--- keystone/token/providers/common.py.orig 2017-03-01 21:09:57.221278528 +0000
+++ keystone/token/providers/common.py 2017-03-01 21:09:51.134244716 +0000
@@ -315,11 +315,15 @@
 if not (admin_project_name and admin_project_domain_name):
 return # admin project not enabled
- project = token_data['project']
-
- token_data['is_admin_project'] = (
- project['name'] == admin_project_name and
- project['domain']['name'] == admin_project_domain_name)
+ # Since 'is_admin_project' only supported for project scoped tokens,
+ # return False if not project scoped
+ if 'project' in token_data:
+ project = token_data['project']
+ token_data['is_admin_project'] = (
+ project['name'] == admin_project_name and
+ project['domain']['name'] == admin_project_domain_name)
+ else:
+ token_data['is_admin_project'] = False
 def _get_roles_for_user(self, user_id, domain_id, project_id):
 roles = []
@@ -576,8 +580,7 @@
 token_data['bind'] = bind
 self._populate_scope(token_data, domain_id, project_id)
- if token_data.get('project'):
- self._populate_is_admin_project(token_data)
+ self._populate_is_admin_project(token_data)
 self._populate_user(token_data, user_id, trust)
 self._populate_roles(token_data, user_id, domain_id, project_id, trust, access_token)
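Review bot: The new `if 'project' in token_data:` test in the first hunk is weaker than the caller-side guard this patch removes (`token_data.get('project')`): a `project` key that is present but `None` or empty would now reach `project['name']` and raise instead of yielding `False`. Whether `_populate_scope` can leave such a value is not visible here, so it is safer to keep the truthiness check, e.g. `project = token_data.get('project')` followed by `if project:`. The comment could also state why the explicit `False` matters: presumably policy consumers should not be left to infer admin-project status from a missing key, which is still what happens on the early `return` when no admin project is configured. The function's signature and opening lines are outside the hunk.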
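Review bot: With the guard removed in the second hunk, the call to `_populate_is_admin_project` depends on running after `_populate_scope`, which presumably is what adds `project` to `token_data`; a comment such as `# must follow _populate_scope: reads token_data['project']` would stop a later reorder from silently marking every project-scoped token as non-admin. The call also now adds `is_admin_project: False` to unscoped and domain-scoped token bodies whenever an admin project is configured, so any schema validation or tests for those token types need to accept the new key, and none are visible in this patch. The enclosing function starts and ends outside the hunk.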