OK, I have uploaded a different review (https://review.openstack.org/#/c/16230/) which uses an alternate approach: it places the verification response into the WSGI environment, in the "keystone.token_info" variable. This is substantially simpler than my original approach and allows me to get to the information I need… -- Kevin L. Mitchell <kevin.mitchell at rackspace.com>