Description of token configuration options

Configuration option = Default value	Description
[token]
bind =	(ListOpt) External auth mechanisms that should add bind information to token, e.g., kerberos,x509.
cache_time = None	(IntOpt) Time to cache tokens (in seconds). This has no effect unless global and token caching are enabled.
caching = True	(BoolOpt) Toggle for token system caching. This has no effect unless global caching is enabled.
driver = keystone.token.persistence.backends.sql.Token	(StrOpt) Token persistence backend driver.
enforce_token_bind = permissive	(StrOpt) Enforcement policy on tokens presented to Keystone with bind information. One of disabled, permissive, strict, required or a specifically required bind mode, e.g., kerberos or x509 to require binding to that authentication.
expiration = 3600	(IntOpt) Amount of time a token should remain valid (in seconds).
hash_algorithm = md5	(StrOpt) The hash algorithm to use for PKI tokens. This can be set to any algorithm that hashlib supports. WARNING: Before changing this value, the auth_token middleware must be configured with the hash_algorithms, otherwise token revocation will not be processed correctly.
provider = None	(StrOpt) Controls the token construction, validation, and revocation operations. Core providers are "keystone.token.providers.[pkiz|pki|uuid].Provider". The default provider is uuid.
revocation_cache_time = 3600	(IntOpt) Time to cache the revocation list and the revocation events if revoke extension is enabled (in seconds). This has no effect unless global and token caching are enabled.
revoke_by_id = True	(BoolOpt) Revoke token by token identifier. Setting revoke_by_id to true enables various forms of enumerating tokens, e.g. `list tokens for user`. These enumerations are processed to determine the list of tokens to revoke. Only disable if you are switching to using the Revoke extension with a backend other than KVS, which stores events in memory.