I'm attaching a patch for rocky even though it has reached EM to help distros that need to support older releases.
To mitigate this bug for older branches, I recommend disabling 'oauth1' as an authentication method by removing it from the comma-separated list in the [auth]/methods config option in keystone.conf. Alternatively, although the default policy rules for these actions are already very restrictive, you can further restrict them by disabling them completely with policy rules such as:
"identity:create_consumer": "!"
"identity:update_consumer": "!"
"identity:authorize_request_token": "!"
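The following is an added check, not part of the bug report or of keystone itself, that verifies whether the two mitigations above have been applied to a deployment: it parses the [auth]/methods option from keystone.conf and the three oauth1 policy targets from a JSON policy file. It assumes keystone's shipped default for [auth]/methods (which includes oauth1 when the option is left unset) and that the policy file is in JSON form; the config and policy fragments below are constructed samples.

```python
import configparser
import json

# Constructed sample keystone.conf fragments (not taken from the bug report).
VULNERABLE_CONF = """
[auth]
methods = external,password,token,oauth1,mapped,application_credential
"""

MITIGATED_CONF = """
[auth]
methods = external,password,token,mapped,application_credential
"""

# Assumption: keystone's default for [auth]/methods when the option is unset.
# It includes oauth1, so an absent option does NOT mean oauth1 is disabled.
DEFAULT_METHODS = [
    "external", "password", "token", "oauth1", "mapped", "application_credential",
]

# The three policy targets the comment above recommends disabling with "!".
OAUTH1_POLICY_TARGETS = (
    "identity:create_consumer",
    "identity:update_consumer",
    "identity:authorize_request_token",
)

# Constructed sample policy files (JSON form, as oslo.policy accepts).
DENYING_POLICY = json.dumps({t: "!" for t in OAUTH1_POLICY_TARGETS})
DEFAULT_LIKE_POLICY = json.dumps({
    "identity:create_consumer": "rule:admin_required",
    "identity:update_consumer": "rule:admin_required",
})


def enabled_auth_methods(conf_text):
    """Return the list of auth methods keystone would enable for this config."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    # has_option is False both when the option and when the whole [auth]
    # section is missing; either way keystone falls back to its defaults.
    if not parser.has_option("auth", "methods"):
        return list(DEFAULT_METHODS)
    raw = parser.get("auth", "methods")
    return [m.strip() for m in raw.split(",") if m.strip()]


def oauth1_enabled(conf_text):
    """True if the oauth1 auth method is still reachable under this config."""
    return "oauth1" in enabled_auth_methods(conf_text)


def undenied_oauth1_targets(policy_text):
    """Return the oauth1 policy targets that are not hard-disabled with "!"."""
    rules = json.loads(policy_text)
    return [t for t in OAUTH1_POLICY_TARGETS if rules.get(t) != "!"]


def mitigated(conf_text, policy_text):
    """True if either mitigation from the comment above is fully in place."""
    return (not oauth1_enabled(conf_text)) or not undenied_oauth1_targets(policy_text)


if __name__ == "__main__":
    print("vulnerable conf, default-like policy:",
          mitigated(VULNERABLE_CONF, DEFAULT_LIKE_POLICY))
    print("mitigated conf:", mitigated(MITIGATED_CONF, DEFAULT_LIKE_POLICY))
    print("vulnerable conf, denying policy:",
          mitigated(VULNERABLE_CONF, DENYING_POLICY))
```

Run it against the real /etc/keystone/keystone.conf and policy file on an older branch to confirm the workaround took effect; note that a missing [auth] section counts as oauth1 still enabled, since keystone's defaults fill it in.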