diff --git a/README.md b/README.md
index 35e80623c..c845cd3fa 100644
--- a/README.md
+++ b/README.md
@@ -36,6 +36,7 @@ scenario](#All-In-One).
 | ssl | yes | yes | yes | no |
 | ipv6 | centos7 | centos7 | centos7 | no |
 | keystone | X | X | X | X |
+| tokens | uuid | uuid | fernet | uuid |
 | glance | rbd | swift | file | file |
 | nova | rbd | X | X | X |
 | neutron | ovs | ovs | linuxbridge | ovs |
diff --git a/fixtures/scenario003.pp b/fixtures/scenario003.pp
index 08a659b2e..30ddc0f0e 100644
--- a/fixtures/scenario003.pp
+++ b/fixtures/scenario003.pp
@@ -38,7 +38,9 @@ class { '::openstack_integration::config':
 include ::openstack_integration::cacert
 include ::openstack_integration::rabbitmq
 include ::openstack_integration::mysql
-include ::openstack_integration::keystone
+class { '::openstack_integration::keystone':
+ token_provider => 'fernet',
+}
 include ::openstack_integration::glance
 class { '::openstack_integration::neutron':
 driver => 'linuxbridge',
diff --git a/manifests/keystone.pp b/manifests/keystone.pp
index 2a268ca39..4a4164ba2 100644
--- a/manifests/keystone.pp
+++ b/manifests/keystone.pp
@@ -11,9 +11,14 @@
 # and the associated configuration in keystone.conf is set up right.
 # Defaults to false
 #
+# [*token_provider*]
+# (optional) Define the token provider to use.
+# Default to 'uuid'.
+#
 class openstack_integration::keystone (
 $default_domain = undef,
 $using_domain_config = false,
+ $token_provider = 'uuid',
 ) {
 include ::openstack_integration::config
@@ -27,6 +32,12 @@ class openstack_integration::keystone ( Exec['update-ca-certificates'] ~> Service['httpd'] } + if $token_provider == 'fernet' { + $enable_fernet_setup = true + } else { + $enable_fernet_setup = false + } + class { '::keystone::client': } class { '::keystone::cron::token_flush': } class { '::keystone::db::mysql':
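Review bot: The new `[*token_provider*]` doc block in manifests/keystone.pp (hunk `@@ -11,9 +11,14 @@`) does not say which values are accepted, although the class body only special-cases 'fernet'. I would write it as `#   (optional) Token provider to use, 'uuid' or 'fernet'.` followed by `#   Defaults to 'uuid'.`, which also matches the "Defaults to" wording used for the parameter documented just above. The class body continues outside this hunk.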
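Review bot: `$token_provider` reaches the `if $token_provider == 'fernet'` test in manifests/keystone.pp (hunk `@@ -27,6 +32,12 @@`) without being validated, and the same unchecked value is handed to `::keystone` in hunk `@@ -45,6 +56,8 @@`. Puppet's `==` compares strings case-insensitively, so 'Fernet' would enable fernet setup while the raw string is still passed through, and any misspelling silently takes the else branch with fernet setup disabled. A guard before the conditional, for example `validate_re($token_provider, '^(uuid|fernet)$')` if puppetlabs-stdlib is available to this module, would make a bad value fail at catalog compilation instead. The class body starts and ends outside this hunk.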
@@ -45,6 +56,8 @@ class openstack_integration::keystone (
 public_bind_host => $::openstack_integration::config::host,
 admin_bind_host => $::openstack_integration::config::host,
 manage_policyrcd => true,
+ token_provider => $token_provider,
+ enable_fernet_setup => $enable_fernet_setup,
 }
 include ::apache
 class { '::keystone::wsgi::apache':
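Review bot: Nothing next to `enable_fernet_setup => $enable_fernet_setup` records what the flag implies for key handling. Fernet keys sign and encrypt every token, and this flag presumably makes `::keystone` generate the key repository on the node itself, which suits a single-node test scenario but not a deployment where keys must be shared between nodes and rotated. A comment above the two new parameters such as `# fernet keys are generated locally; integration testing only, no key distribution or rotation` would make that limit explicit. The enclosing resource declaration starts outside this hunk.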