Description of token configuration options

Configuration option = Default value	Description
[token]
allow_rescope_scoped_token = True	(BoolOpt) Allow rescoping of scoped token. Setting allow_rescoped_scoped_token to false prevents a user from exchanging a scoped token for any other token.
bind =	(ListOpt) External auth mechanisms that should add bind information to token, e.g., kerberos,x509.
cache_time = None	(IntOpt) Time to cache tokens (in seconds). This has no effect unless global and token caching are enabled.
caching = True	(BoolOpt) Toggle for token system caching. This has no effect unless global caching is enabled.
driver = sql	(StrOpt) Entrypoint for the token persistence backend driver in the keystone.token.persistence namespace. Supplied drivers are kvs, memcache, memcache_pool, and sql.
enforce_token_bind = permissive	(StrOpt) Enforcement policy on tokens presented to Keystone with bind information. One of disabled, permissive, strict, required or a specifically required bind mode, e.g., kerberos or x509 to require binding to that authentication.
expiration = 3600	(IntOpt) Amount of time a token should remain valid (in seconds).
hash_algorithm = md5	(StrOpt) The hash algorithm to use for PKI tokens. This can be set to any algorithm that hashlib supports. WARNING: Before changing this value, the auth_token middleware must be configured with the hash_algorithms, otherwise token revocation will not be processed correctly.
provider = uuid	(StrOpt) Controls the token construction, validation, and revocation operations. Entrypoint in the keystone.token.provider namespace. Core providers are [fernet|pkiz|pki|uuid].
revoke_by_id = True	(BoolOpt) Revoke token by token identifier. Setting revoke_by_id to true enables various forms of enumerating tokens, e.g. `list tokens for user`. These enumerations are processed to determine the list of tokens to revoke. Only disable if you are switching to using the Revoke extension with a backend other than KVS, which stores events in memory.