Obviously the caller already have the credentials of the two users so we are not compromising anything. Keystone basically pick and choose the user based on the order in this case. Keystone's auth protocol was designed to handle multi-factor and multi-roundtrip authentications and there was no expectation that all auth methods will yield a user_id. It is up to the plugins themselves to agree on a user_id.
Obviously the caller already have the credentials of the two users so we are not compromising anything. Keystone basically pick and choose the user based on the order in this case. Keystone's auth protocol was designed to handle multi-factor and multi-roundtrip authentications and there was no expectation that all auth methods will yield a user_id. It is up to the plugins themselves to agree on a user_id.