Comment 5 for bug 1690203

I dug into the keystoneauth code today, and I don't think this is actually a defect after all. The Token auth plugin appears to be designed, like the other auth plugins, to get you a token with the scope that you ask for. This makes sense when you consider that it's possible to use a token with one scope to request a new token with a different scope. So if you don't specify a project_id (or other scope) when constructing keystoneauth1.identity.v3.Token, it's not surprising that you get an unscoped auth.