)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"b61924745676b3d5ea5d121221124db19f614d19","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"52a2acf5_0c6c2580","updated":"2026-05-25 17:30:56.000000000","message":"I think valid token definition should be different for service token.","commit_id":"c4269fe0a028e9fe49d6b2f4218d217e9710c6ed"}],"keystonemiddleware/auth_token/__init__.py":[{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"b61924745676b3d5ea5d121221124db19f614d19","unresolved":true,"context_lines":[{"line_number":383,"context_line":""},{"line_number":384,"context_line":"                if self._service_token_roles_required:"},{"line_number":385,"context_line":"                    if not role_check_passed:"},{"line_number":386,"context_line":"                        # The token was validated by keystone so authentication"},{"line_number":387,"context_line":"                        # succeeded, but it lacks the required authorization."},{"line_number":388,"context_line":"                        # Mark it so the rejection logic returns 403 rather"},{"line_number":389,"context_line":"                        # than 401."},{"line_number":390,"context_line":"                        request._service_token_auth_failed \u003d True"},{"line_number":391,"context_line":"                        request.service_token_valid \u003d False"},{"line_number":392,"context_line":"                        self.log.info(\u0027The service token did not have the \u0027"},{"line_number":393,"context_line":"                                      \u0027required 
roles\u0027)"}],"source_content_type":"text/x-python","patch_set":1,"id":"61d1fb10_b001e4cf","line":390,"range":{"start_line":386,"start_character":21,"end_line":390,"end_character":65},"updated":"2026-05-25 17:30:56.000000000","message":"I have a different view of *a valid service token*. A token (even if it is valid) should not be considered a *valid service token* until it has the required role. Here, token validity refers to whether it is a service token, rather than whether it is a valid token.\n\nI added a detailed comment in https://bugs.launchpad.net/keystonemiddleware/+bug/2153561/comments/2, but to summarize my concern here:\n\nWhat if a user sends the same user token in the service token header and gets a 403? That response is an implementation leak: it invites users to keep trying some other roles to qualify as \u0027service token\u0027 and extend their user token expiry. This can lead to a security issue. That is why this tempest test was written to ensure service token validity is not compromised.\n- https://github.com/openstack/tempest/blob/2381404f65c55d1fd7514efdb9c086c480fbd89a/tempest/scenario/test_server_volume_attachment.py#L119","commit_id":"c4269fe0a028e9fe49d6b2f4218d217e9710c6ed"}]}
