)]}'
{"id":"openstack%2Fkeystone~990621","triplet_id":"openstack%2Fkeystone~stable%2F2025.1~Ic70d4756c121e3f096c372ee9b6f5314838e66de","project":"openstack/keystone","branch":"stable/2025.1","attention_set":{},"removed_from_attention_set":{"13252":{"account":{"_account_id":13252,"name":"Dr. Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"last_update":"2026-05-29 17:35:19.000000000","reason":"Change was submitted"}},"hashtags":[],"change_id":"Ic70d4756c121e3f096c372ee9b6f5314838e66de","subject":"Add audience mapper to devstack Keycloak client","status":"MERGED","created":"2026-05-29 09:56:17.000000000","updated":"2026-05-29 17:39:14.000000000","submitted":"2026-05-29 17:35:19.000000000","submitter":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"total_comment_count":0,"unresolved_comment_count":0,"has_review_started":true,"submission_id":"990621","cherry_pick_of_change":990618,"cherry_pick_of_patch_set":1,"meta_rev_id":"71d899ba5206f2a046a2bb802f158a88faee3a70","_number":990621,"virtual_id_number":990621,"owner":{"_account_id":13252,"name":"Dr. Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"actions":{},"labels":{"Verified":{"approved":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"all":[{"tag":"autogenerated:zuul:gate","value":2,"date":"2026-05-29 17:35:19.000000000","permitted_voting_range":{"min":2,"max":2},"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":0,"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},{"value":0,"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"}],"values":{"-2":"Fails","-1":"Doesn\u0027t seem to work"," 0":"No score","+1":"Works for me","+2":"Verified"},"description":"","default_value":0,"optional":true},"Code-Review":{"approved":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"all":[{"value":0,"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":2,"date":"2026-05-29 10:01:08.000000000","permitted_voting_range":{"min":2,"max":2},"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},{"value":2,"date":"2026-05-29 15:13:53.000000000","permitted_voting_range":{"min":2,"max":2},"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"}],"values":{"-2":"Do not merge","-1":"This patch needs further work before it can be merged"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me (core reviewer)"},"description":"","default_value":0,"optional":true},"Workflow":{"approved":{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"},"all":[{"value":0,"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":0,"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},{"value":1,"date":"2026-05-29 15:13:53.000000000","permitted_voting_range":{"min":1,"max":1},"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"}],"values":{"-1":"Work in progress"," 0":"Ready for reviews","+1":"Approved"},"description":"","default_value":0,"optional":true}},"removable_reviewers":[],"reviewers":{"REVIEWER":[{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"},{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}],"CC":[{"_account_id":13478,"name":"Boris Bobrov","email":"b.bobrov@sap.com","username":"bbobrov"}]},"pending_reviewers":{},"reviewer_updates":[{"updated":"2026-05-29 09:56:17.000000000","updated_by":{"_account_id":13252,"name":"Dr. Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"reviewer":{"_account_id":13478,"name":"Boris Bobrov","email":"b.bobrov@sap.com","username":"bbobrov"},"state":"CC"},{"updated":"2026-05-29 10:01:08.000000000","updated_by":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"reviewer":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"state":"REVIEWER"},{"updated":"2026-05-29 11:06:00.000000000","updated_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"reviewer":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"state":"REVIEWER"},{"updated":"2026-05-29 15:13:53.000000000","updated_by":{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"},"reviewer":{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"},"state":"REVIEWER"}],"messages":[{"id":"5f4043feea134292702bbb31e32d2c82bb52f653","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":13252,"name":"Dr. Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"date":"2026-05-29 09:56:17.000000000","message":"Patch Set 1: Cherry Picked from branch stable/2025.2.","accounts_in_message":[],"_revision_number":1},{"id":"98d30c2f39513e39dc922755d4e0136d19ba40e7","author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"date":"2026-05-29 10:01:08.000000000","message":"Patch Set 1: Code-Review+2","accounts_in_message":[],"_revision_number":1},{"id":"c7b3b9fba3bec92f3c2f80f2137737182b6ac765","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-05-29 11:06:00.000000000","message":"Patch Set 1: Verified+1\n\nBuild succeeded (check pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/274eb241b40d4ec8aa2bd6b46565ccf2\n\n- openstack-tox-cover https://zuul.opendev.org/t/openstack/build/13324368e293419ab06520b68341703f : SUCCESS in 19m 05s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/3c6f73cc44c84dae979c18f763a111ed : SUCCESS in 6m 37s\n- openstack-tox-py39 https://zuul.opendev.org/t/openstack/build/fc70abbbec9d402abd171632bb91c3c1 : SUCCESS in 11m 47s\n- openstack-tox-py312 https://zuul.opendev.org/t/openstack/build/d0ccfbb144744b1aa14867e846a7dc09 : SUCCESS in 7m 33s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/f0b5359708424abeb0c60b975ba5ef3c : SUCCESS in 12m 58s\n- grenade https://zuul.opendev.org/t/openstack/build/7afd6202360245de965be14341eeec80 : SUCCESS in 58m 40s\n- tempest-full-py3 https://zuul.opendev.org/t/openstack/build/4946a02cde974494acc757ea54d253e3 : SUCCESS in 53m 17s\n- build-openstack-releasenotes https://zuul.opendev.org/t/openstack/build/eee0243040144eabb0247a3d1b468196 : SUCCESS in 11m 11s\n- keystone-dsvm-py3-functional https://zuul.opendev.org/t/openstack/build/e1b39b4ced924204800bc7babc5306d1 : SUCCESS in 30m 47s\n- keystone-dsvm-py3-functional-fips https://zuul.opendev.org/t/openstack/build/105dd749755e48c6aa649d5b65651dd0 : FAILURE in 17m 00s (non-voting)\n- keystone-dsvm-py3-functional-federation-ubuntu-jammy https://zuul.opendev.org/t/openstack/build/843cd7cac47047a581f96b02130192ef : FAILURE in 13m 15s (non-voting)\n- keystone-dsvm-py3-functional-federation-ubuntu-jammy-k2k https://zuul.opendev.org/t/openstack/build/2d841c1fe499439a84ad0b7468422de9 : FAILURE in 27m 07s (non-voting)\n- keystoneclient-devstack-functional https://zuul.opendev.org/t/openstack/build/0d0b0c735781467aa538823a16332477 : SUCCESS in 16m 47s (non-voting)\n- keystone-dsvm-ldap-domain-specific-driver https://zuul.opendev.org/t/openstack/build/c16dbae408a04be69050a1d79f4538a6 : SUCCESS in 36m 00s (non-voting)\n- tempest-ipv6-only https://zuul.opendev.org/t/openstack/build/2676ab0471bf4867a560a688c94f6472 : SUCCESS in 1h 03m 03s\n- codegenerator-openapi-identity-tips-with-api-ref https://zuul.opendev.org/t/openstack/build/1fa9ec75a805422893199b2adf90a2ac : FAILURE in 7m 21s (non-voting)\n- keystone-dsvm-functional-oidc-federation https://zuul.opendev.org/t/openstack/build/638498523d14499088b1185d2d679e8a : SUCCESS in 24m 57s (non-voting)","accounts_in_message":[],"_revision_number":1},{"id":"9aa32aec600c2a46b2e965c93f11a15901457190","author":{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"},"date":"2026-05-29 15:13:53.000000000","message":"Patch Set 1: Code-Review+2 Workflow+1","accounts_in_message":[],"_revision_number":1},{"id":"a0b0e462f94bc5cf1d8463e8fec89216b5175c7a","tag":"autogenerated:zuul:gate","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-05-29 15:14:41.000000000","message":"Patch Set 1: -Verified\n\nStarting gate jobs.","accounts_in_message":[],"_revision_number":1},{"id":"ef85e5a5c2736f0ab1557deb0ade76f8ef966497","tag":"autogenerated:zuul:gate","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-05-29 17:35:19.000000000","message":"Patch Set 1: Verified+2\n\nBuild succeeded (gate pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/392fe16164874af387d4cfef00e36bfe\n\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/aff6aebbd30747658a403a79c68f694d : SUCCESS in 6m 41s\n- openstack-tox-py39 https://zuul.opendev.org/t/openstack/build/32992e80cadb4187842e59746f48abed : SUCCESS in 12m 25s\n- openstack-tox-py312 https://zuul.opendev.org/t/openstack/build/c72767eccce7467c9c1cb5ec3750f60a : SUCCESS in 12m 05s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/57ba4756662a4b49b3546e7610049f08 : SUCCESS in 12m 33s\n- build-openstack-releasenotes https://zuul.opendev.org/t/openstack/build/7e330f63f7b1419bac3fc05b026ae988 : SUCCESS in 13m 03s\n- keystone-dsvm-py3-functional https://zuul.opendev.org/t/openstack/build/7cfd4020d11d4431a4c86f1fc045ac83 : SUCCESS in 30m 49s\n- keystone-dsvm-py3-functional-federation-ubuntu-jammy-k2k https://zuul.opendev.org/t/openstack/build/77c18ae4f09e4af19988b3e04b31e73e : FAILURE in 28m 06s (non-voting)\n- tempest-full-py3 https://zuul.opendev.org/t/openstack/build/5bce541f5e61452f996216d6585e7759 : SUCCESS in 1h 49m 29s\n- grenade https://zuul.opendev.org/t/openstack/build/531f667acd244f0185c6579ead3d81f9 : SUCCESS in 55m 43s (non-voting)\n- tempest-ipv6-only https://zuul.opendev.org/t/openstack/build/771b8c03c6ae411887d642511a8e0552 : SUCCESS in 52m 52s","accounts_in_message":[],"_revision_number":1},{"id":"7247c45e4ad3027088efe4d9ec00fe0a63302e75","tag":"autogenerated:gerrit:merged","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-05-29 17:35:19.000000000","message":"Change has been successfully merged","accounts_in_message":[],"_revision_number":1},{"id":"71d899ba5206f2a046a2bb802f158a88faee3a70","tag":"autogenerated:zuul:promote","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-05-29 17:39:14.000000000","message":"Patch Set 1:\n\nBuild succeeded (promote pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/fb8584d428eb4d6e9bd85944e9b44947\n\n- promote-openstack-tox-docs https://zuul.opendev.org/t/openstack/build/1d375662a0344bbbb04e9580c0dfce82 : SUCCESS in 1m 06s","accounts_in_message":[],"_revision_number":1}],"current_revision_number":1,"current_revision":"3626fdaf0af3a664a7981eef9101df80db9b6c73","revisions":{"3626fdaf0af3a664a7981eef9101df80db9b6c73":{"kind":"REWORK","_number":1,"created":"2026-05-29 09:56:17.000000000","uploader":{"_account_id":13252,"name":"Dr. Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"ref":"refs/changes/21/990621/1","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystone","ref":"refs/changes/21/990621/1","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystone refs/changes/21/990621/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystone refs/changes/21/990621/1 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystone refs/changes/21/990621/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystone refs/changes/21/990621/1"}}},"commit":{"parents":[{"commit":"53af4f758e84a617d7a8522ebaf79937a67c5e4b","subject":"Merge \"Enforce app cred project boundary on EC2 credential paths\" into stable/2025.1","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/53af4f758e84a617d7a8522ebaf79937a67c5e4b"}]}],"author":{"name":"Boris Bobrov","email":"b.bobrov@sap.com","date":"2026-05-21 20:19:22.000000000","tz":120},"committer":{"name":"Dr. Jens Harbott","email":"frickler@offenerstapel.de","date":"2026-05-29 09:56:17.000000000","tz":0},"subject":"Add audience mapper to devstack Keycloak client","message":"Add audience mapper to devstack Keycloak client\n\nKeycloak 26.6.2 fixed CVE-2026-37979 by requiring the authenticated\nclient at the OAuth2 token introspection endpoint to be listed in the\nintrospected token\u0027s \"aud\" claim. The devstack OIDC plugin uses the\n\"devstack\" client both to issue user access tokens (via Keycloak\u0027s\nROPC flow) and to introspect those same tokens (via Apache\nmod_auth_openidc\u0027s OIDCOAuthIntrospectionEndpoint).\n\nWithout an audience mapper, the access tokens issued by Keycloak do\nnot list \"devstack\" in \"aud\", so introspection returns\n{\"active\": false} and Apache responds with HTTP 401, breaking the\nkeystone-tempest-oidc-federation job.\n\nAdd an audience protocol mapper to the \"devstack\" client so that\n\"devstack\" is included in the access token\u0027s audience. This is\nupstream\u0027s recommended fix and lets us continue tracking\nquay.io/keycloak/keycloak:latest.\n\nAlso handle the 409 Conflict that Keycloak returns when the client or\nmapper already exists from a previous setup run, so the script is\nidempotent.\n\nGenerated-By: claude-opus-4-7 (OpenCode)\nSigned-off-by: Boris Bobrov \u003cb.bobrov@sap.com\u003e\nChange-Id: Ic70d4756c121e3f096c372ee9b6f5314838e66de\n(cherry picked from commit b698f56afd33aae53d6c0c665956e209eff02591)\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/3626fdaf0af3a664a7981eef9101df80db9b6c73"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/3626fdaf0af3a664a7981eef9101df80db9b6c73"}]},"branch":"refs/heads/stable/2025.1","conflicts":{"ours":"53af4f758e84a617d7a8522ebaf79937a67c5e4b","theirs":"09f692e74d6606d73394092dfb3379f95f316ceb","contains_conflicts":false}}},"requirements":[],"submit_records":[{"rule_name":"gerrit~DefaultSubmitRule","status":"CLOSED","labels":[{"label":"Verified","status":"MAY","applied_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}},{"label":"Code-Review","status":"MAY","applied_by":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"}},{"label":"Workflow","status":"MAY","applied_by":{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"}}]}],"submit_requirements":[{"name":"Verified","description":"Verified in gate by CI","status":"SATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Verified\u003dMAX AND -label:Verified\u003dMIN","fulfilled":true,"status":"PASS","passing_atoms":["label:Verified\u003dMAX"],"failing_atoms":["label:Verified\u003dMIN"],"atom_explanations":{"label:Verified\u003dMAX":"","label:Verified\u003dMIN":""}}},{"name":"Code-Review","description":"Code reviewed by core reviewer","status":"SATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Code-Review\u003dMAX AND -label:Code-Review\u003dMIN","fulfilled":true,"status":"PASS","passing_atoms":["label:Code-Review\u003dMAX"],"failing_atoms":["label:Code-Review\u003dMIN"],"atom_explanations":{"label:Code-Review\u003dMAX":"","label:Code-Review\u003dMIN":""}}},{"name":"Workflow","description":"Approved for gate by core reviewer","status":"SATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Workflow\u003dMAX AND -label:Workflow\u003dMIN","fulfilled":true,"status":"PASS","passing_atoms":["label:Workflow\u003dMAX"],"failing_atoms":["label:Workflow\u003dMIN"],"atom_explanations":{"label:Workflow\u003dMAX":"","label:Workflow\u003dMIN":""}}}]}