root@4d4627c10662:/etc/keystone# curl -k -H "X-Auth-Token:ADMIN" -H "X-Subject-Token:$d" http://localhost:35357/v3/auth/tokens | python -mjson.tool
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 292 100 292 0 0 154 0 0:00:01 0:00:01 --:--:-- 154
{
"token": {
"audit_ids": [
"c5zfY85bTrm_q8pAy2hk-A"
],
"expires_at": "2015-03-14T20:44:40Z",
"extras": {},
"issued_at": "2015-03-10T16:44:40Z",
"methods": [
"password",
"token"
],
"user": {
"domain": {
"id": "default",
"name": "Default"
},
"id": "ad89796c89e7422bb8b9f1bbf9d84bf6",
"name": "admin"
}
}
}
root@4d4627c10662:/etc/keystone#
Support for domain scoped tokens was added in https:/ /github. com/openstack/ keystone/ commit/ 622b51e096dd87e 117e1e941719695 6131edfb1a
The above looks like an unscoped token; if you were expecting a domain-scoped token, the above patch should change the validation result.