I've done some more digging today, and got a handle on what is happening.
Webob exposes a synthesized req.params field - of both the query string and request body (POST) variables.
Any 'POST'ed request body variables (e.g. from heat-config-notify for OS::Heat::SoftwareDeployment resources) will interfere negatively with the signature calculation, resulting in an incorrect signature calculation - which keystone will reject.
The attached patch (that replaces the previous patch) only uses the query string parameters for calculating the signature.
I've done some more digging today, and got a handle on what is happening.
Webob exposes a synthesized req.params field - of both the query string and request body (POST) variables.
Any 'POST'ed request body variables (e.g. from heat-config-notify for OS::Heat: :SoftwareDeploy ment resources) will interfere negatively with the signature calculation, resulting in an incorrect signature calculation - which keystone will reject.
The attached patch (that replaces the previous patch) only uses the query string parameters for calculating the signature.