Index: keystone-2012.1+stable~20120824-a16a0ab9/keystone/identity/core.py
===================================================================
--- keystone-2012.1+stable~20120824-a16a0ab9.orig/keystone/identity/core.py	2013-05-07 14:18:04.000000000 -0500
+++ keystone-2012.1+stable~20120824-a16a0ab9/keystone/identity/core.py	2013-05-07 14:18:04.000000000 -0500
@@ -427,6 +427,14 @@
             raise exception.UserNotFound(user_id=user_id)
 
         self.identity_api.delete_user(context, user_id)
+        try:
+            for token_id in self.token_api.list_tokens(context, user_id):
+                self.token_api.delete_token(context, token_id)
+        except exception.NotImplemented:
+            # The users status has been changed but tokens remain valid for
+            # backends that can't list tokens for users
+            LOG.warning('User %s status has changed, but existing tokens '
+                        'remain valid' % user_id)
 
     def set_user_enabled(self, context, user_id, user):
         return self.update_user(context, user_id, user)
Index: keystone-2012.1+stable~20120824-a16a0ab9/tests/test_keystoneclient.py
===================================================================
--- keystone-2012.1+stable~20120824-a16a0ab9.orig/tests/test_keystoneclient.py	2013-05-07 14:18:04.000000000 -0500
+++ keystone-2012.1+stable~20120824-a16a0ab9/tests/test_keystoneclient.py	2013-05-07 14:18:04.000000000 -0500
@@ -370,6 +370,30 @@
                           self.get_client,
                           self.user_foo)
 
+    def test_delete_user_invalidates_token(self):
+        from keystoneclient import exceptions as client_exceptions
+
+        admin_client = self.get_client(admin=True)
+        client = self.get_client(admin=False)
+
+        username = uuid.uuid4().hex
+        password = uuid.uuid4().hex
+        user_id = admin_client.users.create(
+            name=username, password=password, email=uuid.uuid4().hex).id
+
+        token_id = client.tokens.authenticate(
+            username=username, password=password).id
+
+        # token should be usable before the user is deleted
+        client.tokens.authenticate(token=token_id)
+
+        admin_client.users.delete(user=user_id)
+
+        # authenticate with a token should not work after the user is deleted
+        self.assertRaises(client_exceptions.Unauthorized,
+                          client.tokens.authenticate,
+                          token=token_id)
+
     def test_token_expiry_maintained(self):
         foo_client = self.get_client(self.user_foo)
         orig_token = foo_client.service_catalog.catalog['token']