The keystone server doesn't send the tdata hash in the revocation list, only the full token hash, so that would be a change to keystone. Then auth_token middleware would have to change to hash the tdata and check that, too. If we were going to do that, then maybe it would be easier to switch to revocation by audit IDs instead.
I'll try implementing the extra field checks in auth_token. Shouldn't be too difficult.
And I agree that we should have a fix for stable branches since they're supported.