Comment 10 for bug 1525214

Alex, I believe you are right and the problem is in the clock skew (based on logs you provided the host with keystone-api is more than 1 minute behind) and keystone does the following checks of tokens in cryptography:

https://github.com/pyca/cryptography/blob/master/src/cryptography/fernet.py#L94-L95

Max clock skew allowed is 60 seconds:

https://github.com/pyca/cryptography/blob/master/src/cryptography/fernet.py#L26

Thus, tokens from the future are considered to be invalid.

QA team, could you please make sure we sync time in the test?