Comment 3 for bug 1872755

kay (kay-diam) wrote :

> a token request using the EC2 credential does not have trust information in it, see attached example.

This sounds insecure. What is the purpose of the "trust_id" attribute if it is not considered? Looks like it is another security flaw. I suppose a proper solution would be to add a scope field for all possible SUB auth methods, and consider this field when a new OpenStack token is generated during authorization:
* trust scope
* oauth1 scope
* application credential scope
* etc.

Thoughts?