diff --git a/keystoneclient/auth/identity/__init__.py b/keystoneclient/auth/identity/__init__.py
index e69de29bb..d2aca8f9d 100644
--- a/keystoneclient/auth/identity/__init__.py
+++ b/keystoneclient/auth/identity/__init__.py
@@ -0,0 +1,37 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from keystoneclient.auth.identity import base
+from keystoneclient.auth.identity import generic
+from keystoneclient.auth.identity import v2
+from keystoneclient.auth.identity import v3
+
+
+BaseIdentityPlugin = base.BaseIdentityPlugin
+
+V2Password = v2.Password
+V2Token = v2.Token
+
+V3Password = v3.Password
+V3Token = v3.Token
+
+Password = generic.Password
+Token = generic.Token
+
+
+__all__ = ['BaseIdentityPlugin',
+           'Password',
+           'Token',
+           'V2Password',
+           'V2Token',
+           'V3Password',
+           'V3Token']
diff --git a/keystoneclient/auth/identity/generic/base.py b/keystoneclient/auth/identity/generic/base.py
index 6d1550e03..7e148d2cb 100644
--- a/keystoneclient/auth/identity/generic/base.py
+++ b/keystoneclient/auth/identity/generic/base.py
@@ -17,8 +17,8 @@ from oslo_config import cfg
 import six
 import six.moves.urllib.parse as urlparse
 
+from keystoneclient import _discover
 from keystoneclient.auth.identity import base
-from keystoneclient import discover
 from keystoneclient import exceptions
 from keystoneclient.i18n import _, _LW
 
@@ -148,7 +148,7 @@ class BaseGenericPlugin(base.BaseIdentityPlugin):
             for data in disc_data:
                 version = data['version']
 
-                if (discover.version_match((2,), version) and
+                if (_discover.version_match((2,), version) and
                         self._has_domain_scope):
                     # NOTE(jamielennox): if there are domain parameters there
                     # is no point even trying against v2 APIs.
diff --git a/keystoneclient/auth/identity/generic/password.py b/keystoneclient/auth/identity/generic/password.py
index 36f8f505f..6790fe22c 100644
--- a/keystoneclient/auth/identity/generic/password.py
+++ b/keystoneclient/auth/identity/generic/password.py
@@ -14,10 +14,10 @@ import logging
 
 from oslo_config import cfg
 
+from keystoneclient import _discover
 from keystoneclient.auth.identity.generic import base
 from keystoneclient.auth.identity import v2
 from keystoneclient.auth.identity import v3
-from keystoneclient import discover
 from keystoneclient import utils
 
 LOG = logging.getLogger(__name__)
@@ -57,7 +57,7 @@ class Password(base.BaseGenericPlugin):
         self._user_domain_name = user_domain_name
 
     def create_plugin(self, session, version, url, raw_status=None):
-        if discover.version_match((2,), version):
+        if _discover.version_match((2,), version):
             if self._user_domain_id or self._user_domain_name:
                 # If you specify any domain parameters it won't work so quit.
                 return None
@@ -68,7 +68,7 @@ class Password(base.BaseGenericPlugin):
                                password=self._password,
                                **self._v2_params)
 
-        elif discover.version_match((3,), version):
+        elif _discover.version_match((3,), version):
             return v3.Password(auth_url=url,
                                user_id=self._user_id,
                                username=self._username,
diff --git a/keystoneclient/auth/identity/generic/token.py b/keystoneclient/auth/identity/generic/token.py
index 36df821ec..0fbacf042 100644
--- a/keystoneclient/auth/identity/generic/token.py
+++ b/keystoneclient/auth/identity/generic/token.py
@@ -14,10 +14,10 @@ import logging
 
 from oslo_config import cfg
 
+from keystoneclient import _discover
 from keystoneclient.auth.identity.generic import base
 from keystoneclient.auth.identity import v2
 from keystoneclient.auth.identity import v3
-from keystoneclient import discover
 
 LOG = logging.getLogger(__name__)
 
@@ -39,10 +39,10 @@ class Token(base.BaseGenericPlugin):
         self._token = token
 
     def create_plugin(self, session, version, url, raw_status=None):
-        if discover.version_match((2,), version):
+        if _discover.version_match((2,), version):
             return v2.Token(url, self._token, **self._v2_params)
 
-        elif discover.version_match((3,), version):
+        elif _discover.version_match((3,), version):
             return v3.Token(url, self._token, **self._v3_params)
 
     @classmethod
diff --git a/keystoneclient/tests/auth/test_identity_common.py b/keystoneclient/tests/auth/test_identity_common.py
index 9aea54820..e5b2528e7 100644
--- a/keystoneclient/tests/auth/test_identity_common.py
+++ b/keystoneclient/tests/auth/test_identity_common.py
@@ -19,8 +19,7 @@ import six
 
 from keystoneclient import access
 from keystoneclient.auth import base
-from keystoneclient.auth.identity import v2
-from keystoneclient.auth.identity import v3
+from keystoneclient.auth import identity
 from keystoneclient import fixture
 from keystoneclient import session
 from keystoneclient.tests import utils
@@ -268,7 +267,7 @@ class V3(CommonIdentityTests, utils.TestCase):
         kwargs.setdefault('auth_url', self.TEST_URL)
         kwargs.setdefault('username', self.TEST_USER)
         kwargs.setdefault('password', self.TEST_PASS)
-        return v3.Password(**kwargs)
+        return identity.V3Password(**kwargs)
 
 
 class V2(CommonIdentityTests, utils.TestCase):
@@ -281,7 +280,7 @@ class V2(CommonIdentityTests, utils.TestCase):
         kwargs.setdefault('auth_url', self.TEST_URL)
         kwargs.setdefault('username', self.TEST_USER)
         kwargs.setdefault('password', self.TEST_PASS)
-        return v2.Password(**kwargs)
+        return identity.V2Password(**kwargs)
 
     def get_auth_data(self, **kwargs):
         token = fixture.V2Token(**kwargs)
@@ -331,9 +330,9 @@ class CatalogHackTests(utils.TestCase):
                       base_url=self.V2_URL,
                       json=token)
 
-        v2_auth = v2.Password(self.V2_URL,
-                              username=uuid.uuid4().hex,
-                              password=uuid.uuid4().hex)
+        v2_auth = identity.V2Password(self.V2_URL,
+                                      username=uuid.uuid4().hex,
+                                      password=uuid.uuid4().hex)
 
         sess = session.Session(auth=v2_auth)
 
@@ -357,9 +356,9 @@ class CatalogHackTests(utils.TestCase):
 
         self.stub_url('GET', [], base_url=self.BASE_URL, status_code=404)
 
-        v2_auth = v2.Password(self.V2_URL,
-                              username=uuid.uuid4().hex,
-                              password=uuid.uuid4().hex)
+        v2_auth = identity.V2Password(self.V2_URL,
+                                      username=uuid.uuid4().hex,
+                                      password=uuid.uuid4().hex)
 
         sess = session.Session(auth=v2_auth)