Comment 12 for bug 1840288

Morgan Fainberg (mdrnstm) wrote :

Discussed in IRC [0]; the conclusion is that this is a valid bug but there is no reasonable attack vector (the data could be used in determining whom to attempt to gain access to, but does not provide any means of direct attack). The data is *NOT* intended to be public but is not really explicitly private/privileged either. The API contract and current behavior are acceptable (as long as it is documented in this bug) behavior to leave.

This may still warrant an OSSN outlining that the data is available but there is minimal or no risk.

[0] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2019-08-16.log.html#t2019-08-16T21:36:28