User with admin role in one domain and role member in another domain, usually works as admin but cannot generate a token using role member

Sorry, I couldn't finish this patch since not familiar with V3 API.

I created a new user "user1" in "domain1" with "admin" role. Then created a new domain "domain2" and assigned role "Member" to "user1" on "domain2". I tried following combinations to repo :
1. Request token by specifying authenticate domain "domain1" in "identity", also passing domain2 as scope. It worked fine!
2. Request token by specifying authenticate domain "domain2" in "identity", also passing domain2 as scope. This one Failed!
3. Request token not specifying domain in "identity", also passing domain2 as scope. This one Failed!

I went through the implementation, user only belongs to one domain though user's roles can be assigned to multiple domains. Authentication has to be against the domain specified when creating this user. So I think this behavior makes sense and is by design.
Please reopen it if you this is different from what you saw.

Thanks,
Xuhui

As a user gets a role in a member demesne where it does not belong and can not authenticate this domain. This is not wrong? In my thinking, or the user should not get a role in multiple domains, since it can only authenticate  into your domain in which it was created, or should be able to authenticate in all domains he is associated.

My 2 cents:
Internally each user and domain combination is uniquely identified and both have to be provided when doing authentication. If domain is not provided, it defaults to Default. Identical usernames can be created for different domains. So this may end up with same usernames created for different domains have different access roles into each other. This leaves the interpretation of the actually meaning, if they are the same user or not, to the underlying driver implementation and configuration.

I agree with Raildo. Since it's possible to add a role to a user in any domain, it should be possible to the user to get a token for each domain which he/she is related. In fact, the following scenario works:

1. Create a user
2. Create two domains (d1 and d2)
3. Add the admin role to the user in both domains
4. Get a domain scoped token for both domains

The problem seems to be just with the different roles.

My steps:

create Domain-A
create Domain-B

create User-A belonging to Domain-A

add role admin to User-A on Domain-A
add role Member to User-A on Domain-B

get domain scoped token for User-A on Domain-A # got admin role
get domain scoped token for User-A on Domain-B # got Member role

There is a script attached that can be used to verify that behaviour. Extract it and run ./test-token.sh with DevStack running.
To see the results:
$ grep roles token-domain-Domain-A | ./jq .token.roles[]
{
  "name": "admin",
  "id": "156da3605a224afbb74ef8b23ff7ea83"
}
$ grep roles token-domain-Domain-B | ./jq .token.roles[]
{
  "name": "Member",
  "id": "963af680e4f74f8aaa42f58cadd71337"
}