Comment 69 for bug 1779205

Guang Yee (guang-yee) wrote:

As far as I can tell, this problem seems to impact stable/queens and master (Rocky) only. It does NOT seem to impact the older branches. My assessment was based on devstack with federation enabled, i.e.:

  # only enable the services we care about
  disable_all_services
  enable_plugin keystone git://git.openstack.org/openstack/keystone.git stable/pike
  enable_service mysql rabbit keystone keystone-saml2-federation

  KEYSTONE_ENABLE_MOD_WSGI=True
  KEYSTONE_BRANCH=stable/pike

I set up K2K federation with the same instance acting as both IdP and SP. btw, keystone-saml2-federation does not support this configuration so I had to do some manual work. Devstack was deployed in a vagrant so each branch was deployed in a fresh vagrant. So far I tested the following branches:

newton-eol
stable/ocata
stable/pike
stable/queens
master

Here's what I found.

1. The problem does NOT impact the federated tokens. Using a federated token, the /v3/OS-FEDERATION/projects API correctly returns the 'federated_project' in the 'federated_domain' only. This is true for ALL the branches.

2. Using a local user token (i.e. demo/demo), the /v3/OS-FEDERATION/projects API will return ALL the projects for all the domains in stable/queens and master only, regardless of the user's group membership. stable/pike and older branches are NOT impacted. With those branches, the user will get an HTTP 500 Internal Server Error from the API and something similar to this in the keystone logs.

  Aug 1 11:18:27 ubuntu <email address hidden>[19553]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/federation/controllers.py", line 472, in list_projects_for_user
  Aug 1 11:18:27 ubuntu <email address hidden>[19553]: ERROR keystone.common.wsgi request.auth_context['group_ids'])
  Aug 1 11:18:27 ubuntu <email address hidden>[19553]: ERROR keystone.common.wsgi KeyError: 'group_ids'
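The two behaviours the comment above reports (an HTTP 500 on stable/pike and older, an over-broad project listing on stable/queens and master) can be told apart with a small check that calls /v3/OS-FEDERATION/projects with a given token and compares the domains of the returned projects against the domains the token is expected to see. The following is an added example written for this page, not keystone's own code or a script from the bug report. The keystone URL, the token value, the project ids and the HTTP opener used to run it offline are all constructed; the names demo, federated_project and federated_domain are taken from the comment. Against a real deployment, pass a real token and leave `opener` at its default.

```python
"""Probe /v3/OS-FEDERATION/projects for the two behaviours described in the comment."""
import io
import json
import urllib.error
import urllib.request

FEDERATION_PROJECTS_PATH = "/v3/OS-FEDERATION/projects"


def fetch_federation_projects(keystone_url, token, opener=urllib.request.urlopen):
    """GET /v3/OS-FEDERATION/projects with X-Auth-Token.

    Returns (http_status, projects) where projects is None on an HTTP error.
    `opener` is injectable so the check can run offline against constructed
    responses; by default it is urllib's real opener.
    """
    req = urllib.request.Request(
        keystone_url.rstrip("/") + FEDERATION_PROJECTS_PATH,
        headers={"X-Auth-Token": token, "Accept": "application/json"},
    )
    try:
        with opener(req) as resp:
            body = json.loads(resp.read().decode("utf-8"))
            return resp.status, body.get("projects", [])
    except urllib.error.HTTPError as err:
        return err.code, None


def classify(status, projects, allowed_domain_ids):
    """Map an observed response onto the behaviours reported in the comment.

    "error"     : HTTP 500 (the KeyError: 'group_ids' case on pike and older)
    "overbroad" : HTTP 200 listing projects outside the allowed domains
                  (the queens/master case for a local user token)
    "ok"        : HTTP 200 listing only projects in the allowed domains
    """
    if status == 500:
        return "error"
    if status != 200 or projects is None:
        return "unexpected"
    leaked = [p["id"] for p in projects if p.get("domain_id") not in allowed_domain_ids]
    return "overbroad" if leaked else "ok"


def run_check(keystone_url, token, allowed_domain_ids, opener=urllib.request.urlopen):
    """Fetch and classify in one call; this is what a practitioner would run."""
    status, projects = fetch_federation_projects(keystone_url, token, opener)
    return classify(status, projects, allowed_domain_ids)


# --- Constructed sample responses for offline use (not captured from a real keystone) ---

class _FakeResponse(io.BytesIO):
    """Minimal stand-in for a urllib response: a readable body plus .status."""

    def __init__(self, status, payload):
        super().__init__(json.dumps(payload).encode("utf-8"))
        self.status = status


def fake_opener(status, payload):
    """Return an opener that answers every request with the given status/body."""
    def _open(req):
        if status >= 400:
            raise urllib.error.HTTPError(req.full_url, status, "error", None, None)
        return _FakeResponse(status, payload)
    return _open


# Project ids are hypothetical; names and domain follow the comment's setup.
SAMPLE_FEDERATED_ONLY = {"projects": [
    {"id": "p-fed", "name": "federated_project", "domain_id": "federated_domain"},
]}
SAMPLE_ALL_DOMAINS = {"projects": [
    {"id": "p-demo", "name": "demo", "domain_id": "default"},
    {"id": "p-fed", "name": "federated_project", "domain_id": "federated_domain"},
]}


if __name__ == "__main__":
    url, tok = "http://keystone.example:5000", "hypothetical-token"
    print("federated token :", run_check(url, tok, {"federated_domain"}, fake_opener(200, SAMPLE_FEDERATED_ONLY)))
    print("local, queens   :", run_check(url, tok, {"default"}, fake_opener(200, SAMPLE_ALL_DOMAINS)))
    print("local, pike     :", run_check(url, tok, {"default"}, fake_opener(500, {})))
```

For a local user the set of allowed domains is simply the user's own domain (default for demo/demo); any project reported from another domain is the over-broad listing the comment describes, while a 500 is the older KeyError behaviour.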