Comment 11 for bug 1649333

Adam Young (ayoung) wrote :

It sounds like the fix should be that either Aodh always triggers the trust creation, or that Aodh validates the trust it is given. I think both are acceptable.

To validate the trust, Aodh should immediately activate the trust (use it to get a token) and, in the token request's response, check the value of the trustor, confirming it matches the expected user.

Blindly accepting any Trust ID this way is certainly an error.
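
The validation described in the comment above, sketched as an added example (not part of the original comment and not Aodh's code): build the Keystone v3 trust-scoped token request, then check the `OS-TRUST:trust` block of the response before storing the trust ID. The function names, the sample IDs and the constructed response are assumptions for illustration; sending the request to `POST /v3/auth/tokens` is left to the caller.

```python
class TrustValidationError(Exception):
    """Raised when a token response does not prove the expected trustor."""


def build_trust_auth_request(trustee_id, trustee_password, trust_id):
    """Body for POST /v3/auth/tokens that activates the trust as the trustee."""
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"id": trustee_id,
                                           "password": trustee_password}}},
        "scope": {"OS-TRUST:trust": {"id": trust_id}},
    }}


def check_trustor(token_response, trust_id, expected_trustor_id):
    """Return the trustor id if it matches the expected user, else raise.

    Fails closed: a missing or malformed OS-TRUST:trust block is rejected
    rather than treated as "nothing to check".
    """
    token = token_response.get("token") or {}
    trust = token.get("OS-TRUST:trust")
    if not isinstance(trust, dict):
        raise TrustValidationError("token is not trust-scoped")
    if trust.get("id") != trust_id:
        raise TrustValidationError("token is scoped to a different trust")
    trustor = (trust.get("trustor_user") or {}).get("id")
    if not trustor or trustor != expected_trustor_id:
        raise TrustValidationError("trustor does not match the requesting user")
    return trustor


# Constructed sample of a trust-scoped token response body (not real data).
SAMPLE_RESPONSE = {"token": {
    "OS-TRUST:trust": {"id": "trust-123", "impersonation": True,
                       "trustee_user": {"id": "aodh-service-user"},
                       "trustor_user": {"id": "user-alice"}},
}}

if __name__ == "__main__":
    # The user who submitted the alarm is the one who must be the trustor.
    print(check_trustor(SAMPLE_RESPONSE, "trust-123", "user-alice"))
    try:
        check_trustor(SAMPLE_RESPONSE, "trust-123", "user-bob")
    except TrustValidationError as exc:
        print("rejected:", exc)
```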