Comment 2 for bug 1243336

This is partially due to how the auth_token middleware works. Right now the auth_token middleware is only aware of 3 status codes:

1) 200 - Validated Token, everything is ok
2) 404 - Invalid X-Subject-Token (or token in the URI for v2), token is expired or otherwise bad
3) 401 - Invalid X-Auth-token, we need a new "admin" token to validate tokens against keystone

In the current setup, 404 is the "correct" response to an invalid X-SUBJECT-TOKEN which is the case in this scenario. If we want to add in better responses, auth_token middleware needs to be made aware of the new HTTP responses as well (and before we start using them in keystone server)