diff --git a/etc/nova/nova.conf.sample b/etc/nova/nova.conf.sample
index 2088a2ace7ef..d62e5d37174f 100644
--- a/etc/nova/nova.conf.sample
+++ b/etc/nova/nova.conf.sample
@@ -3355,3 +3355,36 @@
 #keymap=en-us
 
 
+[keystone_authtoken]
+
+#
+# Options defined in keystoneclient's authtoken middleware
+#
+
+# Host providing the admin Identity API endpoint
+auth_host = 127.0.0.1
+
+# Port of the admin Identity API endpoint
+auth_port = 35357
+
+# Protocol of the admin Identity API endpoint
+auth_protocol = http
+
+# Keystone service account tenant name to validate user tokens
+admin_tenant_name = %SERVICE_TENANT_NAME%
+
+# Keystone account username
+admin_user = %SERVICE_USER%
+
+# Keystone account password
+admin_password = %SERVICE_PASSWORD%
+
+# Directory used to cache files related to PKI tokens
+# signing_dir is configurable, but the default behavior of the authtoken
+# middleware should be sufficient.  It will create a temporary directory
+# in the home directory for the user the nova process is running as.
+#signing_dir = /var/lib/nova/keystone-signing
+
+# API version of the admin Identity API endpoint
+# Workaround for https://bugs.launchpad.net/nova/+bug/1154809
+auth_version = v2.0
diff --git a/tools/config/generate_sample.sh b/tools/config/generate_sample.sh
index 807883e1f2ac..5787bc9d4fba 100755
--- a/tools/config/generate_sample.sh
+++ b/tools/config/generate_sample.sh
@@ -85,3 +85,8 @@ OS_VARS=$(set | sed -n '/^OS_/s/=[^=]*$//gp' | xargs)
 MODULEPATH=nova.openstack.common.config.generator
 OUTPUTFILE=$OUTPUTDIR/$PACKAGENAME.conf.sample
 python -m $MODULEPATH $FILES > $OUTPUTFILE
+
+# Hook to allow projects to specify custom config file snippets
+for CONCAT_FILE in $BASEDIR/tools/config/*.conf.sample; do
+    cat $CONCAT_FILE >> $OUTPUTFILE
+done
diff --git a/tools/config/keystone_authtoken.conf.sample b/tools/config/keystone_authtoken.conf.sample
new file mode 100644
index 000000000000..b8388647d5e9
--- /dev/null
+++ b/tools/config/keystone_authtoken.conf.sample
@@ -0,0 +1,33 @@
+[keystone_authtoken]
+
+#
+# Options defined in keystoneclient's authtoken middleware
+#
+
+# Host providing the admin Identity API endpoint
+auth_host = 127.0.0.1
+
+# Port of the admin Identity API endpoint
+auth_port = 35357
+
+# Protocol of the admin Identity API endpoint
+auth_protocol = http
+
+# Keystone service account tenant name to validate user tokens
+admin_tenant_name = %SERVICE_TENANT_NAME%
+
+# Keystone account username
+admin_user = %SERVICE_USER%
+
+# Keystone account password
+admin_password = %SERVICE_PASSWORD%
+
+# Directory used to cache files related to PKI tokens
+# signing_dir is configurable, but the default behavior of the authtoken
+# middleware should be sufficient.  It will create a temporary directory
+# in the home directory for the user the nova process is running as.
+#signing_dir = /var/lib/nova/keystone-signing
+
+# API version of the admin Identity API endpoint
+# Workaround for https://bugs.launchpad.net/nova/+bug/1154809
+auth_version = v2.0