Rescope in V3 for invalid/expired token should return unauthorized (returns 404 currently)

Bug #1243336 reported by Arun Kant
Affects                        Status   Importance  Assigned to  Milestone
OpenStack Identity (keystone)  Opinion  Wishlist    Unassigned
python-keystoneclient          Opinion  Wishlist    Unassigned

Bug Description

Token rescope operation in V3 API is currently returning "Not Found" (404) error for invalid or expired token input. Like other plugins, it should be considered as re-verification of authentication data and should return "Unauthorized" (401) error for this case. This can be considered similar to providing incorrect username or password in password method credentials data.

Related code is in: https://github.com/openstack/keystone/blob/master/keystone/auth/plugins/token.py#L40

Arun Kant (arukant) wrote :

In v2 rescope, invalid and expired token case returns Unauthorized (401) error which is correct. So above issue needs to be addressed in V3 only.

Related code: https://github.com/openstack/keystone/blob/master/keystone/token/controllers.py#L151

Morgan Fainberg (mdrnstm) wrote :

This is partially due to how the auth_token middleware works. Right now the auth_token middleware is only aware of 3 status codes:

1) 200 - Validated Token, everything is ok
2) 404 - Invalid X-Subject-Token (or token in the URI for v2), token is expired or otherwise bad
3) 401 - Invalid X-Auth-token, we need a new "admin" token to validate tokens against keystone

In the current setup, 404 is the "correct" response to an invalid X-SUBJECT-TOKEN which is the case in this scenario. If we want to add in better responses, auth_token middleware needs to be made aware of the new HTTP responses as well (and before we start using them in keystone server)

affects: keystone → python-keystoneclient
Changed in keystone:
status: New → Triaged
importance: Undecided → Wishlist
Changed in python-keystoneclient:
status: New → Triaged
importance: Undecided → Wishlist
Morgan Fainberg (mdrnstm) wrote :

Perhaps 403 is the correct response for "invalid" x-subject-tokens.

Reference to current code that would need to be fixed in keystoneclient https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L1104

Dolph Mathews (dolph) wrote :

This has been previously discussed, and 404 is the preferred status code for an invalid subject token, which must be distinguished from an invalid X-Auth-Token. An invalid/revoked/expired X-Subject-Token CANNOT be "considered similar to providing incorrect username or password" -- the requestor is authenticated by the X-Auth-Token, not by the X-Subject-Token. I don't think there's any room to change status codes here.
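The two comments above (Morgan's list of the three status codes auth_token understands, and Dolph's point that the caller is authenticated by X-Auth-Token rather than X-Subject-Token) can be illustrated with a small model of the validation flow. The following is an added example, not keystone's or keystoneclient's code: the token store, the `keystone_validate` mock and the `AuthTokenMiddleware` class are constructed for this illustration. It shows why the middleware must be able to tell the two failure cases apart: a 401 means the middleware's own service token is bad and should be refreshed, while a 404 means the end user's subject token is bad and the user request is rejected without touching the service token.

```python
"""Model of how a token-validating middleware treats X-Auth-Token (its own
service credential) versus X-Subject-Token (the end user's token).

Added illustration for this bug thread; not code from keystone or
python-keystoneclient. All token values below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed stand-in for keystone's token store. Values are made up.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
TOKENS = {
    "admin-ok":     {"expires": NOW + timedelta(hours=1), "admin": True},
    "user-ok":      {"expires": NOW + timedelta(hours=1), "admin": False},
    "user-expired": {"expires": NOW - timedelta(hours=1), "admin": False},
}


@dataclass
class Response:
    status: int
    body: str = ""


def keystone_validate(x_auth_token, x_subject_token, now=NOW):
    """Mock of the validate call, using the split described in the thread:
    401 if the caller's own X-Auth-Token is bad, 404 if the X-Subject-Token
    is unknown or expired, 200 if the subject token is valid."""
    auth = TOKENS.get(x_auth_token)
    if auth is None or auth["expires"] <= now or not auth["admin"]:
        return Response(401, "caller not authenticated")
    subject = TOKENS.get(x_subject_token)
    if subject is None or subject["expires"] <= now:
        return Response(404, "subject token not found")
    return Response(200, "valid")


class AuthTokenMiddleware:
    """Minimal stand-in for auth_token: holds a service token, validates
    the incoming user token, refreshes its own token on 401 and retries
    once, and rejects the user request on 404."""

    def __init__(self, admin_token, get_admin_token):
        self.admin_token = admin_token
        self._get_admin_token = get_admin_token   # callable fetching a fresh service token
        self.refreshes = 0

    def check(self, user_token):
        """Return (decision, status sent to the user) for one request."""
        for attempt in range(2):
            resp = keystone_validate(self.admin_token, user_token)
            if resp.status == 200:
                return ("allow", 200)
            if resp.status == 404:
                # Subject token bad: the *user* is rejected. The service
                # token was accepted, so it is left alone.
                return ("reject", 401)
            if resp.status == 401 and attempt == 0:
                # Our own credential was rejected: refresh it once and retry.
                self.admin_token = self._get_admin_token()
                self.refreshes += 1
                continue
            # Refresh did not help, or an unexpected code: fail closed.
            return ("error", 503)


def run_scenarios():
    """Exercise the four cases the thread discusses and return the outcomes."""
    mw = AuthTokenMiddleware("admin-ok", lambda: "admin-ok")
    results = {
        "valid user":   mw.check("user-ok"),
        "expired user": mw.check("user-expired"),
        "unknown user": mw.check("no-such-token"),
        "refreshes after user failures": mw.refreshes,
    }
    stale = AuthTokenMiddleware("admin-stale", lambda: "admin-ok")
    results["stale admin, valid user"] = stale.check("user-ok")
    results["stale admin refreshes"] = stale.refreshes
    broken = AuthTokenMiddleware("admin-stale", lambda: "admin-stale")
    results["admin cannot be refreshed"] = broken.check("user-ok")
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The "refreshes after user failures" entry is the point of the distinction: a bad subject token never triggers a service-token refresh. If keystone returned 401 for a bad subject token as well, the middleware would refresh its own credential on every expired or unknown user token and then misreport the result, which is why the two codes are kept separate.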

Changed in keystone:
status: Triaged → Opinion
Changed in python-keystoneclient:
status: Triaged → Opinion