GH-orc-596: Requests with application credentials created with access rules (access_rules_support) failing

    • Resolution: Unresolved

      Originally posted on GitHub: https://github.com/k-orc/openstack-resource-controller/issues/596

      Problem description
      Bug:
      I am using Application Credentials created with access_rules like the following to read the networks and tokens:
      [
        { "service": "identity", "path": "/v3/auth/tokens", "method": "GET" },
        { "service": "identity", "path": "/v3/**", "method": "HEAD" },
        { "service": "identity", "path": "/v3/**", "method": "GET" },
        { "service": "identity", "path": "/v3/**", "method": "POST" },
        { "service": "identity", "path": "/v3/**", "method": "PUT" },
        { "service": "identity", "path": "/v3/**", "method": "DELETE" },
        { "service": "network", "path": "/v2.0/**", "method": "GET" },
        { "service": "network", "path": "/v2.0/**", "method": "POST" },
        { "service": "network", "path": "/v2.0/**", "method": "HEAD" },
        { "service": "project", "path": "/v3/**", "method": "POST" },
        { "service": "project", "path": "/v3/**", "method": "GET" },
        { "service": "project", "path": "/v3/**", "method": "HEAD" }
      ]

      Used k-orc resource:
      apiVersion: openstack.k-orc.cloud/v1alpha1
      kind: Network
      metadata:
        name: external-network
      spec:
        cloudCredentialsRef:
          cloudName: openstack
          secretName: osp-clouds-yaml
        managementPolicy: unmanaged
        import:
          id: 3ba5d3c0-d158-4c9b-ac8a-c98208fcad3b

      Fails with error:
      Expected HTTP response code [200 203] when accessing [GET https://xxxxxxxxxxxxxxxx:13000/v3/auth/tokens], but got 404 instead: {"error":{"code":404,"message":"Failed to validate token","title":"Not Found"}}

      Note:
      CLI Command tested with same credentials and works fine.

      OpenStack logs:
      2025-12-10 11:06:29.408 434 ERROR keystone.token.provider [req-425ecb51-998b-4409-a92d-b3413955fe77 6ad01e8a65814602dc9ad4bd6049ec5906a7250107cf5bbc6e44eb93f70779fb f02f5809f01746108a3c93c607066f49 - 738eb0399cf8480e889d66ecbace25ea default] Attempted to use application credential access rules with a middleware that does not understand them. You must upgrade keystonemiddleware on all services that accept application credentials as an authentication method.: None: None

      Error from the OpenStack Keystone function:
      def _validate_token_access_rules(self, token, access_rules_support=None):
          if token.application_credential_id:
              app_cred_api = PROVIDERS.application_credential_api
              app_cred = app_cred_api.get_application_credential(
                  token.application_credential_id)
              if (app_cred.get('access_rules') is not None and
                      (not access_rules_support or
                       (float(access_rules_support) < ACCESS_RULES_MIN_VERSION))):
                  LOG.exception('Attempted to use application credential'
                                ' access rules with a middleware that does not'
                                ' understand them. You must upgrade'
                                ' keystonemiddleware on all services that'
                                ' accept application credentials as an'
                                ' authentication method.')
                  raise exception.TokenNotFound(_('Failed to validate token'))

      My Test cloud credentials:
      {
        "clouds": {
          "openstack": {
            "auth": {
              "application_credential_id": "xxxxxxxxxxxxxx",
              "application_credential_secret": "xxxxxxxxxxxxxxxxx",
              "auth_url": "https://xxxxxxxxxxxxxxxxxx:13000"
            },
            "auth_type": "v3applicationcredential",
            "identity_api_version": 3,
            "interface": "public",
            "region_name": "xxxxxxxxxxx"
          }
        }
      }

      ORC version
      v2.2.0 + v2.3.0
      Additional information
      The above works only with "Unrestricted Credentials"
      Relevant log output
      From K-orc resource status:

      Expected HTTP response code [200 203] when accessing [GET https://xxxxxxxxxxxxxxxxxx:13000/v3/auth/tokens], but got 404 instead: {"error":{"code":404,"message":"Failed to validate token","title":"Not Found"}}

      From OpenStack Keystone:

      2025-12-10 11:06:29.408 434 ERROR keystone.token.provider [req-425ecb51-998b-4409-a92d-b3413955fe77 6ad01e8a65814602dc9ad4bd6049ec5906a7250107cf5bbc6e44eb93f70779fb f02f5809f01746108a3c93c607066f49 - 738eb0399cf8480e889d66ecbace25ea default] Attempted to use application credential access rules with a middleware that does not understand them. You must upgrade keystonemiddleware on all services that accept application credentials as an authentication method.: None: None
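
The condition in the quoted Keystone function can be exercised on its own. The following is an added example, not part of the original issue and not Keystone code: a stand-alone Python model with a constructed credential store (`APP_CREDS`), a hypothetical `outcome` helper, and an assumed `ACCESS_RULES_MIN_VERSION` of 1.0 (the page does not show its value). It shows why validation succeeds for an unrestricted credential no matter what the caller advertises, and returns 404 for a credential with access rules unless a sufficient `access_rules_support` value is passed.

```python
# Added illustration: a stand-alone model of the Keystone check quoted in the
# issue. Nothing here imports or calls Keystone itself.

ACCESS_RULES_MIN_VERSION = 1.0  # assumption: the page does not show this value


class TokenNotFound(Exception):
    """Stand-in for keystone's exception.TokenNotFound (seen by callers as 404)."""


# Constructed credential store; the IDs and the rule are sample data.
APP_CREDS = {
    "restricted": {"access_rules": [
        {"service": "identity", "path": "/v3/auth/tokens", "method": "GET"}]},
    "unrestricted": {},  # no access_rules key at all
}


def validate_token_access_rules(app_cred_id, access_rules_support=None):
    """Mirror the quoted condition; raise TokenNotFound when it rejects."""
    if not app_cred_id:  # token was not issued from an application credential
        return True
    app_cred = APP_CREDS[app_cred_id]
    if app_cred.get("access_rules") is not None and (
            not access_rules_support
            or float(access_rules_support) < ACCESS_RULES_MIN_VERSION):
        raise TokenNotFound("Failed to validate token")
    return True


def outcome(app_cred_id, access_rules_support=None):
    """Return the HTTP status a caller validating the token would observe."""
    try:
        validate_token_access_rules(app_cred_id, access_rules_support)
        return 200
    except TokenNotFound:
        return 404


if __name__ == "__main__":
    # Print the decision matrix: credential kind x advertised support value.
    for cred in ("unrestricted", "restricted"):
        for support in (None, "0.9", "1.0"):
            print(f"{cred:12} support={support!s:5} -> {outcome(cred, support)}")
```
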
