diff --git a/keystonemiddleware/auth_token.py b/keystonemiddleware/auth_token.py
index ce604020..f06a7c4b 100644
--- a/keystonemiddleware/auth_token.py
+++ b/keystonemiddleware/auth_token.py
@@ -424,6 +424,27 @@ def _safe_quote(s):
     return urllib.parse.quote(s) if s == urllib.parse.unquote(s) else s
 
 
+def _conf_values_type_convert(conf):
+    """Convert conf values into correct type."""
+    if not conf:
+        return {}
+    opts = {}
+    opt_types = dict((o.dest, o.type) for o in _OPTS)
+    for k, v in six.iteritems(conf):
+        try:
+            if v is None:
+                opts[k] = v
+            else:
+                opts[k] = opt_types[k](v)
+        except KeyError:
+            opts[k] = v
+        except ValueError as e:
+            raise ConfigurationError(
+                'Unable to convert the value of %s option into correct '
+                'type: %s' % (k, e))
+    return opts
+
+
 class InvalidUserToken(Exception):
     pass
 
@@ -459,7 +480,10 @@ class AuthProtocol(object):
     def __init__(self, app, conf):
         self._LOG = logging.getLogger(conf.get('log_name', __name__))
         self._LOG.info('Starting keystone auth_token middleware')
-        self._conf = conf
+        # NOTE(wanghong): If options are set in paste file, all the option
+        # values passed into conf are string type. So, we should convert the
+        # conf value into correct type.
+        self._conf = _conf_values_type_convert(conf)
         self._app = app
 
         # delay_auth_decision means we still allow unauthenticated requests
diff --git a/keystonemiddleware/tests/test_auth_token_middleware.py b/keystonemiddleware/tests/test_auth_token_middleware.py
index e2dff21c..bb1c0a51 100644
--- a/keystonemiddleware/tests/test_auth_token_middleware.py
+++ b/keystonemiddleware/tests/test_auth_token_middleware.py
@@ -531,6 +531,29 @@ class GeneralAuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
         self.assertEqual(middleware._token_revocation_list_cache_timeout,
                          datetime.timedelta(seconds=24))
 
+    def test_conf_values_type_convert(self):
+        conf = {
+            'revocation_cache_time': '24',
+            'identity_uri': 'https://keystone.example.com:1234',
+            'include_service_catalog': '0',
+            'nonexsit_option': '0',
+        }
+
+        middleware = auth_token.AuthProtocol(self.fake_app, conf)
+        self.assertEqual(datetime.timedelta(seconds=24),
+                         middleware._token_revocation_list_cache_timeout)
+        self.assertEqual(False, middleware._include_service_catalog)
+        self.assertEqual('https://keystone.example.com:1234',
+                         middleware._identity_uri)
+        self.assertEqual('0', middleware._conf['nonexsit_option'])
+
+    def test_conf_values_type_convert_with_wrong_value(self):
+        conf = {
+            'include_service_catalog': '123',
+        }
+        self.assertRaises(auth_token.ConfigurationError,
+                          auth_token.AuthProtocol, self.fake_app, conf)
+
 
 class CommonAuthTokenMiddlewareTest(object):
     """These tests are run once using v2 tokens and again using v3 tokens."""