diff -Nru python-keystonemiddleware-10.1.0/debian/changelog python-keystonemiddleware-10.1.0/debian/changelog
--- python-keystonemiddleware-10.1.0/debian/changelog 2022-09-14 03:33:31.000000000 -0300
+++ python-keystonemiddleware-10.1.0/debian/changelog 2023-08-14 18:09:51.000000000 -0300
@@ -1,3 +1,10 @@
+python-keystonemiddleware (10.1.0-0ubuntu1~cloud1) jammy-zed; urgency=medium
+
+ * d/p/bug1987355.patch: Remove cache invalidation when using expired token
+ (LP: #1987355)
+
+ -- Jorge Merlino Mon, 14 Aug 2023 18:09:51 -0300
+
 python-keystonemiddleware (10.1.0-0ubuntu1~cloud0) jammy-zed; urgency=medium
 
 * New upstream release for the Ubuntu Cloud Archive.
diff -Nru python-keystonemiddleware-10.1.0/debian/patches/bug1987355.patch python-keystonemiddleware-10.1.0/debian/patches/bug1987355.patch
--- python-keystonemiddleware-10.1.0/debian/patches/bug1987355.patch 1969-12-31 21:00:00.000000000 -0300
+++ python-keystonemiddleware-10.1.0/debian/patches/bug1987355.patch 2023-08-14 18:09:37.000000000 -0300
@@ -0,0 +1,90 @@
+From e05466c5f439cd05482f109e6eb97a50ba156698 Mon Sep 17 00:00:00 2001
+From: Jorge Merlino
+Date: Wed, 5 Oct 2022 14:41:06 -0300
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1987355
+Origin: upstream, https://opendev.org/openstack/keystonemiddleware/commit/e05466c5f439cd05482f109e6eb97a50ba156698
+Subject: [PATCH] Remove cache invalidation when using expired token
+
+This can create a race condition for long running services that reuse
+their token (eg. Kubernetes Cinder CSI plugin) in this case for
+example:
+
+1 [user] Asks nova to attach a volume to a server
+2 ...the user's token expires
+3 [user] Asks cinder if the volume has been attached
+4 [nova] Asks cinder to attach the volume
+
+In step 3 the token is marked as invalid in the cache and step 4 fails
+even if allow_expired is true
+
+Closes-Bug: #1987355
+Change-Id: Ice8e34440a5fe1baa370646ed70b5e085c4af70e
+---
+ keystonemiddleware/auth_token/__init__.py | 6 ------
+ .../auth_token/test_auth_token_middleware.py | 19 -------------------
+ 2 files changed, 25 deletions(-)
+
+diff --git a/keystonemiddleware/auth_token/__init__.py b/keystonemiddleware/auth_token/__init__.py
+index 0feed6f..ddb2ddc 100644
+--- a/keystonemiddleware/auth_token/__init__.py
++++ b/keystonemiddleware/auth_token/__init__.py
+@@ -245,7 +245,6 @@ from keystonemiddleware.i18n import _
+
+
+ _LOG = logging.getLogger(__name__)
+-_CACHE_INVALID_INDICATOR = 'invalid'
+ oslo_cache.configure(cfg.CONF)
+
+ AUTH_TOKEN_OPTS = [
+@@ -736,10 +735,6 @@ class AuthProtocol(BaseAuthProtocol):
+ cached = self._token_cache.get(token)
+
+ if cached:
+- if cached == _CACHE_INVALID_INDICATOR:
+- self.log.debug('Cached token is marked unauthorized')
+- raise ksm_exceptions.InvalidToken()
+-
+ # NOTE(jamielennox): Cached values used to be stored as a tuple
+ # of data and expiry time. They no longer are but we have to
+ # allow some time to transition the old format so if it's a
+@@ -769,7 +764,6 @@ class AuthProtocol(BaseAuthProtocol):
+ 'The Keystone service is temporarily unavailable.')
+ except ksm_exceptions.InvalidToken:
+ self.log.debug('Token validation failure.', exc_info=True)
+- self._token_cache.set(token, _CACHE_INVALID_INDICATOR)
+ self.log.warning('Authorization failed for token')
+ raise
+ except ksa_exceptions.EndpointNotFound:
+diff --git a/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py b/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py
+index 1abe322..564cdc5 100644
+--- a/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py
++++ b/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py
+@@ -595,25 +595,6 @@ class CommonAuthTokenMiddlewareTest(object):
+ token = 'invalid-token'
+ self.call_middleware(headers={'X-Auth-Token': token},
+ expected_status=401)
+- self.assertEqual(auth_token._CACHE_INVALID_INDICATOR,
+- self._get_cached_token(token))
+-
+- def test_memcache_hit_invalid_token(self):
+- token = 'invalid-token'
+- invalid_uri = '%s/v3/tokens/invalid-token' % BASE_URI
+- self.requests_mock.get(invalid_uri, status_code=404)
+-
+- # Call once to cache token's invalid state; verify it cached as such
+- self.call_middleware(headers={'X-Auth-Token': token},
+- expected_status=401)
+- self.assertEqual(auth_token._CACHE_INVALID_INDICATOR,
+- self._get_cached_token(token))
+-
+- # Call again for a cache hit; verify it detected as cached and invalid
+- self.call_middleware(headers={'X-Auth-Token': token},
+- expected_status=401)
+- self.assertIn('Cached token is marked unauthorized',
+- self.logger.output)
+
+ def test_memcache_set_expired(self, extra_conf={}, extra_environ={}):
+ token_cache_time = 10
+--
+2.34.1
+
diff -Nru python-keystonemiddleware-10.1.0/debian/patches/series python-keystonemiddleware-10.1.0/debian/patches/series
--- python-keystonemiddleware-10.1.0/debian/patches/series 2022-09-13 12:23:58.000000000 -0300
+++ python-keystonemiddleware-10.1.0/debian/patches/series 2023-08-14 18:09:37.000000000 -0300
@@ -1,2 +1,3 @@
 no-intersphinx.patch
 drop-sphinxcontrib.rsvgconverter.patch
+bug1987355.patch
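Review bot: In `debian/patches/bug1987355.patch`, the inner hunks at -736 and -769 of `keystonemiddleware/auth_token/__init__.py` drop the negative cache entirely, so a rejected token is no longer remembered and each repeat of it presumably costs another validation round trip to Keystone; the fall-through path is outside the hunk, so confirm that load is bounded, for example by rate limiting in front of the service. The `except ksm_exceptions.InvalidToken:` branch should carry a comment such as `# Rejected tokens are deliberately not cached (LP #1987355): an expired token can still be accepted when allow_expired is set.` so the sentinel is not reintroduced later. The patch deletes `test_memcache_hit_invalid_token` and the cache assertion in the preceding test without pinning the new behaviour; adding `self.assertIsNone(self._get_cached_token(token))` after the 401 call would do that, assuming the helper returns None on a miss. Entries already stored as `'invalid'` by the previous version may remain in a shared cache until they expire, and how the code after `if cached:` handles that string is not visible here, since the enclosing method starts and ends outside the hunk.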