Alex, I believe you are right and the problem is in the clock skew (based on logs you provided the host with keystone-api is more than 1 minute behind) and keystone does the following checks of tokens in cryptography:
https://github.com/pyca/cryptography/blob/master/src/cryptography/fernet.py#L94-L95
Max clock skew allowed is 60 seconds:
https://github.com/pyca/cryptography/blob/master/src/cryptography/fernet.py#L26
Thus, tokens from the future are considered to be invalid.
QA team, could you please make sure we sync time in the test?
Alex, I believe you are right and the problem is in the clock skew (based on logs you provided the host with keystone-api is more than 1 minute behind) and keystone does the following checks of tokens in cryptography:
https:/ /github. com/pyca/ cryptography/ blob/master/ src/cryptograph y/fernet. py#L94- L95
Max clock skew allowed is 60 seconds:
https:/ /github. com/pyca/ cryptography/ blob/master/ src/cryptograph y/fernet. py#L26
Thus, tokens from the future are considered to be invalid.
QA team, could you please make sure we sync time in the test?