diff --git a/keystone/common/controller.py b/keystone/common/controller.py
index bf0dfcb6c0..8672525f6e 100644
--- a/keystone/common/controller.py
+++ b/keystone/common/controller.py
@@ -728,6 +728,8 @@ class V3Controller(wsgi.Application):
 
         if token_ref.domain_scoped:
             return token_ref.domain_id
+        elif token_ref.project_scoped:
+            return token_ref.project_domain_id
         else:
             LOG.warning(
                 _LW('No domain information specified as part of list request'))
diff --git a/keystone/tests/unit/test_v3_identity.py b/keystone/tests/unit/test_v3_identity.py
index 4b8fe72c76..97342b3047 100644
--- a/keystone/tests/unit/test_v3_identity.py
+++ b/keystone/tests/unit/test_v3_identity.py
@@ -236,26 +236,42 @@ class IdentityTestCase(test_v3.RestfulTestCase):
         self.config_fixture.config(group='identity',
                                    domain_specific_drivers_enabled=True)
 
-        # Create a user with a role on the domain so we can get a
-        # domain scoped token
+        # Create a new domain with a new project and user
         domain = unit.new_domain_ref()
         self.resource_api.create_domain(domain['id'], domain)
+
+        project = unit.new_project_ref(domain_id=domain['id'])
+        self.resource_api.create_project(project['id'], project)
+
         user = unit.create_user(self.identity_api, domain_id=domain['id'])
+
+        # Create both project and domain role grants for the user so we
+        # can get both project and domain scoped tokens
         self.assignment_api.create_grant(
             role_id=self.role_id, user_id=user['id'],
             domain_id=domain['id'])
+        self.assignment_api.create_grant(
+            role_id=self.role_id, user_id=user['id'],
+            project_id=project['id'])
 
-        ref = unit.new_user_ref(domain_id=domain['id'])
-        ref_nd = ref.copy()
-        ref_nd.pop('domain_id')
-        auth = self.build_authentication_request(
+        dom_auth = self.build_authentication_request(
             user_id=user['id'],
             password=user['password'],
             domain_id=domain['id'])
+        project_auth = self.build_authentication_request(
+            user_id=user['id'],
+            password=user['password'],
+            project_id=project['id'])
 
         # First try using a domain scoped token
         resource_url = '/users'
-        r = self.get(resource_url, auth=auth)
+        r = self.get(resource_url, auth=dom_auth)
+        self.assertValidUserListResponse(r, ref=user,
+                                         resource_url=resource_url)
+
+        # Now try using a project scoped token
+        resource_url = '/users'
+        r = self.get(resource_url, auth=project_auth)
         self.assertValidUserListResponse(r, ref=user,
                                          resource_url=resource_url)
 
@@ -266,10 +282,6 @@ class IdentityTestCase(test_v3.RestfulTestCase):
         self.assertValidUserListResponse(r, ref=user,
                                          resource_url=resource_url)
 
-        # Now try the same thing without a domain token or filter,
-        # which should fail
-        r = self.get('/users', expected_status=exception.Unauthorized.code)
-
     def test_list_users_no_default_project(self):
         """Call ``GET /users`` making sure no default_project_id."""
         user = unit.new_user_ref(self.domain_id)