Comment 8 for bug 1347961

OK. I tried a test and I think this is legitimate and that tokens aren't getting expired.

To test this I modified the existing tempest test[1], to add a self.client.delete_token(token_id) right after the scoped token is revoked. This should revoke the unscoped token.

Then I changed the Keystone configuration so that it uses revocation events only, by setting revoke_by_id=false in keystone.conf

When running the test, the unscoped token IS NOT revoked. Looking at the debugger, after the revocations, the revocation event's self.revoke_map has ...'expires_at=2014-07-31 20:13:06'...

And the token data has 'expires_at': datetime.datetime(2014, 7, 31, 20, 13, 6, 126800). So is_revoked tries to match 'expires_at=2014-07-31 20:13:06.126800' against the revoke_map and it doesn't match because it's an exact match.

[1] http://git.openstack.org/cgit/openstack/tempest/tree/tempest/api/identity/admin/v3/test_tokens.py?id=973c6cd98e4b226bec2f1b40943afaa910e18047#n140

Essentially, revoking tokens individually doesn't work with mysql and revocation events.