Ask Your Question

Revision history [back]

Haneef Ali is correct in that you can get a scoped token from an unscoped token. You could do it by calling

openstack_auth.backend.KeystoneBackend().authenticate(token=unscoped_token)

Unfortunately, it won't work for you in this case, because the unscoped token is being invalidated along with the scoped tokens, at least with my version of keystone. See: /keystone/token/provider.py:_delete_user_tokens_callback

As a result, trying this call just 401's on the call to Keystone. I've validated that this is the problem by revalidating the token (update the valid column back to 1 in the unscoped_token's record), and then calling authenticate, which then succeeds.

I think Keystone would need to be altered such that the unscoped tokens were not invalidated.