Comment 11 for bug 1873290

Gage Hugo (gagehugo) wrote : Re: OAuth1 request token authorize silently ignores roles parameter

Updated to add the distinction between the two tokens:

Title: OAuth1 request token authorize silently ignores roles parameter
Reporter: kay
Products: Keystone
Affects: <15.0.1, ==16.0.0

Description:
kay reported a vulnerability in Keystone's OAuth1 Token API. Previously the list of roles provided for an OAuth1 access token was ignored, so when an access token was used to request a keystone token, the keystone token would contain every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access.
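The following is an added illustrative model of the flaw the advisory text describes; it is not Keystone's code and is not part of the bug report. It simulates the authorize step in two forms: a flawed one that accepts the roles parameter but never stores it, so the delegated keystone token carries every role the creator holds on the project, and a hardened one that validates the requested roles against the creator's assignments, records them on the access token, and limits the issued token to that subset. The creator name, project id, role names and the AccessToken structure are constructed for the example.

```python
"""Illustrative model of OAuth1 request-token authorize and token issuance.

Not Keystone's code: a minimal simulation of the flaw described above
(the roles parameter being ignored) beside the hardened behaviour (the
delegated token limited to authorized roles that the creator actually
holds). All names and data below are constructed for the example.
"""
from dataclasses import dataclass, field

# Constructed sample data: the creator's role assignments on one project.
CREATOR_ROLES = {"project-a": {"member", "reader", "admin"}}


@dataclass
class AccessToken:
    creator: str
    project_id: str
    roles: set = field(default_factory=set)


def authorize_vulnerable(creator_roles, project_id, requested_roles):
    """Flawed behaviour: the roles parameter is accepted but silently
    dropped, so the access token carries no restriction at all."""
    return AccessToken(creator="alice", project_id=project_id)


def issue_token_vulnerable(token, creator_roles):
    """Flawed issuance: every role the creator has on the project is granted,
    regardless of what was requested at authorize time."""
    return set(creator_roles.get(token.project_id, set()))


def authorize_fixed(creator_roles, project_id, requested_roles):
    """Hardened behaviour: the requested roles must be non-empty and a subset
    of the creator's assignments; they are stored on the access token."""
    requested = set(requested_roles)
    if not requested:
        raise ValueError("at least one role must be authorized")
    held = creator_roles.get(project_id, set())
    missing = requested - held
    if missing:
        raise PermissionError(
            f"creator lacks roles {sorted(missing)} on {project_id}"
        )
    return AccessToken(creator="alice", project_id=project_id, roles=requested)


def issue_token_fixed(token, creator_roles):
    """Hardened issuance: the keystone token carries only the roles recorded
    on the access token, re-checked against the creator's current
    assignments so a role revoked since authorize time is not re-granted."""
    held = creator_roles.get(token.project_id, set())
    return token.roles & held


if __name__ == "__main__":
    bad = authorize_vulnerable(CREATOR_ROLES, "project-a", ["reader"])
    print("vulnerable:", sorted(issue_token_vulnerable(bad, CREATOR_ROLES)))
    good = authorize_fixed(CREATOR_ROLES, "project-a", ["reader"])
    print("fixed:", sorted(issue_token_fixed(good, CREATOR_ROLES)))
```

Run stand-alone, the vulnerable path grants admin, member and reader although only reader was requested, while the fixed path grants reader alone; the re-check in issue_token_fixed also drops a role the creator has lost since the access token was authorized.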