Comment 3 for bug 1813336

I think this is more about tokenless authentication than about external vs mapped X.509 authentication. We allow setting scope with tokenless auth:

https://opendev.org/openstack/keystone/src/commit/71a1fb0437cdb5949d808ba82e36f4586ec7794d/keystone/common/tokenless_auth.py#L48

but I don't see why it should work differently than setting scope for a token request, and if it does need to be different then the requirement to pass the scope in the request body should be relaxed.