Ask Your Question

Revision history [back]

Haneef Ali is correct in that you can get a scoped token from an unscoped token. You could do it by calling


Unfortunately, it won't work for you in this case, because the unscoped token is being invalidated along with the scoped tokens, at least with my version of keystone. See: /keystone/token/

As a result, trying this call just 401's on the call to Keystone. I've validated that this is the problem by revalidating the token (update the valid column back to 1 in the unscoped_token's record), and then calling authenticate, which then succeeds.

I think Keystone would need to be altered such that the unscoped tokens were not invalidated.