This particular issue has a simple solution and I proposed a fix to keystone client - https://review.openstack.org/#/c/78241/

With such a fix we won't have to choose between cache efficiency and security for the cost of some additional computation.

--
https://bugs.launchpad.net/bugs/1287301

Title:
  Keystone client token cache doesn't respect revoked tokens

Status in OpenStack Security Advisories:
  Invalid
Status in Python client library for Keystone:
  In Progress

Bug description:
  If we enable caching for keystoneclient tokens we'll be able to use tokens that are already revoked if they are present in cache:

  https://github.com/openstack/python-keystoneclient/blob/0.6.0/keystoneclient/middleware/auth_token.py#L831
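
An added illustration of the behaviour the bug report describes, not keystoneclient's code and not the change proposed in the linked review: a toy token cache in which a revoked token is still accepted on a cache hit, beside the same cache consulting a revocation list on every hit. The class, the function names and the revocation-set callback are assumptions made for this example.

```python
import hashlib
import time


class TokenCache:
    """Toy validated-token cache keyed by token hash (constructed for illustration)."""

    def __init__(self, validate, fetch_revoked, check_revocation_on_hit, ttl=300):
        self._validate = validate              # slow path: full token validation
        self._fetch_revoked = fetch_revoked    # returns a set of revoked token hashes
        self._check_on_hit = check_revocation_on_hit
        self._ttl = ttl
        self._entries = {}                     # token hash -> (token data, expiry time)

    @staticmethod
    def key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def get(self, token):
        key = self.key(token)
        entry = self._entries.get(key)
        if entry and entry[1] > time.time():
            # Cache hit. Without this check a revoked token works until the entry expires.
            if self._check_on_hit and key in self._fetch_revoked():
                del self._entries[key]
                raise PermissionError("token revoked")
            return entry[0]
        # Cache miss: check revocation, then validate and store the result.
        if key in self._fetch_revoked():
            raise PermissionError("token revoked")
        data = self._validate(token)
        self._entries[key] = (data, time.time() + self._ttl)
        return data


def demo(check_revocation_on_hit):
    """Validate a token, revoke it, reuse it; report whether the reuse was accepted."""
    revoked = set()
    cache = TokenCache(
        validate=lambda t: {"user": "alice"},  # constructed stand-in for real validation
        fetch_revoked=lambda: revoked,
        check_revocation_on_hit=check_revocation_on_hit,
    )
    token = "constructed-sample-token"
    cache.get(token)                           # first use populates the cache
    revoked.add(TokenCache.key(token))         # token is revoked after being cached
    try:
        cache.get(token)
        return "accepted"
    except PermissionError:
        return "rejected"
```

The set membership test on each hit is the additional computation; the expensive validation call is still skipped for tokens that remain valid.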