This is partially due to how the auth_token middleware works. Right now the auth_token middleware is only aware of 3 status codes:
1) 200 - Validated Token, everything is ok
2) 404 - Invalid X-Subject-Token (or token in the URI for v2), token is expired or otherwise bad
3) 401 - Invalid X-Auth-token, we need a new "admin" token to validate tokens against keystone
In the current setup, 404 is the "correct" response to an invalid X-SUBJECT-TOKEN which is the case in this scenario. If we want to add in better responses, auth_token middleware needs to be made aware of the new HTTP responses as well (and before we start using them in keystone server)
This is partially due to how the auth_token middleware works. Right now the auth_token middleware is only aware of 3 status codes:
1) 200 - Validated Token, everything is ok
2) 404 - Invalid X-Subject-Token (or token in the URI for v2), token is expired or otherwise bad
3) 401 - Invalid X-Auth-token, we need a new "admin" token to validate tokens against keystone
In the current setup, 404 is the "correct" response to an invalid X-SUBJECT-TOKEN which is the case in this scenario. If we want to add in better responses, auth_token middleware needs to be made aware of the new HTTP responses as well (and before we start using them in keystone server)