Comment 4 for bug 1420987

Drago (dragorosson) wrote :

I have been looking into this. The problem from our end is that the GET v2.0/tokens/{token id} endpoint (used to validate tokens, see http://developer.openstack.org/api-ref-identity-v2.html#admin-tokens) does not return the service catalog, so when the Heat API validates the token sent to it by the heatclient, it doesn't get a service catalog back. Whatever data the API gets back from validating the token is sent to the engine. The new auth_plugin in the engine expects this data to have the service catalog.

There is a mismatch between what the V2 API documentation says (linked above) and what is actually in the code. It can be seen here that upon validating a V2 token, the service catalog is returned: http://developer.openstack.org/api-ref-identity-v2.html#admin-tokens. I have reproduced this behavior using a devstack instance as well.

It seems that the best fix for this is to update the V2 documentation and add the service catalog to that endpoint on our end (i.e. not an OpenStack code problem).