Hi keystone folks,

I have had a chance to take a look at the patch below for allowing expired tokens, which was merged in Ocata:

https://specs.openstack.org/openstack/keystone-specs/specs/keystone/ocata/allow-expired.html

In our project, we also have a problem with token expiration when running Mistral workflows.

I have a concern: if this patch works as it does, does it mean that the token will now live forever ("forever" seems so sloppy, but it seems like the token no longer expires)? In this case, it does not seem good for security purposes.

Br,
Tuan/Nokia