I completely agree. The best existing documentation that I'm aware of is here (see the "methods" attribute):
https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#tokens
> What happens if the method list is omitted, but e.g. password data is provided?
I would expect a 400 Bad Request, as I expect "methods" to be a required object in the request. However, it doesn't appear to be documented that way. And yes, it's completely redundant with the methods that are actually presented.
> What happens if two methods result in different outcomes?
I'm not sure this is defined at the API level (this is arguably a concern for the implementation?) but I would expect a 401.
> Do the methods have to be tried in order and then 'first success returns'?
Again, I don't think this is defined at the API level, but in this case, I think it should be. All authentication methods should be validated and fail fast.
> I think supporting multiple methods in one call is going to be incredibly difficult to get right.
Agree!
> What is the motivation here? Is this supposed to support multi-factor auth?
Yes, "methods" is explicitly intended to support multi-factor authentication.
In terms of a "bug," I'm marking this as 'wishlist' but it should be relatively high priority work to clearly define these behaviors.
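The behaviour the comment above expects, as an added example that is not part of the original comment and is not Keystone's implementation: a missing "methods" list gives 400, and every listed method must succeed or the request gives 401. The credential stores, verifier functions, the exact-match rule between "methods" and the presented data, and the same-user check are assumptions made for illustration.

```python
# Added illustration, not Keystone code. Credential stores and verifiers are hypothetical.
import hmac

USERS = {"alice": "correct-horse"}              # constructed sample data
TOKENS = {"tok-a": "alice", "tok-b": "bob"}     # constructed sample data

def verify_password(data):
    user = data.get("user")
    if not isinstance(user, dict):
        return None
    name, supplied = user.get("name"), user.get("password")
    expected = USERS.get(name) if isinstance(name, str) else None
    if expected is None or not isinstance(supplied, str):
        return None
    ok = hmac.compare_digest(expected.encode(), supplied.encode())
    return name if ok else None

def verify_token(data):
    token_id = data.get("id")
    return TOKENS.get(token_id) if isinstance(token_id, str) else None

VERIFIERS = {"password": verify_password, "token": verify_token}

def authenticate(body):
    """Return the HTTP status for a v3-style auth request body."""
    auth = body.get("auth") if isinstance(body, dict) else None
    identity = auth.get("identity") if isinstance(auth, dict) else None
    methods = identity.get("methods") if isinstance(identity, dict) else None
    # "methods" is treated as required: omitted or empty is a malformed request.
    if not isinstance(methods, list) or not methods:
        return 400
    if not all(isinstance(m, str) and m in VERIFIERS for m in methods):
        return 400                               # assumption: unknown method is 400
    presented = set(identity) - {"methods"}
    # Assumption: the list must match the method data presented, with no repeats.
    if len(set(methods)) != len(methods) or set(methods) != presented:
        return 400
    principal = None
    for method in methods:
        if not isinstance(identity[method], dict):
            return 400
        who = VERIFIERS[method](identity[method])
        # Every listed method must succeed; stop at the first failure. Assumption:
        # methods that authenticate different users also count as a failure.
        if who is None or (principal is not None and who != principal):
            return 401
        principal = who
    return 200
```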