logic\n- Same file permissions (0o600)\n- Same default port (9990)\n\nThe differences are cosmetic: swapping `multipart` for `webob` (functionally equivalent), adding type hints, renaming methods with underscore prefixes, and using f-strings instead of % formatting.\n\nThe original 2016 copyright headers from Spanish National Research Council / INDIGO-DataCloud have been reduced to a comment attribution, which raises questions about proper derivative work acknowledgment under Apache 2.0.","commit_id":"5dc9100d956903dbf84ebf7c1331643b09d6149d"},{"author":{"_account_id":1004,"name":"Mohammed Naser","email":"mnaser@vexxhost.com","username":"mnaser"},"change_message_id":"634805477c364ad3daaa1a6c3244509b4280eb6a","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":3,"id":"480ff3be_5c0fd1cf","in_reply_to":"c76aa908_44447f3a","updated":"2025-12-16 14:33:19.000000000","message":"I think developing ksa-websso in parallel would just lead the folks on it to move on because it\u0027ll cause even more confusion for the users (why is this feature not working? oh wait, it\u0027s vendored, no, download this other thing, etc).","commit_id":"5dc9100d956903dbf84ebf7c1331643b09d6149d"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"0cb209e63eff0068328a24fb5d6640c1a5284542","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":3,"id":"c76aa908_44447f3a","in_reply_to":"e155717d_c59d92bd","updated":"2025-12-16 12:28:35.000000000","message":"I have no horse in this race, but I\u0027d like to clarify a few things:\n\n\u003e Because this will clobber the `v3websso` `auth_type`.\n\nThis is a non-issue. We use stevedore to load plugins. stevedore has provide hooking mechanisms to modify the behavior of existing plugins pretty much since its inception. In addition, the most recent releases also provide [conflict resolution functionality](https://opendev.org/openstack/stevedore/commit/bf0b6d14a55321586077c9b3b9b7bdb971ea4a06). It would be trivial (1 line) to configure ksa to prefer the variant of this plugin provided by keystoneauth-websso if that\u0027s something you want.\n\n\u003e We struggle getting new contributors, now when people innovate and improve around OpenStack, we\u0027re going to instead punish them by taking their work and bringing it off the platform that they used to innovate? Come on.\n\nAgain, there is no reason ksa-websso can\u0027t continue to be developed in parallel, while the claim of someone having their work taken makes no sense: the Apache license explicitly allows for this once attribution is given, which I see in both the commit message and the files.","commit_id":"5dc9100d956903dbf84ebf7c1331643b09d6149d"}],"doc/source/index.rst":[{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"0cb209e63eff0068328a24fb5d6640c1a5284542","unresolved":true,"context_lines":[{"line_number":15,"context_line":"   using-sessions"},{"line_number":16,"context_line":"   authentication-plugins"},{"line_number":17,"context_line":"   plugin-options"},{"line_number":18,"context_line":"   v3websso"},{"line_number":19,"context_line":""},{"line_number":20,"context_line":"   extras"},{"line_number":21,"context_line":"   migrating"}],"source_content_type":"text/x-rst","patch_set":3,"id":"52b8e736_54902b71","line":18,"updated":"2025-12-16 12:28:35.000000000","message":"Per my comment on the next page\n\n```suggestion\n   plugins\n```","commit_id":"5dc9100d956903dbf84ebf7c1331643b09d6149d"}],"doc/source/v3websso.rst":[{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"0cb209e63eff0068328a24fb5d6640c1a5284542","unresolved":true,"context_lines":[{"line_number":1,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":2,"context_line":"V3 Web SSO OpenID Connect Plugin"},{"line_number":3,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":4,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"f1bd0545_dc6a4591","line":1,"updated":"2025-12-16 12:28:35.000000000","message":"Can you place this in a `plugins` directory? That will allow us to provide equivalent docs for other plugins (particularly OIDC ones) in time.\n\nYou\u0027ll also want to create an `index.rst` file and use a glob to list all files in the directory.","commit_id":"5dc9100d956903dbf84ebf7c1331643b09d6149d"}],"keystoneauth1/identity/v3/websso.py":[{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"0cb209e63eff0068328a24fb5d6640c1a5284542","unresolved":true,"context_lines":[{"line_number":28,"context_line":"from http.server import HTTPServer"},{"line_number":29,"context_line":"import json"},{"line_number":30,"context_line":"from pathlib import Path"},{"line_number":31,"context_line":"import re"},{"line_number":32,"context_line":"from typing import Any"},{"line_number":33,"context_line":"from typing import cast"},{"line_number":34,"context_line":"import webbrowser"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"from webob import Request"}],"source_content_type":"text/x-python","patch_set":3,"id":"bc3c8dcd_db717519","line":33,"range":{"start_line":31,"start_character":9,"end_line":33,"end_character":23},"updated":"2025-12-16 12:28:35.000000000","message":"While I have moved towards using direct imports from `typing` recently, the type hints in ksa pre-date that move. Can you replace this with `import typing as ty` for now so that it\u0027s consistent with the rest of the code base. We can bulk change this later.\n\nDitto for other object imports, btw.","commit_id":"5dc9100d956903dbf84ebf7c1331643b09d6149d"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"0cb209e63eff0068328a24fb5d6640c1a5284542","unresolved":true,"context_lines":[{"line_number":66,"context_line":""},{"line_number":67,"context_line":"        Authentication may fail and we could get stuck here forever, so this"},{"line_number":68,"context_line":"        method sets up a sane timeout."},{"line_number":69,"context_line":"        \"\"\""},{"line_number":70,"context_line":"        # NOTE: cannot call super here, as HTTPServer does not have"},{"line_number":71,"context_line":"        # object as an ancestor in some Python versions"},{"line_number":72,"context_line":"        HTTPServer.server_bind(self)"},{"line_number":73,"context_line":"        self.socket.settimeout(60)"},{"line_number":74,"context_line":""},{"line_number":75,"context_line":""}],"source_content_type":"text/x-python","patch_set":3,"id":"5248c496_90a27e30","line":72,"range":{"start_line":69,"start_character":11,"end_line":72,"end_character":36},"updated":"2025-12-16 12:28:35.000000000","message":"This hasn\u0027t been true since Python 3.0\n\n\n\n```suggestion\n        \"\"\"\n        super().server_bind()\n```","commit_id":"5dc9100d956903dbf84ebf7c1331643b09d6149d"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"0cb209e63eff0068328a24fb5d6640c1a5284542","unresolved":true,"context_lines":[{"line_number":91,"context_line":"        from the completed mod_auth_openidc session."},{"line_number":92,"context_line":"        \"\"\""},{"line_number":93,"context_line":"        if self.headers:"},{"line_number":94,"context_line":"            environ \u003d {"},{"line_number":95,"context_line":"                \"REQUEST_METHOD\": \"POST\","},{"line_number":96,"context_line":"                \"CONTENT_LENGTH\": self.headers[\"Content-Length\"],"},{"line_number":97,"context_line":"                \"CONTENT_TYPE\": self.headers[\"Content-Type\"],"},{"line_number":98,"context_line":"                \"wsgi.input\": self.rfile,"},{"line_number":99,"context_line":"            }"},{"line_number":100,"context_line":"            request \u003d Request(environ)"},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"            self.send_response(200)"},{"line_number":103,"context_line":"            self.send_header(\"Content-type\", \"text/html\")"}],"source_content_type":"text/x-python","patch_set":3,"id":"266a4967_81d0abf2","line":100,"range":{"start_line":94,"start_character":0,"end_line":100,"end_character":38},"updated":"2025-12-16 12:28:35.000000000","message":"So we\u0027re just using this to pull and parse the body of the `POST` request, right? If so, webob is overkill for this. Let\u0027s just use `urllib.parse` from stdlib.\n\n```suggestion\n            content_length \u003d int(self.headers[\u0027Content-Length\u0027])\n            body \u003d self.rfile.read(content_length).decode(\u0027utf-8\u0027)\n            params \u003d urllib.parse.parse_qs(body)\n```","commit_id":"5dc9100d956903dbf84ebf7c1331643b09d6149d"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"0cb209e63eff0068328a24fb5d6640c1a5284542","unresolved":true,"context_lines":[{"line_number":103,"context_line":"            self.send_header(\"Content-type\", \"text/html\")"},{"line_number":104,"context_line":"            self.end_headers()"},{"line_number":105,"context_line":"            self.wfile.write("},{"line_number":106,"context_line":"                b\"\u003chtml\u003e\u003chead\u003e\u003ctitle\u003eAuthentication Status OK\u003c/title\u003e\""},{"line_number":107,"context_line":"                b\"\u003cscript\u003ewindow.close()\u003c/script\u003e\u003c/head\u003e\""},{"line_number":108,"context_line":"                b\"\u003cbody\u003e\u003cp\u003eThe authentication flow has been completed.\u003c/p\u003e\""},{"line_number":109,"context_line":"                b\"\u003cp\u003eYou can close this window.\u003c/p\u003e\""}],"source_content_type":"text/x-python","patch_set":3,"id":"968a9c22_d1d80dfa","line":106,"updated":"2025-12-16 12:28:35.000000000","message":"err, don\u0027t we need `\u003c!doctype html\u003e` for this to be valid HTML?","commit_id":"5dc9100d956903dbf84ebf7c1331643b09d6149d"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"0cb209e63eff0068328a24fb5d6640c1a5284542","unresolved":true,"context_lines":[{"line_number":120,"context_line":"            self.send_header(\"Content-type\", \"text/html\")"},{"line_number":121,"context_line":"            self.end_headers()"},{"line_number":122,"context_line":"            self.wfile.write("},{"line_number":123,"context_line":"                b\"\u003chtml\u003e\u003chead\u003e\u003ctitle\u003eAuthentication Status Failed\u003c/title\u003e\u003c/head\u003e\""},{"line_number":124,"context_line":"                b\"\u003cbody\u003e\u003cp\u003eThe authentication flow failed.\u003c/p\u003e\""},{"line_number":125,"context_line":"                b\"\u003cp\u003eYou can close this window.\u003c/p\u003e\""},{"line_number":126,"context_line":"                b\"\u003c/body\u003e\u003c/html\u003e\""}],"source_content_type":"text/x-python","patch_set":3,"id":"b9586113_796eb9a9","line":123,"in_reply_to":"36efb08b_253021f6","updated":"2025-12-16 12:28:35.000000000","message":"You can `noqa: E501` this line. Or, better, move `\u003chead\u003e...\u003c/head\u003e` to its own line.\n\nAlso, same comment as above re `\u003c!doctype html\u003e` tag","commit_id":"5dc9100d956903dbf84ebf7c1331643b09d6149d"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"0cb209e63eff0068328a24fb5d6640c1a5284542","unresolved":true,"context_lines":[{"line_number":134,"context_line":"                          be redirected. This normally is localhost. This"},{"line_number":135,"context_line":"                          indicates the hostname where the callback http"},{"line_number":136,"context_line":"                          server will listen."},{"line_number":137,"context_line":"    :type redirect_host: str"},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"    :param redirect_port: The port where the authorization request will"},{"line_number":140,"context_line":"                          be redirected. This indicates the port where the"}],"source_content_type":"text/x-python","patch_set":3,"id":"d3370927_66e45b3d","line":137,"updated":"2025-12-16 12:28:35.000000000","message":"You don\u0027t need these: we have type hints","commit_id":"5dc9100d956903dbf84ebf7c1331643b09d6149d"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"0cb209e63eff0068328a24fb5d6640c1a5284542","unresolved":true,"context_lines":[{"line_number":142,"context_line":"    :type redirect_port: int"},{"line_number":143,"context_line":""},{"line_number":144,"context_line":"    :returns: The authentication token"},{"line_number":145,"context_line":"    :rtype: str"},{"line_number":146,"context_line":""},{"line_number":147,"context_line":"    :raises _MissingTokenError: If token could not be obtained"},{"line_number":148,"context_line":"    \"\"\""}],"source_content_type":"text/x-python","patch_set":3,"id":"a8ca2df6_841c6ee0","line":145,"updated":"2025-12-16 12:28:35.000000000","message":"Also not needed","commit_id":"5dc9100d956903dbf84ebf7c1331643b09d6149d"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"0cb209e63eff0068328a24fb5d6640c1a5284542","unresolved":true,"context_lines":[{"line_number":144,"context_line":"    :returns: The authentication token"},{"line_number":145,"context_line":"    :rtype: str"},{"line_number":146,"context_line":""},{"line_number":147,"context_line":"    :raises _MissingTokenError: If token could not be obtained"},{"line_number":148,"context_line":"    \"\"\""},{"line_number":149,"context_line":"    server_address \u003d (redirect_host, redirect_port)"},{"line_number":150,"context_line":"    try:"}],"source_content_type":"text/x-python","patch_set":3,"id":"30d528d2_86bf4ff6","line":147,"updated":"2025-12-16 12:28:35.000000000","message":"This can raise `OSError` too?","commit_id":"5dc9100d956903dbf84ebf7c1331643b09d6149d"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"0cb209e63eff0068328a24fb5d6640c1a5284542","unresolved":true,"context_lines":[{"line_number":161,"context_line":"    httpd.handle_request()"},{"line_number":162,"context_line":"    httpd.server_close()"},{"line_number":163,"context_line":""},{"line_number":164,"context_line":"    if httpd.token:"},{"line_number":165,"context_line":"        return httpd.token"},{"line_number":166,"context_line":"    else:"},{"line_number":167,"context_line":"        raise _MissingTokenError()"},{"line_number":168,"context_line":""},{"line_number":169,"context_line":""},{"line_number":170,"context_line":"class WebSSOOpenIDConnect(federation.FederationBaseAuth):"}],"source_content_type":"text/x-python","patch_set":3,"id":"6486be28_8452ee0f","line":167,"range":{"start_line":164,"start_character":0,"end_line":167,"end_character":34},"updated":"2025-12-16 12:28:35.000000000","message":"nit: Could you invert this to make the error path the conditional one?\n\n```suggestion\n    if not httpd.token:\n        raise _MissingTokenError()\n        \n    return httpd.token\n```","commit_id":"5dc9100d956903dbf84ebf7c1331643b09d6149d"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"0cb209e63eff0068328a24fb5d6640c1a5284542","unresolved":true,"context_lines":[{"line_number":205,"context_line":"                                  will authenticate against. This parameter"},{"line_number":206,"context_line":"                                  will be used to build a dynamic URL used to"},{"line_number":207,"context_line":"                                  obtain unscoped OpenStack token."},{"line_number":208,"context_line":"        :type identity_provider: str"},{"line_number":209,"context_line":""},{"line_number":210,"context_line":"        :param protocol: Name of the protocol the client will authenticate"},{"line_number":211,"context_line":"                         against."}],"source_content_type":"text/x-python","patch_set":3,"id":"d104c702_e1248412","line":208,"updated":"2025-12-16 12:28:35.000000000","message":"As above, we don\u0027t need these (or the `rtype`)","commit_id":"5dc9100d956903dbf84ebf7c1331643b09d6149d"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"0cb209e63eff0068328a24fb5d6640c1a5284542","unresolved":true,"context_lines":[{"line_number":242,"context_line":"            include_catalog\u003dinclude_catalog,"},{"line_number":243,"context_line":"        )"},{"line_number":244,"context_line":"        if cache_path:"},{"line_number":245,"context_line":"            self.cache_path \u003d Path(cache_path)"},{"line_number":246,"context_line":"        else:"},{"line_number":247,"context_line":"            # Use platform-specific cache directory"},{"line_number":248,"context_line":"            import platformdirs"},{"line_number":249,"context_line":""},{"line_number":250,"context_line":"            self.cache_path \u003d Path(platformdirs.user_cache_dir(\u0027keystone\u0027))"},{"line_number":251,"context_line":""},{"line_number":252,"context_line":"        self.redirect_host \u003d redirect_host"},{"line_number":253,"context_line":"        self.redirect_port \u003d int(redirect_port)"},{"line_number":254,"context_line":"        self.redirect_uri \u003d ("}],"source_content_type":"text/x-python","patch_set":3,"id":"0505ec13_1a529d3a","line":251,"range":{"start_line":245,"start_character":46,"end_line":251,"end_character":1},"updated":"2025-12-16 12:28:35.000000000","message":"err, can we do this at the application level instead (by insisting on the `cache_path` argument? ksa is not currently in the business of maintaining filesystem-based caches and I don\u0027t believe it should be.\n\n(This assumes the cache is needed and is not simply an optimization, in which case we could simply remove the `else` block here)","commit_id":"5dc9100d956903dbf84ebf7c1331643b09d6149d"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"0cb209e63eff0068328a24fb5d6640c1a5284542","unresolved":true,"context_lines":[{"line_number":252,"context_line":"        self.redirect_host \u003d redirect_host"},{"line_number":253,"context_line":"        self.redirect_port \u003d int(redirect_port)"},{"line_number":254,"context_line":"        self.redirect_uri \u003d ("},{"line_number":255,"context_line":"            f\"http://{self.redirect_host}:{self.redirect_port}/auth/websso/\""},{"line_number":256,"context_line":"        )"},{"line_number":257,"context_line":""},{"line_number":258,"context_line":"    @property"}],"source_content_type":"text/x-python","patch_set":3,"id":"e969c35b_2a69a70f","line":255,"updated":"2025-12-16 12:28:35.000000000","message":"I\u0027m guessing this RFC-specified and doesn\u0027t need to be configurable?","commit_id":"5dc9100d956903dbf84ebf7c1331643b09d6149d"}],"keystoneauth1/loading/_plugins/identity/v3.py":[{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"0cb209e63eff0068328a24fb5d6640c1a5284542","unresolved":true,"context_lines":[{"line_number":613,"context_line":"            ["},{"line_number":614,"context_line":"                loading.Opt("},{"line_number":615,"context_line":"                    \u0027redirect-host\u0027,"},{"line_number":616,"context_line":"                    default\u003d\u0027localhost\u0027,"},{"line_number":617,"context_line":"                    help\u003d\u0027Hostname where the callback server will listen. \u0027"},{"line_number":618,"context_line":"                    \u0027Default is localhost.\u0027,"},{"line_number":619,"context_line":"                ),"},{"line_number":620,"context_line":"                loading.Opt("},{"line_number":621,"context_line":"                    \u0027redirect-port\u0027,"}],"source_content_type":"text/x-python","patch_set":3,"id":"7fbafc81_736ff2a9","line":618,"range":{"start_line":616,"start_character":40,"end_line":618,"end_character":44},"updated":"2025-12-16 12:28:35.000000000","message":"nit:\n\n```suggestion\n                    default\u003d\u0027localhost\u0027,\n                    help\u003d(\n                        \u0027Hostname where the callback server will listen. \u0027\n                        \u0027Default is localhost.\u0027\n                    ),\n```\n\nand below. It\u0027s a pity ruff can\u0027t do this for us...","commit_id":"5dc9100d956903dbf84ebf7c1331643b09d6149d"}],"releasenotes/notes/v3websso-added-fcf0cda3069229f9.yaml":[{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"0cb209e63eff0068328a24fb5d6640c1a5284542","unresolved":true,"context_lines":[{"line_number":7,"context_line":"    authenticate with their Identity Provider and capturing the resulting"},{"line_number":8,"context_line":"    token via a local callback server."},{"line_number":9,"context_line":""},{"line_number":10,"context_line":"    Based on the keystoneauth-websso plugin originally developed by:"},{"line_number":11,"context_line":"    - Spanish National Research Council"},{"line_number":12,"context_line":"    - INDIGO-DataCloud"},{"line_number":13,"context_line":"    - VEXXHOST (https://github.com/vexxhost/keystoneauth-websso)"}],"source_content_type":"text/x-yaml","patch_set":3,"id":"65c7b9ef_85049546","line":10,"updated":"2025-12-16 12:28:35.000000000","message":"You need a newline before an enumerated list in rST otherwise this renders as a single paragraph.\n\n```suggestion\n    Based on the keystoneauth-websso plugin originally developed by:\n\n```","commit_id":"5dc9100d956903dbf84ebf7c1331643b09d6149d"}],"requirements.txt":[{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"0cb209e63eff0068328a24fb5d6640c1a5284542","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":3,"id":"8c614bef_097624a3","line":22,"range":{"start_line":20,"start_character":0,"end_line":22,"end_character":1},"updated":"2025-12-16 12:28:35.000000000","message":"I noted this inline but we shouldn\u0027t need either of these.","commit_id":"5dc9100d956903dbf84ebf7c1331643b09d6149d"}]}