Hello All,

I'm trying to get a test idp setup going via this document: https://docs.openstack.org/kolla-ansible/latest/contributor/setup-identity-p... and everything seems to be configured correctly; however, I am getting a 403 when I try to use the openstack CLI to test.

    # openstack token issue
    You are not authorized to perform the requested action. (HTTP 403) (Request-ID: req-be79246b-ccc1-4fbd-ba3f-fa98b9cae7ba)

    # openstack user show customer01
    You are not authorized to perform the requested action. (HTTP 403) (Request-ID: req-4e385968-796e-44a0-8003-351188c202ba)

In the keystone log I see a traceback with handle_unscoped_token and apply_mapping_filter (full output here: https://pastebin.com/xZ2qeCPW ), so maybe I'm missing something with permissions?

I have the attribute mapping exactly as it is in the documentation, and I'm getting this when I replicate the POST to userinfo with the bearer token:

    {"sub":"$UUID","email_verified":true,"name":"CustomerFirst CustomerLast","preferred_username":"customer01","given_name":"CustomerFirst","openstack-default-project":"customers","openstack-user-domain":"cloud.ld","family_name":"CustomerLast","email":"customer01@example.com"}

I also checked Keycloak and the user event log shows green authentications.

Both domain and project exist in identity as well:

    # openstack domain list | grep cloud.ld
    | $UUID | cloud.ld | True | |

    # openstack project list | grep customers
    | $UUID | customers |

I'm using these exports for the client:

    export OS_AUTH_URL=http://$KEYSTONE_IP:5000/v3
    export OS_PROJECT_NAME="customers"
    export OS_PROJECT_DOMAIN_NAME="cloud.ld"
    export OS_USERNAME="customer01"
    export OS_PASSWORD="$USER_PASSWORD"
    export OS_INTERFACE=public
    export OS_IDENTITY_API_VERSION=3
    export OS_CACERT=/etc/ssl/certs/ca-certificates.crt
    export OS_AUTH_TYPE=v3oidcpassword
    export OS_CLIENT_ID=Keystone
    export OS_CLIENT_SECRET=$SECRET_ALTHOUGH_DOESNT_MATTER
    export OS_IDENTITY_PROVIDER=cloud.ld
    export OS_PROTOCOL=openid
    export OS_ACCESS_TOKEN_ENDPOINT=https://$KEYCLOAK_IP:8443/realms/cloud.ld/protocol/openid-connect/token

Is there anything I might be missing here? Thanks for any help!
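The traceback names apply_mapping_filter, which is the step where keystone matches the federated assertion against the mapping rule; it only succeeds if every remote attribute the rule names is actually present in the assertion. The following is an added example, not part of the post and not keystone's own code: a simplified evaluator that takes the userinfo claims quoted above, prefixes them the way mod_auth_openidc hands them to keystone (assumed here to be OIDC-<claim>), and applies a mapping rule assumed to have the same shape as the one in the kolla-ansible document, reporting which remote attributes are missing.

```python
import re

# Constructed userinfo claims, taken from the post (identifiers redacted).
USERINFO = {
    "sub": "$UUID", "email_verified": True, "name": "CustomerFirst CustomerLast",
    "preferred_username": "customer01", "given_name": "CustomerFirst",
    "openstack-default-project": "customers", "openstack-user-domain": "cloud.ld",
    "family_name": "CustomerLast", "email": "customer01@example.com",
}

# Assumed mapping rule in the shape the kolla-ansible document uses; check
# the deployed one with `openstack mapping show <id>` before trusting this.
MAPPING_RULES = [{
    "local": [
        {"user": {"name": "{0}", "email": "{1}"}, "domain": {"name": "{2}"}},
        {"projects": [{"name": "{3}", "roles": [{"name": "member"}]}]},
    ],
    "remote": [
        {"type": "OIDC-preferred_username"},
        {"type": "OIDC-email"},
        {"type": "OIDC-openstack-user-domain"},
        {"type": "OIDC-openstack-default-project"},
    ],
}]


def assertion_from_claims(claims, prefix="OIDC-"):
    """Mimic mod_auth_openidc: each userinfo claim reaches keystone as an
    environment variable named <prefix><claim> (the prefix is an assumption)."""
    return {prefix + k: str(v) for k, v in claims.items()}


def _render(node, values):
    """Substitute {n} placeholders in the local part with the n-th remote value."""
    if isinstance(node, str):
        return re.sub(r"\{(\d+)\}", lambda m: values[int(m.group(1))], node)
    if isinstance(node, list):
        return [_render(n, values) for n in node]
    if isinstance(node, dict):
        return {k: _render(v, values) for k, v in node.items()}
    return node


def apply_mapping(rules, assertion):
    """Return (rendered_local, missing): the first rule whose remote attributes
    are all present is rendered; otherwise every absent attribute is listed,
    which is the condition under which keystone's mapping step gives up."""
    missing = []
    for rule in rules:
        absent = [r["type"] for r in rule["remote"] if r["type"] not in assertion]
        if absent:
            missing.extend(absent)
            continue
        values = [assertion[r["type"]] for r in rule["remote"]]
        return _render(rule["local"], values), []
    return None, missing
```

Running it with the claims from the post renders user customer01 in domain cloud.ld with project customers; dropping any one claim (or a prefix mismatch in the Apache config) makes it return the missing attribute names instead, which is the first thing to compare against the real mapping.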