when keystonemiddleware.auth_token.AuthProtocol.validate_token gets an unexpected Exception, it marks the token invalid in its cache with a store_invalid call [0].
except Exception:
self._LOG.debug('Token validation failure.', exc_info=True)
if token_id:
self._token_cache.store_invalid(token_id)
self._LOG.warn(_LW('Authorization failed for token'))
raise exc.InvalidToken(_('Token authorization failed'))
The token may or may not actually be invalid. An error getting the revocation list, for example, could (and did, it appears, in my case) lead to this. Once marked invalid in the cache, future attempts to use the token will fail until/unless the cache is reinitialized.
[0] https://github.com/openstack/keystonemiddleware/blob/ba68a74e65ad893e4beeb45b984b2514e60cbdea/keystonemiddleware/auth_token/__init__.py#L840-L845
I hit this with Kilo, but it looks like Liberty has the same issue.