)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":6799,"name":"Nicholas Kuechler","email":"nkuechler@gmail.com","username":"nicholaskuechler"},"change_message_id":"d0cdd05acca695f1b023a4a179153764d825166e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"a1acb56d_43d74886","updated":"2026-01-30 22:31:40.000000000","message":"Makes sense to me.","commit_id":"634d16530fdc08059285c46ef9e8778043eda346"},{"author":{"_account_id":5890,"name":"Doug Goldstein","email":"cardoe@cardoe.com","username":"cardoe"},"change_message_id":"7483ccc4ab5d1f063cf322444780d7d508df90da","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"518ce5c8_47d8fe5c","updated":"2026-01-30 22:29:27.000000000","message":"Would like to have this backported to stable/2025.2","commit_id":"634d16530fdc08059285c46ef9e8778043eda346"}],"keystone/tests/unit/token/test_fernet_provider.py":[{"author":{"_account_id":13478,"name":"Boris Bobrov","email":"b.bobrov@sap.com","username":"bbobrov"},"change_message_id":"36790271e0528d9aea4000f41102f7cbf5e28411","unresolved":true,"context_lines":[{"line_number":108,"context_line":"        )"},{"line_number":109,"context_line":"        self.assertNotIn(expected_output, self.logging.output)"},{"line_number":110,"context_line":""},{"line_number":111,"context_line":"    def test_no_crash_on_undefined_federated_tokens(self):"},{"line_number":112,"context_line":"        token \u003d token_model.TokenModel()"},{"line_number":113,"context_line":"        token.user_id \u003d \u00270123456789abcdef0123456789abcdef0123456789abcdef\u0027"},{"line_number":114,"context_line":"        token.project_id \u003d \u00270123456789abcdef0123456789abcdef0123456789abcdef\u0027"}],"source_content_type":"text/x-python","patch_set":2,"id":"29d5e34e_2af176e2","line":111,"updated":"2026-02-05 12:50:49.000000000","message":"The test passes for me without the change to the 
code.","commit_id":"61c0c4a1bb002da42febb990f929f6113e56394b"},{"author":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"change_message_id":"826b37e72e5a5473123635c8cfdee5d0899a2c9f","unresolved":true,"context_lines":[{"line_number":108,"context_line":"        )"},{"line_number":109,"context_line":"        self.assertNotIn(expected_output, self.logging.output)"},{"line_number":110,"context_line":""},{"line_number":111,"context_line":"    def test_no_crash_on_undefined_federated_tokens(self):"},{"line_number":112,"context_line":"        token \u003d token_model.TokenModel()"},{"line_number":113,"context_line":"        token.user_id \u003d \u00270123456789abcdef0123456789abcdef0123456789abcdef\u0027"},{"line_number":114,"context_line":"        token.project_id \u003d \u00270123456789abcdef0123456789abcdef0123456789abcdef\u0027"}],"source_content_type":"text/x-python","patch_set":2,"id":"820295d0_b0db7691","line":111,"in_reply_to":"29d5e34e_2af176e2","updated":"2026-02-17 10:34:33.000000000","message":"Looking at the code I think it would make sense to try setting system scope into the token. 
The same could be actually with the trust, but then much more data should be set.","commit_id":"61c0c4a1bb002da42febb990f929f6113e56394b"}],"keystone/token/providers/fernet/core.py":[{"author":{"_account_id":13478,"name":"Boris Bobrov","email":"b.bobrov@sap.com","username":"bbobrov"},"change_message_id":"6521da9b60a46a53a95dbeeb6b97251f6af0fe66","unresolved":true,"context_lines":[{"line_number":57,"context_line":"                return tf.FederatedProjectScopedPayload"},{"line_number":58,"context_line":"            elif token.domain_scoped:"},{"line_number":59,"context_line":"                return tf.FederatedDomainScopedPayload"},{"line_number":60,"context_line":"            else:"},{"line_number":61,"context_line":"                return tf.FederatedUnscopedPayload"},{"line_number":62,"context_line":"        elif token.application_credential_id:"},{"line_number":63,"context_line":"            return tf.ApplicationCredentialScopedPayload"}],"source_content_type":"text/x-python","patch_set":2,"id":"26eeca5c_a46e252a","line":60,"updated":"2026-02-05 11:09:47.000000000","message":"I don\u0027t understand this. The payload of the token is neither federation-project-, nor federation-domain-scoped, nor federation-unscoped. What is the type then? Can it also be federation-system-scoped?\n\nThe scope type should not fallback to FederatedUnscopedPayload in this case. 
It should be clearly determined what type of scope it is.","commit_id":"61c0c4a1bb002da42febb990f929f6113e56394b"},{"author":{"_account_id":5890,"name":"Doug Goldstein","email":"cardoe@cardoe.com","username":"cardoe"},"change_message_id":"b11742a471a4267d1527647f7dc0499d56ac91a0","unresolved":true,"context_lines":[{"line_number":57,"context_line":"                return tf.FederatedProjectScopedPayload"},{"line_number":58,"context_line":"            elif token.domain_scoped:"},{"line_number":59,"context_line":"                return tf.FederatedDomainScopedPayload"},{"line_number":60,"context_line":"            else:"},{"line_number":61,"context_line":"                return tf.FederatedUnscopedPayload"},{"line_number":62,"context_line":"        elif token.application_credential_id:"},{"line_number":63,"context_line":"            return tf.ApplicationCredentialScopedPayload"}],"source_content_type":"text/x-python","patch_set":2,"id":"bbcb23f0_d4944c44","line":60,"in_reply_to":"26eeca5c_a46e252a","updated":"2026-02-05 11:36:28.000000000","message":"Tell me what kind of token it is then? Whatever skyline is doing causes the code to come out of that handled else case and crash keystone. 
The fallback case in the Un-federated is to say unscoped so I made this match.\n\nThe function is unsound as it is as it must return a non-None type yet it is returning None.","commit_id":"61c0c4a1bb002da42febb990f929f6113e56394b"},{"author":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"change_message_id":"826b37e72e5a5473123635c8cfdee5d0899a2c9f","unresolved":true,"context_lines":[{"line_number":57,"context_line":"                return tf.FederatedProjectScopedPayload"},{"line_number":58,"context_line":"            elif token.domain_scoped:"},{"line_number":59,"context_line":"                return tf.FederatedDomainScopedPayload"},{"line_number":60,"context_line":"            else:"},{"line_number":61,"context_line":"                return tf.FederatedUnscopedPayload"},{"line_number":62,"context_line":"        elif token.application_credential_id:"},{"line_number":63,"context_line":"            return tf.ApplicationCredentialScopedPayload"}],"source_content_type":"text/x-python","patch_set":2,"id":"c0d4dc7b_e4343b50","line":60,"in_reply_to":"40679484_88914853","updated":"2026-02-17 10:34:33.000000000","message":"I absolutely agree with this change. The code is buggy on many places and potentially allows having `is_federated` flag without anything else to match properly. From the federation logic pov the token can be only project, domain or unscoped. From the token_model code pov it is enough to have an empty project_id (\"\" instead of none) to be considered as a project scoped (the same for domain, system, trust). Failed condition hints the token could be matching system or trust scope validation. 
But that makes no sense and should be prohibited.\nSomehow the \"user\" has been able to authenticate already passing the scope information and we are here now in the identification of which token payload type we are going to apply, for federated login it can be either project, domain or unscoped.\nIt would be good to debug this situation deeper, but it is only going to be possible with direct code changes exposing internal data what we can\u0027t have normally due to the security constraints.","commit_id":"61c0c4a1bb002da42febb990f929f6113e56394b"},{"author":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"change_message_id":"94c2ae3317389a8883406fc8d1e215c9380f7c99","unresolved":true,"context_lines":[{"line_number":57,"context_line":"                return tf.FederatedProjectScopedPayload"},{"line_number":58,"context_line":"            elif token.domain_scoped:"},{"line_number":59,"context_line":"                return tf.FederatedDomainScopedPayload"},{"line_number":60,"context_line":"            else:"},{"line_number":61,"context_line":"                return tf.FederatedUnscopedPayload"},{"line_number":62,"context_line":"        elif token.application_credential_id:"},{"line_number":63,"context_line":"            return tf.ApplicationCredentialScopedPayload"}],"source_content_type":"text/x-python","patch_set":2,"id":"8814990f_0056e99a","line":60,"in_reply_to":"5b8081f4_c7c0ceaa","updated":"2026-02-18 15:49:01.000000000","message":"are you able to modify the keystone (just print/log the full token content as it is here) and feed the skyline on it so that we can see what exactly is being passed into this function? Otherwise the keystone debug log from the beginning of the authentication could be helpful (I doubt, but ...). Can you also try to capture the payload that the skyline is passing? 
Actually I would be expecting that mod_auth_oidc is taking care of the auth itself, but maybe the mapping is somehow \"wrong\". Can you attach your mapping as well?\n\nI agree that we are trying to fix one of the last lines of defense while the real problem is most likely somewhere else.\n\nUpdate: I think this discussion should be going in the bug report and not the change, but then the context is missing.","commit_id":"61c0c4a1bb002da42febb990f929f6113e56394b"},{"author":{"_account_id":13478,"name":"Boris Bobrov","email":"b.bobrov@sap.com","username":"bbobrov"},"change_message_id":"36790271e0528d9aea4000f41102f7cbf5e28411","unresolved":true,"context_lines":[{"line_number":57,"context_line":"                return tf.FederatedProjectScopedPayload"},{"line_number":58,"context_line":"            elif token.domain_scoped:"},{"line_number":59,"context_line":"                return tf.FederatedDomainScopedPayload"},{"line_number":60,"context_line":"            else:"},{"line_number":61,"context_line":"                return tf.FederatedUnscopedPayload"},{"line_number":62,"context_line":"        elif token.application_credential_id:"},{"line_number":63,"context_line":"            return tf.ApplicationCredentialScopedPayload"}],"source_content_type":"text/x-python","patch_set":2,"id":"40679484_88914853","line":60,"in_reply_to":"bbcb23f0_d4944c44","updated":"2026-02-05 12:50:49.000000000","message":"Sorry, i don\u0027t know what kind of token it is. The bugreport doesn\u0027t offer any insight into it. And the test creates project-scoped federated token, not an unscoped token.\n\nHow was the token obtained? What are the exact steps to reproduce the problem? This needs to be listed in the bugreport. 
After that, the test needs to reflect these steps too.","commit_id":"61c0c4a1bb002da42febb990f929f6113e56394b"},{"author":{"_account_id":5890,"name":"Doug Goldstein","email":"cardoe@cardoe.com","username":"cardoe"},"change_message_id":"595c64642e556c01d44db515248b798b71697a18","unresolved":true,"context_lines":[{"line_number":57,"context_line":"                return tf.FederatedProjectScopedPayload"},{"line_number":58,"context_line":"            elif token.domain_scoped:"},{"line_number":59,"context_line":"                return tf.FederatedDomainScopedPayload"},{"line_number":60,"context_line":"            else:"},{"line_number":61,"context_line":"                return tf.FederatedUnscopedPayload"},{"line_number":62,"context_line":"        elif token.application_credential_id:"},{"line_number":63,"context_line":"            return tf.ApplicationCredentialScopedPayload"}],"source_content_type":"text/x-python","patch_set":2,"id":"5b8081f4_c7c0ceaa","line":60,"in_reply_to":"c0d4dc7b_e4343b50","updated":"2026-02-18 15:27:14.000000000","message":"I\u0027m happy to make any updates needed. I just don\u0027t know how to proceed. I\u0027m not really sure how but skyline makes keystone crash with regularity.","commit_id":"61c0c4a1bb002da42febb990f929f6113e56394b"}]}
