We determined the above assertion to be incorrect in code review; I'm proposing a corresponding spec change: https://review.openstack.org/#/c/20137/
Instead, disabling a domain will still result in relevant token revocation, and service-side authentication will need to check both the user's domain and the authorized project's domain for a disabled state prior to allowing auth.
We determined the above assertion to be incorrect in code review; I'm proposing a corresponding spec change: https:/ /review. openstack. org/#/c/ 20137/
Instead, disabling a domain will still result in relevant token revocation, and service-side authentication will need to check both the user's domain and the authorized project's domain for a disabled state prior to allowing auth.