It turns out that Keystone already supports handling PKI-signed tokens via the MD5 hash but only for the SQL token backend. The work to add it to the KVS token backend will be tracked here: https://bugs.launchpad.net/keystone/+bug/1073272
Once that's in there, then Horizon can switch to using the MD5 of the token instead of the full token.
It turns out that Keystone already supports handling PKI-signed tokens via the MD5 hash but only for the SQL token backend. The work to add it to the KVS token backend will be tracked here: https:/ /bugs.launchpad .net/keystone/ +bug/1073272
Once that's in there, then Horizon can switch to using the MD5 of the token instead of the full token.