Comment 13 for bug 1878438

Ah, sorry, I just read Kristi's reply in my (duplicate) bug report after posting the above:
https://bugs.launchpad.net/keystone/+bug/1886607

"What the the openstackclient is trying to do, is authenticate using the token to fetch another token. This appears to break for tokens that have been fetched using application credentials (and would be of limited usability anyway)

You can avoid the reathentication step of the openstackclient by specifying --os-endpoint to directly provide the url of the service you're trying to issue commands to.

For example:
unset OS_AUTH_TYPE
openstack --os-token $TOKEN --os-endpoint http://localhost/identity/v3 project list --verbose"

Maybe I've misunderstood-- if I generate a token using application credentials and then re-use that token, does the openstack client use that token to generate *another* token in the background? If this is the case, then our use case described above isn't doing anything productive and we need to re-work.