If the token is not valid, has expired, isn't scoped for the correct user/privileges, then Keystone raises a validation error. (reference: https://github.com/openstack/keystone/blob/master/keystone/tests/test_auth.py)
I don't think there's a difference if the token is scoped incorrectly (which is the closest meaning to "Does the token allow service usage") in the exception raised. So you might just have one diamond there.
If the token is not valid, has expired, isn't scoped for the correct user/privileges, then Keystone raises a validation error. (reference: https:/ /github. com/openstack/ keystone/ blob/master/ keystone/ tests/test_ auth.py)
I don't think there's a difference if the token is scoped incorrectly (which is the closest meaning to "Does the token allow service usage") in the exception raised. So you might just have one diamond there.