Comment 4 for bug 1703369

Matthew Edmonds (edmondsw) wrote :

I don't know that I'd consider this a vulnerability in any release, but I guess you could say that since we ignore "identity:get_identity_providers" in keystone policy.json, someone who changes that value will think they've restricted that API when they have not actually done so. But the default that would have taken effect was admin (for any release), so the only way you could be trying to restrict more than that is to disable it entirely. And someone customizing policy should test that their changes are working, so I don't expect anybody is in this boat today.
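
An added example, not part of the comment above and not keystone code: a check that flags policy file keys the service never enforces, so that an override with no effect is caught before it is relied on. The enforced-rule list, the sample policy content and the function name `find_ignored_overrides` are constructed assumptions; take the real rule list from the deployed release.

```python
import difflib
import json
import re

# Constructed sample: rule names the service checks at its API enforcement
# points. Assumption for illustration; obtain the real list from the release
# that is actually deployed.
ENFORCED_RULES = {
    "identity:create_identity_provider",
    "identity:list_identity_providers",
    "identity:get_identity_provider",
}

# Constructed sample policy.json content containing an operator override.
SAMPLE_POLICY = """{
    "admin_required": "role:admin",
    "identity:get_identity_providers": "!",
    "identity:create_identity_provider": "rule:admin_required"
}"""

# Matches references to other entries inside a rule expression.
RULE_REF = re.compile(r"rule:([\w:.\-]+)")


def find_ignored_overrides(policy_text, enforced):
    """Return {key: closest enforced names} for policy keys nothing uses."""
    policy = json.loads(policy_text)
    # Keys referenced as "rule:<name>" by other entries are aliases, not dead.
    referenced = set()
    for expr in policy.values():
        referenced.update(RULE_REF.findall(str(expr)))
    ignored = {}
    for key in policy:
        if key in enforced or key in referenced:
            continue
        # Near matches help spot a misnamed key rather than a stale one.
        ignored[key] = difflib.get_close_matches(
            key, sorted(enforced), n=2, cutoff=0.8)
    return ignored


if __name__ == "__main__":
    found = find_ignored_overrides(SAMPLE_POLICY, ENFORCED_RULES)
    for key, near in found.items():
        print(f"{key!r} is never enforced; closest enforced names: {near}")
```

A key reported here has no effect on any API, whatever value it is set to, including the "!" used to disable a rule entirely.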