Comment 4 for bug 1193221

Dolph Mathews (dolph) wrote :

Deleting tokens is not the same as revoking them in the case of PKI.

In the case of UUID tokens, deleting tokens from keystone results in online validation failure, which is the behavior I think you're looking for. If that's the case, consider switching keystone.conf token_format to 'UUID'.

In the case of PKI tokens, they can be validated client-side (in the nova pipeline) without reaching out to keystone (where you're actually deleting token records... an action that has no consequence other than losing audit capabilities for PKI). Revoked PKI tokens are published in the token revocation list, which is periodically pulled by auth_token and results in otherwise valid (not expired) tokens being denied. For example, revoking a role from a user results in that user's otherwise valid tokens being revoked.

To explicitly revoke a specific token (regardless of PKI or UUID), use the API rather than modifying the database directly, e.g. DELETE /v2.0/tokens/{token_id}
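As an added illustration of the distinction drawn above (example code, not from this bug report or from keystone), the Python sketch below mimics online UUID validation against the token table and offline PKI validation against a revocation list, and shows that deleting the database row affects only the former. The revocation-list layout (`{"revoked": [{"id", "expires"}]}` with an MD5 hex digest of the token as the id), the unsigned stand-in for a CMS-signed PKI token, and the sample data are all assumptions.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from keystone): one token with 1 hour of validity.
NOW = datetime(2013, 6, 21, 12, 0, tzinfo=timezone.utc)
TOKEN_ID = "7f1c2a3b4d5e6f708192a3b4c5d6e7f8"
TOKEN_BODY = {"access": {"token": {"id": TOKEN_ID,
                                   "expires": (NOW + timedelta(hours=1)).isoformat()}}}
# A real PKI token is a CMS-signed copy of this body; here it is just serialised.
PKI_TOKEN = json.dumps(TOKEN_BODY, sort_keys=True)


def uuid_token_valid(token_id, token_store, now=NOW):
    """Online validation: keystone looks the id up in its token table."""
    row = token_store.get(token_id)
    if row is None:                      # row deleted -> lookup fails -> token rejected
        return False
    return datetime.fromisoformat(row["expires"]) > now


def pki_token_valid(pki_token, revocation_list, now=NOW):
    """Offline validation as auth_token does it: no call to keystone at all."""
    body = json.loads(pki_token)["access"]["token"]   # signature check omitted (assumption)
    if datetime.fromisoformat(body["expires"]) <= now:
        return False
    # Assumption: revoked entries are keyed by the MD5 hex digest of the token.
    digest = hashlib.md5(pki_token.encode()).hexdigest()
    return all(entry["id"] != digest for entry in revocation_list["revoked"])


def demo():
    """Returns (before, after_db_delete, after_revocation) validity results."""
    store = {TOKEN_ID: {"expires": TOKEN_BODY["access"]["token"]["expires"]}}
    revoked = {"revoked": []}
    before = (uuid_token_valid(TOKEN_ID, store), pki_token_valid(PKI_TOKEN, revoked))
    del store[TOKEN_ID]          # "deleting the token" directly in the database
    after_delete = (uuid_token_valid(TOKEN_ID, store), pki_token_valid(PKI_TOKEN, revoked))
    # Proper revocation: the token's digest is published in the revocation list.
    revoked["revoked"].append({"id": hashlib.md5(PKI_TOKEN.encode()).hexdigest(),
                               "expires": TOKEN_BODY["access"]["token"]["expires"]})
    after_revoke = pki_token_valid(PKI_TOKEN, revoked)
    return before, after_delete, after_revoke


if __name__ == "__main__":
    print(demo())   # ((True, True), (False, True), False)
```

The middle result is the point of the comment: after the row is gone, the UUID path fails but the PKI path still accepts the token until its digest appears in the revocation list.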