change_password_upon_first_use does not work with Horizon deployed by Kolla-ansible

Hey,

As a disclaimer: most of the configuration is default, parameters related to endpoints are default.

With following option set in Keystone:

[security_compliance]
change_password_upon_first_use = True

Horizon redirects correctly to "Change password" screen, but it doesn't work.

From logs, it seems like the POST query is executed against http://HERE_IP:5000/users/a5e3b6a416234807a870897e88a3c365/password

2024-07-15 21:45:10.166568 DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): HERE_IP:5000
2024-07-15 21:45:10.178351 DEBUG:urllib3.connectionpool:http://HERE_IP:5000 "POST /users/a5e3b6a416234807a870897e88a3c365/password HTTP/1.1" 404 207
2024-07-15 21:45:10.178875 DEBUG:keystoneauth.session:Request returned failure status: 404
2024-07-15 21:45:10.179095 Unable to update password due to exception: Not Found (HTTP 404) (Request-ID: req-de6cf206-d160-41e3-81d2-14fde17d301a)

Manually checked endpoint with GET query, and it wasn't found:
# curl http://HERE_IP:5000/users/a5e3b6a416234807a870897e88a3c365/password
<!doctype html>
<html lang=en>
<title>404 Not Found</title>
<h1>Not Found</h1>
<p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

But /v3 endpoint exist:
# curl http://HERE_IP:5000/v3/users/a5e3b6a416234807a870897e88a3c365/password
{"message": "The method is not allowed for the requested URL."}

So password change POST query should be executed against /v3 API.

With Horizon configuration overwritten, it works just fine:
OPENSTACK_KEYSTONE_URL = "http://HERE_IP:5000/v3"

I'm not sure here if Horizon should be reconfigured, or Keystone API endpoint should include /v3 in path.

Thank you,
Franciszek