diff --git a/heat/common/heat_keystoneclient.py b/heat/common/heat_keystoneclient.py
index 30be87208d..d1ba906c6d 100644
--- a/heat/common/heat_keystoneclient.py
+++ b/heat/common/heat_keystoneclient.py
@@ -322,23 +322,13 @@ class KeystoneClientV3(object):
         # catalog (the token is expected to be used inside an instance
         # where a specific endpoint will be specified, and user-data
         # space is limited..)
-        # Note we do this directly via a post as there's currently
-        # no way to get a nocatalog token via keystoneclient
-        token_url = "%s/auth/tokens?nocatalog" % self.v3_endpoint
-        headers = {'Accept': 'application/json'}
-        if self._stack_domain_id:
-            domain = {'id': self._stack_domain_id}
-        else:
-            domain = {'name': self.stack_domain_name}
-        body = {'auth': {'scope':
-                         {'project': {'id': project_id}},
-                         'identity': {'password': {'user': {
-                             'domain': domain,
-                             'password': password, 'id': user_id}},
-                             'methods': ['password']}}}
-        t = self.session.post(token_url, headers=headers,
-                              json=body, authenticated=False)
-        return t.headers['X-Subject-Token']
+        auth = kc_auth_v3.Password(auth_url=self.v3_endpoint,
+                                   user_id=user_id,
+                                   password=password,
+                                   project_id=project_id,
+                                   include_catalog=False)
+
+        return auth.get_token(self.session)
 
     def create_stack_domain_user(self, username, project_id, password=None):
         """Create a domain user defined as part of a stack.
diff --git a/heat/tests/test_heatclient.py b/heat/tests/test_heatclient.py
index 358f4884c5..e66b589e2f 100644
--- a/heat/tests/test_heatclient.py
+++ b/heat/tests/test_heatclient.py
@@ -1339,23 +1339,26 @@ class KeystoneClientTest(common.HeatTestCase):
 
     def test_stack_domain_user_token(self):
         """Test stack_domain_user_token function."""
-        dummysession = self.m.CreateMockAnything()
-        dummyresp = self.m.CreateMockAnything()
-        dummyresp.headers = {'X-Subject-Token': 'dummytoken'}
-        dummysession.post('http://server.test:5000/v3/auth/tokens?nocatalog',
-                          authenticated=False,
-                          headers={'Accept': 'application/json'},
-                          json=mox.IgnoreArg()).AndReturn(dummyresp)
-        self.m.StubOutWithMock(ks_session, 'Session')
-        ks_session.Session.construct(mox.IsA(dict)).AndReturn(dummysession)
+        dum_tok = 'dummytoken'
+        mock_ks_auth = self.m.CreateMockAnything()
+        mock_ks_auth.get_token(mox.IsA(ks_session.Session)).AndReturn(dum_tok)
+
+        m = ks_auth_v3.Password(auth_url='http://server.test:5000/v3',
+                                password='apassw',
+                                project_id='aproject',
+                                user_id='duser',
+                                include_catalog=False)
+        m.AndReturn(mock_ks_auth)
+
         self.m.ReplayAll()
 
         ctx = utils.dummy_context()
         ctx.trust_id = None
         heat_ks_client = heat_keystoneclient.KeystoneClient(ctx)
-        token = heat_ks_client.stack_domain_user_token(
-            user_id='duser', project_id='aproject', password='apassw')
-        self.assertEqual('dummytoken', token)
+        token = heat_ks_client.stack_domain_user_token(user_id='duser',
+                                                       project_id='aproject',
+                                                       password='apassw')
+        self.assertEqual(dum_tok, token)
 
     def test_stack_domain_user_token_err_nodomain(self):
         """Test stack_domain_user_token error path."""