Comment 2 for bug 1331790

If you're using memcache you should be able to invalidate tokens. That bug is a bug and not expected behavior. The issue is the way that keystone stores the revocation list when using memcache -- it tries to store the entire list and eventually it gets too long for memache.

Token revocations work fine with other backends. Also, we're working on revocation events which is an alternative implementation that might not have this problem.

Revoking tokens should be documented as part of the API. Applications expect it for security reasons.