Comment 4 for bug 1689468

I had trouble reproducing this right away, I was seeing this:

$ curl -1 -k -X GET http://$OPENSTACK/identity/v3/projects -H "X-Auth-Token: $TOKEN" -H "Accept: application/json"
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>503 Service Unavailable</title>
</head><body>
<h1>Service Unavailable</h1>
<p>The server is temporarily unable to service your
request due to maintenance downtime or capacity
problems. Please try again later.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 127.0.0.1 Port 80</address>
</body></html>

Devstack runs keystone under apache and I guess apache just doesn't accept malformed headers, as this happens with the default vhost too:

$ curl -1 -k -X GET http://$OPENSTACK -H "X-Header-I-Just-Made-Up: $TOKEN"
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 127.0.0.1 Port 80</address>
</body></html>
$ curl -1 -k -X GET http://$OPENSTACK -H "X-Header-I-Just-Made-Up: $(echo $TOKEN | tr -d '\r')"
<the whole default index.html from apache>

If neutron-server was also run behind apache it probably would not have accepted the token. So this makes me wonder if keystone should really be trying to work around malformed tokens like this, when other webservers would consider it invalid?