Comment 16 for bug 861854

Joe Savak (jsavak) wrote :

Ziad was able to find a solution that preserves backwards compatibility.

Solution adds the following call in an extension:

GET v2.0/OS-KSVALIDATE/token/validate
     Passing in a header with X-Subject-Token (ex: T1000)
     Also passing in the X-Auth-Token (service token)

In the background this maps to v2.0/tokens/T1000

This has the benefit of not changing or breaking the core API. It's backwards compatible. In the middleware now, you can query the server to see if it supports the OS-KSVALIDATE extension and use this more secure call instead of the core call.

You can make this call with any of the token core APIs

Ex:
GET v2.0/OS-KSVALIDATE/token/endpoints maps to GET v2.0/tokens/{tokenID}/endpoints

Notes on the solution:

Maybe need option to disable core v2.0/tokens (503?)

Logging also needed with message to indicate to devops to use OS-KSVALIDATE extension call.

Documentation changes may also help make devops aware.

May also need VARY header (X-SUBJECT-TOKEN, X-AUTH-TOKEN)
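An added example (not Keystone's own code or Ziad's patch) of the header-to-path mapping the comment describes: the extension request carries the subject token in X-Subject-Token, the service token in X-Auth-Token, and is rewritten to the core `/v2.0/tokens/{id}` path with a Vary header on the response. The `headers` dict, `ExtensionError` and the token-ID character check are assumptions of this example.

```python
import re

EXT_PREFIX = "/v2.0/OS-KSVALIDATE/token"   # extension path from the comment
CORE_PREFIX = "/v2.0/tokens"               # core path it maps onto
VARY = "X-Subject-Token, X-Auth-Token"     # response depends on both headers
# Assumption: token IDs are opaque identifiers made of these characters.
# Anything else cannot be placed safely in a path segment, so reject it.
TOKEN_ID_RE = re.compile(r"^[A-Za-z0-9_\-]+$")
# Sub-resources the extension mirrors from the core token API.
CORE_SUFFIXES = {"/validate": "", "/endpoints": "/endpoints"}


class ExtensionError(Exception):
    """Hypothetical error type carrying the HTTP status to return."""

    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


def map_ksvalidate(path, headers):
    """Translate an OS-KSVALIDATE request into the equivalent core path.

    Returns (core_path, response_headers). Because the subject token only
    travels in a header, a proxy or access log that records the request URL
    never captures it; the core path built here is for internal dispatch.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if not path.startswith(EXT_PREFIX):
        raise ExtensionError(404, "not an OS-KSVALIDATE request")
    suffix = CORE_SUFFIXES.get(path[len(EXT_PREFIX):])
    if suffix is None:
        raise ExtensionError(404, "unknown OS-KSVALIDATE sub-resource")
    if not hdrs.get("x-auth-token"):
        raise ExtensionError(401, "X-Auth-Token (service token) required")
    subject = hdrs.get("x-subject-token", "")
    if not TOKEN_ID_RE.match(subject):
        raise ExtensionError(400, "X-Subject-Token missing or malformed")
    return f"{CORE_PREFIX}/{subject}{suffix}", {"Vary": VARY}


if __name__ == "__main__":
    # Constructed sample request using the comment's example token T1000.
    print(map_ksvalidate(f"{EXT_PREFIX}/validate",
                         {"X-Subject-Token": "T1000", "X-Auth-Token": "svc-token"}))
```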