after a lot of debugging it was an issue with multidomain support being enabled.
when it is enabled, the api.keystoneclient overrides the user token with a domain token.
the user token has project scope, but the domain token does not; and thus application credential will (always?) fail