)]}'
{"id":"openstack%2Fkeystone~985923","triplet_id":"openstack%2Fkeystone~stable%2F2026.1~I9506557609ff7edaa6a961f356f9b8e19faaefc3","project":"openstack/keystone","branch":"stable/2026.1","attention_set":{},"removed_from_attention_set":{"27900":{"account":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"last_update":"2026-05-06 15:00:22.000000000","reason":"\u003cGERRIT_ACCOUNT_27900\u003e replied on the change","reason_account":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"}},"37598":{"account":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"last_update":"2026-05-06 17:00:20.000000000","reason":"Change was submitted"},"14250":{"account":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"last_update":"2026-05-06 17:00:20.000000000","reason":"Change was submitted"},"7414":{"account":{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"},"last_update":"2026-05-06 17:00:20.000000000","reason":"Change was submitted"}},"hashtags":[],"change_id":"I9506557609ff7edaa6a961f356f9b8e19faaefc3","subject":"Block app cred tokens from authorizing OAuth1 requests","status":"MERGED","created":"2026-04-23 07:50:01.000000000","updated":"2026-05-06 17:01:44.000000000","submitted":"2026-05-06 17:00:20.000000000","submitter":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"total_comment_count":1,"unresolved_comment_count":0,"has_review_started":true,"submission_id":"985923","cherry_pick_of_change":983656,"cherry_pick_of_patch_set":2,"meta_rev_id":"737273f27e9d5b2fa7eeaa2a8e6f55f06a4d272e","_number":985923,"virtual_id_number":985923,"owner":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"actions":{},"labels":{"Verified":{"approved":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"all":[{"value":0,"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},{"tag":"autogenerated:zuul:gate","value":2,"date":"2026-05-06 17:00:20.000000000","permitted_voting_range":{"min":2,"max":2},"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}],"values":{"-2":"Fails","-1":"Doesn\u0027t seem to work"," 0":"No score","+1":"Works for me","+2":"Verified"},"description":"","default_value":0,"optional":true},"Code-Review":{"approved":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"all":[{"value":2,"date":"2026-05-06 15:00:22.000000000","permitted_voting_range":{"min":2,"max":2},"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},{"value":0,"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}],"values":{"-2":"Do not merge","-1":"This patch needs further work before it can be merged"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me (core reviewer)"},"description":"","default_value":0,"optional":true},"Workflow":{"approved":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"all":[{"value":1,"date":"2026-05-06 15:00:22.000000000","permitted_voting_range":{"min":1,"max":1},"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},{"value":0,"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}],"values":{"-1":"Work in progress"," 0":"Ready for reviews","+1":"Approved"},"description":"","default_value":0,"optional":true}},"removable_reviewers":[{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"}],"reviewers":{"CC":[{"_account_id":13478,"name":"Boris Bobrov","email":"b.bobrov@sap.com","username":"bbobrov"}],"REVIEWER":[{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"},{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"}]},"pending_reviewers":{},"reviewer_updates":[{"updated":"2026-04-23 07:50:01.000000000","updated_by":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"reviewer":{"_account_id":13478,"name":"Boris Bobrov","email":"b.bobrov@sap.com","username":"bbobrov"},"state":"CC"},{"updated":"2026-04-23 09:40:54.000000000","updated_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"reviewer":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"state":"REVIEWER"},{"updated":"2026-04-24 10:48:53.000000000","updated_by":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"reviewer":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"state":"REVIEWER"},{"updated":"2026-04-24 14:02:52.000000000","updated_by":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"reviewer":{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"},"state":"REVIEWER"},{"updated":"2026-04-24 14:02:52.000000000","updated_by":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"reviewer":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"state":"REVIEWER"}],"messages":[{"id":"b3aafcabc571cbe708be7a44e5b3f2794da85924","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"date":"2026-04-23 07:50:01.000000000","message":"Patch Set 1: Cherry Picked from branch master.","accounts_in_message":[],"_revision_number":1},{"id":"80593a166c0c39d5fa9f4d9569b1e698ed7f7a89","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"date":"2026-04-23 07:53:14.000000000","message":"Patch Set 2: Patch Set 1 was rebased","accounts_in_message":[],"_revision_number":2},{"id":"cb75c99523cfa6e71fde188ab19d4e10f947bfa1","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"date":"2026-04-23 07:54:13.000000000","message":"Patch Set 3: Patch Set 2 was rebased","accounts_in_message":[],"_revision_number":3},{"id":"646422ef1d60184b5a997451deec9da165133584","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-04-23 09:40:54.000000000","message":"Patch Set 3: Verified+1\n\nBuild succeeded (check pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/658bb586bf464a1799589909ce96a002\n\n- openstack-tox-cover https://zuul.opendev.org/t/openstack/build/fcc5e242709d45c1897adb9691b2ab58 : SUCCESS in 16m 43s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/c4d09e9b5fdc4dc5ac16a2495a1878a7 : SUCCESS in 5m 31s\n- openstack-tox-py310 https://zuul.opendev.org/t/openstack/build/a6dc3846221a4aae8eecde441c833a64 : SUCCESS in 15m 03s\n- openstack-tox-py313 https://zuul.opendev.org/t/openstack/build/67c649cf8c344d179fa741fe14525dd0 : SUCCESS in 10m 34s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/9a48ba5858314f20aafee57728af91f7 : SUCCESS in 7m 10s\n- grenade https://zuul.opendev.org/t/openstack/build/692bd29a39054e6c9b9767afb9e9a036 : SUCCESS in 1h 09m 13s\n- tempest-full-py3 https://zuul.opendev.org/t/openstack/build/cee2085414fd454db750b34dec050ae9 : SUCCESS in 1h 41m 46s\n- keystoneclient-devstack-functional https://zuul.opendev.org/t/openstack/build/f0d96820e82048c78e25d1d099ea4629 : SUCCESS in 19m 48s (non-voting)\n- keystone-tempest https://zuul.opendev.org/t/openstack/build/1892e7387e7f4c3dac30b96ba38de715 : SUCCESS in 29m 32s\n- keystone-tempest-fips https://zuul.opendev.org/t/openstack/build/a26177349f4349fa906c9d3a795cdfd1 : FAILURE in 12m 51s (non-voting)\n- keystone-tempest-federation https://zuul.opendev.org/t/openstack/build/423c9fb75bdb41418aeacbb3867a0d89 : FAILURE in 13m 26s (non-voting)\n- keystone-tempest-federation-k2k https://zuul.opendev.org/t/openstack/build/8d790e49dc734ef4852bd5427324a2f8 : SUCCESS in 28m 06s\n- keystone-tempest-oidc-federation https://zuul.opendev.org/t/openstack/build/06a340ae011c4160878b189ac9b802c3 : SUCCESS in 29m 03s\n- keystone-tempest-ldap-domain-specific-driver https://zuul.opendev.org/t/openstack/build/7d4d58a286044bfeb474b83e839c1573 : SUCCESS in 38m 40s (non-voting)\n- tempest-ipv6-only https://zuul.opendev.org/t/openstack/build/d47bd9f01e264aea818407dc44aad7fb : SUCCESS in 31m 44s\n- keystone-protection-functional https://zuul.opendev.org/t/openstack/build/0f44e64cd53340f6b8d7c4b939b4b86c : FAILURE in 40m 23s (non-voting)\n- codegenerator-openapi-identity-tips-with-api-ref https://zuul.opendev.org/t/openstack/build/419991c8be074f5491ab714a65480662 : SUCCESS in 6m 53s (non-voting)","accounts_in_message":[],"_revision_number":3},{"id":"a3b35f64ca83c86a835de156b8b0aac895a1610b","author":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"date":"2026-04-24 10:48:53.000000000","message":"Patch Set 3: Code-Review+2","accounts_in_message":[],"_revision_number":3},{"id":"c574107e849bffa08878f3e7856534fd84a3865e","author":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"date":"2026-05-06 08:48:15.000000000","message":"Patch Set 3: Workflow+1","accounts_in_message":[],"_revision_number":3},{"id":"503fbd5e298e11cba01200d993e7608fab2d1490","tag":"autogenerated:zuul:gate","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-05-06 08:49:07.000000000","message":"Patch Set 3: -Verified\n\nStarting gate jobs.","accounts_in_message":[],"_revision_number":3},{"id":"ca95b83b2955c7a12eebdcb44d3c271d8f6bab73","tag":"autogenerated:zuul:gate","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-05-06 10:53:15.000000000","message":"Patch Set 3: Verified+2\n\nBuild succeeded (gate pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/9c7e8639c19644929dec886bb1679a7e\n\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/5e4301bfccb741639e34f6e0e011e8ff : SUCCESS in 5m 04s\n- openstack-tox-py310 https://zuul.opendev.org/t/openstack/build/1d39c1f9d9d14cee912b71c846e7232c : SUCCESS in 7m 17s\n- openstack-tox-py313 https://zuul.opendev.org/t/openstack/build/2a89cfb990f949e2813944c7ee169d63 : SUCCESS in 12m 58s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/35e406afacaa4ca0b6014d47e5b2fb1d : SUCCESS in 13m 32s\n- grenade https://zuul.opendev.org/t/openstack/build/0726570432af4b368fba0f54369f41bd : SUCCESS in 1h 07m 02s\n- tempest-full-py3 https://zuul.opendev.org/t/openstack/build/2f54b71157284c169ebb878ff6107d2d : SUCCESS in 1h 50m 49s\n- keystone-tempest https://zuul.opendev.org/t/openstack/build/80425aea860d413398a6cada9319883d : SUCCESS in 29m 52s\n- keystone-tempest-federation-k2k https://zuul.opendev.org/t/openstack/build/798a435b55824ba2bc50551cd1007f8f : SUCCESS in 23m 03s\n- tempest-ipv6-only https://zuul.opendev.org/t/openstack/build/e008db11baf342c083496dd8bc163450 : SUCCESS in 59m 20s\n- keystone-protection-functional https://zuul.opendev.org/t/openstack/build/6fc5d7137f524382ae7160a50dea7e57 : FAILURE in 27m 07s (non-voting)","accounts_in_message":[],"_revision_number":3},{"id":"be9d1742f8ce5fa84b254ce0bb6a16b8160b8d1b","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"date":"2026-05-06 14:45:12.000000000","message":"Patch Set 4: Patch Set 3 was rebased\n\nCopied Votes:\n* Code-Review+2 (copy condition: \"**changekind:TRIVIAL_REBASE** OR is:MIN\")\n\nOutdated Votes:\n* Verified+2 (copy condition: \"NEVER\")\n* Workflow+1 (copy condition: \"NEVER\")\n","accounts_in_message":[],"_revision_number":4},{"id":"33f02775cd2a5a2bca0fabcf2d139ffd5270a27a","author":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"date":"2026-05-06 14:45:47.000000000","message":"Patch Set 4:\n\n(1 comment)","accounts_in_message":[],"_revision_number":4},{"id":"420764e2eb9a1fddb39be55444e6bf99225d2e14","author":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"date":"2026-05-06 15:00:22.000000000","message":"Patch Set 4: Code-Review+2 Workflow+1","accounts_in_message":[],"_revision_number":4},{"id":"4c2f0131cb7cae51a47079323a883dcdcf9a9fa7","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-05-06 15:37:30.000000000","message":"Patch Set 4: Verified+1\n\nBuild succeeded (check pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/08db0494237a4cf1a156ab8ccf3febd5\n\n- openstack-tox-cover https://zuul.opendev.org/t/openstack/build/bca40306e91c47d9bc34d171a8bb98e0 : SUCCESS in 15m 54s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/fba613f592714e579f2f77123ceafec2 : SUCCESS in 3m 02s\n- openstack-tox-py310 https://zuul.opendev.org/t/openstack/build/f1aca447dded4720aa4a0de46d84ddf4 : SUCCESS in 12m 12s\n- openstack-tox-py313 https://zuul.opendev.org/t/openstack/build/7753aa2632f545c78fdd9ef1998ca801 : SUCCESS in 9m 52s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/43bad9881b264ef2b824172a93f23033 : SUCCESS in 13m 56s\n- grenade https://zuul.opendev.org/t/openstack/build/51a17bd6969746cd86d14bb70907a8a3 : SUCCESS in 29m 39s\n- tempest-full-py3 https://zuul.opendev.org/t/openstack/build/f5f58cd6e7b44211b25df95ca79833d2 : SUCCESS in 51m 01s\n- keystoneclient-devstack-functional https://zuul.opendev.org/t/openstack/build/6b803e71f4344f42871a88d188e06a3e : SUCCESS in 18m 32s (non-voting)\n- keystone-tempest https://zuul.opendev.org/t/openstack/build/1f1b2c6677d24fd48d42270f7db2e952 : SUCCESS in 30m 12s\n- keystone-tempest-fips https://zuul.opendev.org/t/openstack/build/e6acce156d724e3981670c531fdb0d1d : FAILURE in 9m 48s (non-voting)\n- keystone-tempest-federation https://zuul.opendev.org/t/openstack/build/c29f9942352a476bbc1eabbb08eafda3 : FAILURE in 13m 05s (non-voting)\n- keystone-tempest-federation-k2k https://zuul.opendev.org/t/openstack/build/2615ae6621964d2b91906a3aa92fa104 : SUCCESS in 24m 25s\n- keystone-tempest-oidc-federation https://zuul.opendev.org/t/openstack/build/3ef51255ebdc432686526da1f7d5910f : SUCCESS in 19m 08s\n- keystone-tempest-ldap-domain-specific-driver https://zuul.opendev.org/t/openstack/build/85b35057ff994c85b353de33359a44ed : SUCCESS in 40m 39s (non-voting)\n- tempest-ipv6-only https://zuul.opendev.org/t/openstack/build/81d2e76af6a449d783a9e30c8c5dc431 : SUCCESS in 39m 18s\n- keystone-protection-functional https://zuul.opendev.org/t/openstack/build/e0a9d103472d423188e96bc8464f8b22 : FAILURE in 25m 16s (non-voting)\n- codegenerator-openapi-identity-tips-with-api-ref https://zuul.opendev.org/t/openstack/build/af6570e50e1f4281bfec84247b429f5b : SUCCESS in 5m 20s (non-voting)","accounts_in_message":[],"_revision_number":4},{"id":"431620fcecca9f3e05151551e3d4c5aee3bc3a4d","tag":"autogenerated:zuul:gate","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-05-06 15:38:24.000000000","message":"Patch Set 4: -Verified\n\nStarting gate jobs.","accounts_in_message":[],"_revision_number":4},{"id":"eb147f9cd47d9bb9a873d38de83ac5d6e60e530a","tag":"autogenerated:zuul:gate","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-05-06 17:00:20.000000000","message":"Patch Set 4: Verified+2\n\nBuild succeeded (gate pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/ee04cc817b654282937500b4d1169e0d\n\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/3cf7689de5594d48bed74654b12c59c5 : SUCCESS in 4m 45s\n- openstack-tox-py310 https://zuul.opendev.org/t/openstack/build/fbf43a71dd89434c95354cfe5673c243 : SUCCESS in 13m 02s\n- openstack-tox-py313 https://zuul.opendev.org/t/openstack/build/6d8825b9b4884096a197b9a255a4bfff : SUCCESS in 8m 08s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/e4975ad4c1734d7ca58e98431a2e6a1b : SUCCESS in 15m 41s\n- grenade https://zuul.opendev.org/t/openstack/build/1274d90638f543a588d7f3d5a52fec84 : SUCCESS in 50m 01s\n- tempest-full-py3 https://zuul.opendev.org/t/openstack/build/2e9929a4130e40459a2ccc5eaeda9556 : SUCCESS in 1h 21m 07s\n- keystone-tempest https://zuul.opendev.org/t/openstack/build/fb5cf6ed90cd4f4d84f1027350ba8e84 : SUCCESS in 32m 23s\n- keystone-tempest-federation-k2k https://zuul.opendev.org/t/openstack/build/81d0f436b7a445d898f0a9a04873114c : SUCCESS in 19m 05s\n- tempest-ipv6-only https://zuul.opendev.org/t/openstack/build/e38fe5e51a7547b4bb706cbfba58f386 : SUCCESS in 1h 00m 50s\n- keystone-protection-functional https://zuul.opendev.org/t/openstack/build/10fc541673d94631b6a0d95577e5e7f8 : FAILURE in 43m 29s (non-voting)","accounts_in_message":[],"_revision_number":4},{"id":"0ed76300458ca20cffe30396ca02aaa42104df35","tag":"autogenerated:gerrit:merged","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-05-06 17:00:20.000000000","message":"Change has been successfully merged","accounts_in_message":[],"_revision_number":4},{"id":"737273f27e9d5b2fa7eeaa2a8e6f55f06a4d272e","tag":"autogenerated:zuul:promote","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-05-06 17:01:44.000000000","message":"Patch Set 4:\n\nBuild succeeded (promote pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/92b60baf61dc4279999c03ce6de25660\n\n- promote-openstack-tox-docs https://zuul.opendev.org/t/openstack/build/9a8187b563ea455fa638547675ba1127 : SUCCESS in 1m 06s","accounts_in_message":[],"_revision_number":4}],"current_revision_number":4,"current_revision":"635914a6a8a9fb3b172fc15528608df2d091036b","revisions":{"03f496dcd4373144de375b47722cf18a4c7edd48":{"kind":"REWORK","_number":1,"created":"2026-04-23 07:50:01.000000000","uploader":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"ref":"refs/changes/23/985923/1","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystone","ref":"refs/changes/23/985923/1","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystone refs/changes/23/985923/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystone refs/changes/23/985923/1 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystone refs/changes/23/985923/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystone refs/changes/23/985923/1"}}},"commit":{"parents":[{"commit":"5d5ae3aea3b90fd7fa4eaf3d3b918418db138b2e","subject":"Prevent unauthorized EC2 credential creation and deletion","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/5d5ae3aea3b90fd7fa4eaf3d3b918418db138b2e"}]}],"author":{"name":"Boris Bobrov","email":"b.bobrov@sap.com","date":"2026-04-07 21:55:23.000000000","tz":120},"committer":{"name":"Ivan Anfimov","email":"lazekteam@gmail.com","date":"2026-04-23 07:50:01.000000000","tz":0},"subject":"Block app cred tokens from authorizing OAuth1 requests","message":"Block app cred tokens from authorizing OAuth1 requests\n\nThe OAuth1 authorize endpoint checked is_delegated_auth to block\ntrust-scoped and OAuth-scoped tokens from authorizing request\ntokens, but application credential tokens were not covered by\nthis check. A restricted application credential could authorize\na request token with any role the user actually holds, producing\nan access token that yields an unrestricted Keystone token with\nroles beyond the application credential\u0027s restricted set.\n\nAdd an explicit check for application credential tokens on the\nOAuth1 authorize endpoint, consistent with how trust-scoped and\nOAuth-scoped tokens are already blocked.\n\nRelated-Bug: #2142138\nGenerated-By: claude-opus-4-6 (OpenCode)\nSigned-off-by: Boris Bobrov \u003cb.bobrov@sap.com\u003e\nChange-Id: I9506557609ff7edaa6a961f356f9b8e19faaefc3\n(cherry picked from commit 29246c5fd8d1dafbe6cc8cec4c57faf5590cd44e)\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/03f496dcd4373144de375b47722cf18a4c7edd48"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/03f496dcd4373144de375b47722cf18a4c7edd48"}]},"branch":"refs/heads/stable/2026.1","conflicts":{"ours":"5d5ae3aea3b90fd7fa4eaf3d3b918418db138b2e","theirs":"29246c5fd8d1dafbe6cc8cec4c57faf5590cd44e","contains_conflicts":false}},"c42fcb6921097f03e208446ec9f722b1a58049e9":{"kind":"TRIVIAL_REBASE","_number":2,"created":"2026-04-23 07:53:14.000000000","uploader":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"ref":"refs/changes/23/985923/2","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystone","ref":"refs/changes/23/985923/2","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystone refs/changes/23/985923/2 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystone refs/changes/23/985923/2 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystone refs/changes/23/985923/2 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystone refs/changes/23/985923/2"}}},"commit":{"parents":[{"commit":"8e1cba068e13cd340b3551645dc817cab10b0aa3","subject":"Add tests for restricted app cred guard","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/8e1cba068e13cd340b3551645dc817cab10b0aa3"}]}],"author":{"name":"Boris Bobrov","email":"b.bobrov@sap.com","date":"2026-04-07 21:55:23.000000000","tz":120},"committer":{"name":"Ivan Anfimov","email":"lazekteam@gmail.com","date":"2026-04-23 07:53:14.000000000","tz":0},"subject":"Block app cred tokens from authorizing OAuth1 requests","message":"Block app cred tokens from authorizing OAuth1 requests\n\nThe OAuth1 authorize endpoint checked is_delegated_auth to block\ntrust-scoped and OAuth-scoped tokens from authorizing request\ntokens, but application credential tokens were not covered by\nthis check. A restricted application credential could authorize\na request token with any role the user actually holds, producing\nan access token that yields an unrestricted Keystone token with\nroles beyond the application credential\u0027s restricted set.\n\nAdd an explicit check for application credential tokens on the\nOAuth1 authorize endpoint, consistent with how trust-scoped and\nOAuth-scoped tokens are already blocked.\n\nRelated-Bug: #2142138\nGenerated-By: claude-opus-4-6 (OpenCode)\nSigned-off-by: Boris Bobrov \u003cb.bobrov@sap.com\u003e\nChange-Id: I9506557609ff7edaa6a961f356f9b8e19faaefc3\n(cherry picked from commit 29246c5fd8d1dafbe6cc8cec4c57faf5590cd44e)\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/c42fcb6921097f03e208446ec9f722b1a58049e9"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/c42fcb6921097f03e208446ec9f722b1a58049e9"}]},"branch":"refs/heads/stable/2026.1","description":"Rebase","conflicts":{"ours":"03f496dcd4373144de375b47722cf18a4c7edd48","theirs":"8e1cba068e13cd340b3551645dc817cab10b0aa3","contains_conflicts":false}},"cf4da08b977e2c857892a284f7a57bebcba076ad":{"kind":"TRIVIAL_REBASE","_number":3,"created":"2026-04-23 07:54:13.000000000","uploader":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"ref":"refs/changes/23/985923/3","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystone","ref":"refs/changes/23/985923/3","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystone refs/changes/23/985923/3 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystone refs/changes/23/985923/3 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystone refs/changes/23/985923/3 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystone refs/changes/23/985923/3"}}},"commit":{"parents":[{"commit":"ee1e8be2b132f5d8a782af303ebb27d0ec86ccdf","subject":"Block restricted app creds from creating EC2 credentials via /credentials","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/ee1e8be2b132f5d8a782af303ebb27d0ec86ccdf"}]}],"author":{"name":"Boris Bobrov","email":"b.bobrov@sap.com","date":"2026-04-07 21:55:23.000000000","tz":120},"committer":{"name":"Ivan Anfimov","email":"lazekteam@gmail.com","date":"2026-04-23 07:54:13.000000000","tz":0},"subject":"Block app cred tokens from authorizing OAuth1 requests","message":"Block app cred tokens from authorizing OAuth1 requests\n\nThe OAuth1 authorize endpoint checked is_delegated_auth to block\ntrust-scoped and OAuth-scoped tokens from authorizing request\ntokens, but application credential tokens were not covered by\nthis check. A restricted application credential could authorize\na request token with any role the user actually holds, producing\nan access token that yields an unrestricted Keystone token with\nroles beyond the application credential\u0027s restricted set.\n\nAdd an explicit check for application credential tokens on the\nOAuth1 authorize endpoint, consistent with how trust-scoped and\nOAuth-scoped tokens are already blocked.\n\nRelated-Bug: #2142138\nGenerated-By: claude-opus-4-6 (OpenCode)\nSigned-off-by: Boris Bobrov \u003cb.bobrov@sap.com\u003e\nChange-Id: I9506557609ff7edaa6a961f356f9b8e19faaefc3\n(cherry picked from commit 29246c5fd8d1dafbe6cc8cec4c57faf5590cd44e)\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/cf4da08b977e2c857892a284f7a57bebcba076ad"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/cf4da08b977e2c857892a284f7a57bebcba076ad"}]},"branch":"refs/heads/stable/2026.1","description":"Rebase","conflicts":{"ours":"c42fcb6921097f03e208446ec9f722b1a58049e9","theirs":"ee1e8be2b132f5d8a782af303ebb27d0ec86ccdf","contains_conflicts":false}},"635914a6a8a9fb3b172fc15528608df2d091036b":{"kind":"TRIVIAL_REBASE","_number":4,"created":"2026-05-06 14:45:12.000000000","uploader":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"ref":"refs/changes/23/985923/4","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystone","ref":"refs/changes/23/985923/4","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystone refs/changes/23/985923/4 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystone refs/changes/23/985923/4 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystone refs/changes/23/985923/4 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystone refs/changes/23/985923/4"}}},"commit":{"parents":[{"commit":"a97e9295e9f999d6e573acd64e6ea0c2735e512a","subject":"Merge \"Enforce app cred project boundary on EC2 credential paths\" into stable/2026.1","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/a97e9295e9f999d6e573acd64e6ea0c2735e512a"}]}],"author":{"name":"Boris Bobrov","email":"b.bobrov@sap.com","date":"2026-04-07 21:55:23.000000000","tz":120},"committer":{"name":"Ivan Anfimov","email":"lazekteam@gmail.com","date":"2026-05-06 14:45:12.000000000","tz":0},"subject":"Block app cred tokens from authorizing OAuth1 requests","message":"Block app cred tokens from authorizing OAuth1 requests\n\nThe OAuth1 authorize endpoint checked is_delegated_auth to block\ntrust-scoped and OAuth-scoped tokens from authorizing request\ntokens, but application credential tokens were not covered by\nthis check. A restricted application credential could authorize\na request token with any role the user actually holds, producing\nan access token that yields an unrestricted Keystone token with\nroles beyond the application credential\u0027s restricted set.\n\nAdd an explicit check for application credential tokens on the\nOAuth1 authorize endpoint, consistent with how trust-scoped and\nOAuth-scoped tokens are already blocked.\n\nRelated-Bug: #2142138\nGenerated-By: claude-opus-4-6 (OpenCode)\nSigned-off-by: Boris Bobrov \u003cb.bobrov@sap.com\u003e\nChange-Id: I9506557609ff7edaa6a961f356f9b8e19faaefc3\n(cherry picked from commit 29246c5fd8d1dafbe6cc8cec4c57faf5590cd44e)\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/635914a6a8a9fb3b172fc15528608df2d091036b"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/635914a6a8a9fb3b172fc15528608df2d091036b"}]},"branch":"refs/heads/stable/2026.1","description":"Rebase","conflicts":{"ours":"cf4da08b977e2c857892a284f7a57bebcba076ad","theirs":"a97e9295e9f999d6e573acd64e6ea0c2735e512a","contains_conflicts":false}}},"requirements":[],"submit_records":[{"rule_name":"gerrit~DefaultSubmitRule","status":"CLOSED","labels":[{"label":"Verified","status":"MAY","applied_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}},{"label":"Code-Review","status":"MAY","applied_by":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"}},{"label":"Workflow","status":"MAY","applied_by":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"}}]}],"submit_requirements":[{"name":"Verified","description":"Verified in gate by CI","status":"SATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Verified\u003dMAX AND -label:Verified\u003dMIN","fulfilled":true,"status":"PASS","passing_atoms":["label:Verified\u003dMAX"],"failing_atoms":["label:Verified\u003dMIN"],"atom_explanations":{"label:Verified\u003dMAX":"","label:Verified\u003dMIN":""}}},{"name":"Code-Review","description":"Code reviewed by core reviewer","status":"SATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Code-Review\u003dMAX AND -label:Code-Review\u003dMIN","fulfilled":true,"status":"PASS","passing_atoms":["label:Code-Review\u003dMAX"],"failing_atoms":["label:Code-Review\u003dMIN"],"atom_explanations":{"label:Code-Review\u003dMAX":"","label:Code-Review\u003dMIN":""}}},{"name":"Workflow","description":"Approved for gate by core reviewer","status":"SATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Workflow\u003dMAX AND -label:Workflow\u003dMIN","fulfilled":true,"status":"PASS","passing_atoms":["label:Workflow\u003dMAX"],"failing_atoms":["label:Workflow\u003dMIN"],"atom_explanations":{"label:Workflow\u003dMAX":"","label:Workflow\u003dMIN":""}}}]}