diff --git a/lib/puppet/provider/trove.rb b/lib/puppet/provider/trove.rb
index 4a53bbad..96132c46 100644
--- a/lib/puppet/provider/trove.rb
+++ b/lib/puppet/provider/trove.rb
@@ -26,8 +26,7 @@ class Puppet::Provider::Trove < Puppet::Provider
   end
 
   def self.get_trove_credentials
-    auth_keys = ['auth_host', 'auth_port', 'auth_protocol',
-                 'admin_tenant_name', 'admin_user', 'admin_password']
+    auth_keys = ['auth_uri', 'project_name', 'username', 'password']
     conf = trove_conf
     if conf and conf['keystone_authtoken'] and
         auth_keys.all?{|k| !conf['keystone_authtoken'][k].nil?}
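Review bot: The new `auth_keys` list on the `+` line requires only `auth_uri`, `project_name`, `username` and `password`, yet the same commit adds `user_domain_name` and `project_domain_name` to the `keystone_authtoken` section. The `auth_trove` hunk further down builds the client environment from the same four keys. If the deployment uses a non-default domain, the provider may authenticate against the wrong scope or fail with an unhelpful error. Consider reading the two domain keys when present and exporting them too, e.g. `:OS_USER_DOMAIN_NAME => q['user_domain_name']` and `:OS_PROJECT_DOMAIN_NAME => q['project_domain_name']`, and add a comment above `auth_keys` saying which keys are mandatory and which are optional. The body of `get_trove_credentials` continues outside this hunk.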
@@ -44,15 +43,6 @@ correctly configured.")
     self.class.trove_credentials
   end
 
-  def self.auth_endpoint
-    @auth_endpoint ||= get_auth_endpoint
-  end
-
-  def self.get_auth_endpoint
-    q = trove_credentials
-    "#{q['auth_protocol']}://#{q['auth_host']}:#{q['auth_port']}/v2.0/"
-  end
-
   def self.trove_conf
     return @trove_conf if @trove_conf
     @trove_conf = Puppet::Util::IniConfig::File.new
@@ -63,10 +53,10 @@ correctly configured.")
   def self.auth_trove(*args)
     q = trove_credentials
     authenv = {
-      :OS_AUTH_URL    => self.auth_endpoint,
-      :OS_USERNAME    => q['admin_user'],
-      :OS_TENANT_NAME => q['admin_tenant_name'],
-      :OS_PASSWORD    => q['admin_password']
+      :OS_AUTH_URL    => q['auth_uri'],
+      :OS_USERNAME    => q['username'],
+      :OS_PROJECT_NAME => q['project_name'],
+      :OS_PASSWORD    => q['password']
     }
     begin
       withenv authenv do
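Review bot: `:OS_AUTH_URL => q['auth_uri']` now uses the configured value verbatim, whereas the removed `get_auth_endpoint` always produced a URL ending in `/v2.0/`. The default added in `manifests/keystone/authtoken.pp` is the versionless, plain-HTTP `http://localhost:5000`, so `OS_PASSWORD` is sent to that endpoint unencrypted unless the operator overrides it. A short comment above `authenv`, such as `# auth_uri is used as-is; it should be an https:// Identity endpoint the trove client can negotiate a version against`, would make the expectation explicit. As a style point, `:OS_PROJECT_NAME =>` breaks the column alignment of the other three keys. `auth_trove` continues past the end of this hunk.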
diff --git a/manifests/api.pp b/manifests/api.pp
index 2cfd560d..26964cfb 100644
--- a/manifests/api.pp
+++ b/manifests/api.pp
@@ -29,9 +29,6 @@
 #   (optional) Whether the trove api package will be installed
 #   Defaults to 'present'
 #
-# [*keystone_password*]
-#   (required) Password used to authentication.
-#
 # [*debug*]
 #   (optional) Rather to log the trove api service at debug level.
 #   Defaults to undef
@@ -74,23 +71,6 @@
 #   (optional) Number of trove API worker processes to start
 #   Default: $::processorcount
 #
-# [*auth_uri*]
-#   (Optional) Complete public Identity API endpoint.
-#   Defaults to false.
-#
-# [*identity_uri*]
-#   (Optional) Complete admin Identity API endpoint.
-#   This should specify the unversioned root endpoint.
-#   Defaults to false.
-#
-# [*keystone_tenant*]
-#   (optional) Tenant to authenticate to.
-#   Defaults to services.
-#
-# [*keystone_user*]
-#   (optional) User to authenticate as with keystone.
-#   Defaults to 'trove'.
-#
 # [*enabled*]
 #   (optional) Whether to enable services.
 #   Defaults to true.
@@ -132,66 +112,72 @@
 #   (optional) Default rate limit of mgmt post request.
 #   Defaults to 200.
 #
+# [*auth_strategy*]
+#   (optional) The strategy to use for authentication.
+#   Defaults to 'keystone'
+#
 # == DEPRECATED PARAMETERS
 #
-# [*auth_host*]
-#   (optional) DEPRECATED: Use identity_uri instead.
-#   Host running auth service.
-#   Defaults to '127.0.0.1.
+# [*keystone_tenant*]
+#   (optional) Deprecated. Use trove::keystone::authtoken::project_name instead.
+#   Defaults to undef.
 #
-# [*auth_port*]
-#   (optional) DEPRECATED: Use identity_uri instead.
-#   Port to use for auth service on auth_host.
-#   Defaults to '35357'.
+# [*keystone_user*]
+#   (optional) Deprecated. Use trove::keystone::authtoken::username instead.
+#   Defaults to undef.
 #
-# [*auth_protocol*]
-#   (optional) DEPRECATED: Use identity_uri instead.
-#   Protocol to use for auth.
-#   Defaults to 'http'.
+# [*keystone_password*]
+#   (optional) Deprecated. Use trove::keystone::authtoken::password instead.
+#   Defaults to undef.
 #
-# [*auth_url*]
-#   (optional) DEPRECATED: Use auth_uri instead.
-#   Authentication URL.
-#   Defaults to 'http://localhost:5000/v2.0'.
+# [*identity_uri*]
+#   (optional) Deprecated. Use trove::keystone::authtoken::auth_url instead.
+#   Defaults to undef.
+#
+# [*auth_uri*]
+#   (Optional) Deprecated. Use trove::keystone::authtoken::auth_uri instead.
+#   Defaults to undef.
 #
 # [*verbose*]
 #   (optional) Deprecated. Rather to log the trove api service at verbose level.
 #   Defaults to undef
 #
+# [*auth_url*]
+#   (optional) Deprecated. Use trove::keystone::authtoken::auth_url instead.
+#   Defaults to undef
+#
 class trove::api(
-  $keystone_password,
-  $debug                        = undef,
-  $log_file                     = undef,
-  $log_dir                      = undef,
-  $use_syslog                   = undef,
-  $use_stderr                   = undef,
-  $log_facility                 = undef,
-  $bind_host                    = '0.0.0.0',
-  $bind_port                    = '8779',
-  $backlog                      = '4096',
-  $workers                      = $::processorcount,
-  $auth_uri                     = false,
-  $identity_uri                 = false,
-  $keystone_tenant              = 'services',
-  $keystone_user                = 'trove',
-  $enabled                      = true,
-  $purge_config                 = false,
-  $cert_file                    = false,
-  $key_file                     = false,
-  $ca_file                      = false,
-  $http_get_rate                = 200,
-  $http_post_rate               = 200,
-  $http_put_rate                = 200,
-  $http_delete_rate             = 200,
-  $http_mgmt_post_rate          = 200,
-  $manage_service               = true,
-  $ensure_package               = 'present',
+  $debug                          = undef,
+  $log_file                       = undef,
+  $log_dir                        = undef,
+  $use_syslog                     = undef,
+  $use_stderr                     = undef,
+  $log_facility                   = undef,
+  $bind_host                      = '0.0.0.0',
+  $bind_port                      = '8779',
+  $backlog                        = '4096',
+  $workers                        = $::processorcount,
+  $enabled                        = true,
+  $purge_config                   = false,
+  $cert_file                      = false,
+  $key_file                       = false,
+  $ca_file                        = false,
+  $http_get_rate                  = 200,
+  $http_post_rate                 = 200,
+  $http_put_rate                  = 200,
+  $http_delete_rate               = 200,
+  $http_mgmt_post_rate            = 200,
+  $manage_service                 = true,
+  $ensure_package                 = 'present',
+  $auth_strategy                  = 'keystone',
   # DEPRECATED PARAMETERS
-  $auth_host                    = '127.0.0.1',
-  $auth_url                     = 'http://localhost:5000/v2.0',
-  $auth_port                    = '35357',
-  $auth_protocol                = 'http',
-  $verbose                      = undef,
+  $keystone_password              = undef,
+  $keystone_tenant                = undef,
+  $keystone_user                  = undef,
+  $identity_uri                   = undef,
+  $auth_uri                       = undef,
+  $verbose                        = undef,
+  $auth_url                       = undef,
 ) inherits trove {
 
   include ::trove::deps
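Review bot: `$auth_host`, `$auth_port` and `$auth_protocol` are removed from the parameter list outright, while `$auth_url` is kept as a deprecated `undef` parameter. A manifest or Hiera data set that still passes any of the three will therefore fail catalog compilation after the upgrade instead of getting a warning. The release note in this commit lists only deprecations and does not mention the removal. Either keep them for one cycle as `$auth_host = undef,` (and likewise for the other two) with a `warning()` that they have no effect, or add an upgrade entry to the release note. Separately, `$keystone_password` changes from a required parameter to an optional deprecated one, which is worth stating in the header comment so readers know the password is now validated in `trove::keystone::authtoken`.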
@@ -200,10 +186,34 @@ class trove::api(
   include ::trove::logging
   include ::trove::params
 
+  if $keystone_password {
+    warning('keystone_password is deprecated, use trove::keystone::authtoken::password instead.')
+  }
+
+  if $keystone_tenant {
+    warning('keystone_password is deprecated, use trove::keystone::authtoken::project_name instead.')
+  }
+
+  if $keystone_user {
+    warning('keystone_password is deprecated, use trove::keystone::authtoken::username instead.')
+  }
+
+  if $identity_uri {
+    warning('keystone_password is deprecated, use trove::keystone::authtoken::auth_url instead.')
+  }
+
+  if $auth_uri {
+    warning('keystone_password is deprecated, use trove::keystone::authtoken::auth_uri instead.')
+  }
+
   if $verbose {
     warning('verbose is deprecated, has no effect and will be removed after Newton cycle.')
   }
 
+  if $auth_url {
+    warning('auth_url is deprecated, use trove::keystone::authtoken::auth_url instead.')
+  }
+
   # basic service config
   trove_config {
     'DEFAULT/bind_host':                    value => $bind_host;
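Review bot: Four of the new deprecation warnings name the wrong parameter: the blocks for `$keystone_tenant`, `$keystone_user`, `$identity_uri` and `$auth_uri` all print `keystone_password is deprecated, ...`. An operator who sets only `keystone_user` is therefore told that a password parameter is in use, which is misleading when auditing how credentials are supplied. Each message should name its own parameter, e.g. `warning('keystone_tenant is deprecated, use trove::keystone::authtoken::project_name instead.')`, and likewise for `keystone_user`, `identity_uri` and `auth_uri`.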
@@ -220,71 +230,12 @@ class trove::api(
     control_exchange => $::trove::control_exchange
   }
 
-  if $identity_uri {
-    trove_config { 'keystone_authtoken/identity_uri': value => $identity_uri; }
-  } else {
-    trove_config { 'keystone_authtoken/identity_uri': ensure => absent; }
-  }
+  if $auth_strategy == 'keystone' {
+    include ::trove::keystone::authtoken
 
-  if $auth_uri {
     trove_config {
-      'DEFAULT/trove_auth_url'      : value => $auth_uri;
-      'keystone_authtoken/auth_uri' : value => $auth_uri;
+      'DEFAULT/trove_auth_url' : value => pick($auth_uri,$::trove::keystone::authtoken::auth_uri);
     }
-  } else {
-    if $auth_url {
-      warning('The auth_url parameter is deprecated. Please use auth_uri instead.')
-      trove_config {
-        'DEFAULT/trove_auth_url'      : value => $auth_url;
-        'keystone_authtoken/auth_uri' : value => $auth_url;
-      }
-    } else {
-      $auth_uri_real = "${auth_protocol}://${auth_host}:5000/v2.0"
-      warning('In a next release, auth_uri will be default to version-less keystone endpoint.')
-      trove_config {
-        'DEFAULT/trove_auth_url'      : value => $auth_uri_real;
-        'keystone_authtoken/auth_uri' : value => $auth_uri_real;
-      }
-    }
-  }
-
-
-  # if both auth_uri and identity_uri are set we skip these deprecated settings entirely
-  if !$auth_uri or !$identity_uri {
-
-    if $auth_host {
-      warning('The auth_host parameter is deprecated. Please use auth_uri and identity_uri instead.')
-      trove_config { 'keystone_authtoken/auth_host': value => $auth_host; }
-    } else {
-      trove_config { 'keystone_authtoken/auth_host': ensure => absent; }
-    }
-
-    if $auth_port {
-      warning('The auth_port parameter is deprecated. Please use auth_uri and identity_uri instead.')
-      trove_config { 'keystone_authtoken/auth_port': value => $auth_port; }
-    } else {
-      trove_config { 'keystone_authtoken/auth_port': ensure => absent; }
-    }
-
-    if $auth_protocol {
-      warning('The auth_protocol parameter is deprecated. Please use auth_uri and identity_uri instead.')
-      trove_config { 'keystone_authtoken/auth_protocol': value => $auth_protocol; }
-    } else {
-      trove_config { 'keystone_authtoken/auth_protocol': ensure => absent; }
-    }
-
-  } else {
-    trove_config {
-      'keystone_authtoken/auth_host'         : ensure => absent;
-      'keystone_authtoken/auth_port'         : ensure => absent;
-      'keystone_authtoken/auth_protocol'     : ensure => absent;
-    }
-  }
-
-  trove_config {
-    'keystone_authtoken/admin_tenant_name': value => $keystone_tenant;
-    'keystone_authtoken/admin_user':        value => $keystone_user;
-    'keystone_authtoken/admin_password':    value => $keystone_password, secret => true;
   }
 
   # SSL Options
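Review bot: The removed code managed `keystone_authtoken/admin_password`, `admin_user` and `admin_tenant_name`, and set `identity_uri`, `auth_host`, `auth_port` and `auth_protocol` to `ensure => absent` when unused. The new `if $auth_strategy == 'keystone'` block touches none of them. On an upgraded node the old `admin_password` line would stay in the config file unless `purge_config` is true or `keystone::resource::authtoken` (not visible here) removes it. Consider an explicit cleanup such as `'keystone_authtoken/admin_password': ensure => absent;` for each legacy key, or document that `purge_config` is required on upgrade. Also note that `DEFAULT/trove_auth_url` is no longer managed at all when `$auth_strategy` is anything other than `'keystone'`; a comment saying that is intentional would help.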
diff --git a/manifests/keystone/authtoken.pp b/manifests/keystone/authtoken.pp
new file mode 100644
index 00000000..eabbafff
--- /dev/null
+++ b/manifests/keystone/authtoken.pp
@@ -0,0 +1,279 @@
+# class: trove::keystone::authtoken
+#
+# Configure the keystone_authtoken section in the configuration file
+#
+# === Parameters
+#
+# [*username*]
+#   (Optional) The name of the service user
+#   Defaults to 'trove'
+#
+# [*password*]
+#   (Optional) Password to create for the service user
+#   Defaults to $::os_service_default
+#
+# [*auth_url*]
+#   (Optional) The URL to use for authentication.
+#   Defaults to 'http://localhost:35357'
+#
+# [*project_name*]
+#   (Optional) Service project name
+#   Defaults to 'services'
+#
+# [*user_domain_name*]
+#   (Optional) Name of domain for $username
+#   Defaults to $::os_service_default
+#
+# [*project_domain_name*]
+#   (Optional) Name of domain for $project_name
+#   Defaults to $::os_service_default
+#
+# [*insecure*]
+#   (Optional) If true, explicitly allow TLS without checking server cert
+#   against any certificate authorities.  WARNING: not recommended.  Use with
+#   caution.
+#   Defaults to $:os_service_default
+#
+# [*auth_section*]
+#   (Optional) Config Section from which to load plugin specific options
+#   Defaults to $::os_service_default.
+#
+# [*auth_type*]
+#   (Optional) Authentication type to load
+#   Defaults to 'password'
+#
+# [*auth_uri*]
+#   (Optional) Complete public Identity API endpoint.
+#   Defaults to 'http://localhost:5000'.
+#
+# [*auth_version*]
+#   (Optional) API version of the admin Identity API endpoint.
+#   Defaults to $::os_service_default.
+#
+# [*cache*]
+#   (Optional) Env key for the swift cache.
+#   Defaults to $::os_service_default.
+#
+# [*cafile*]
+#   (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs
+#   connections.
+#   Defaults to $::os_service_default.
+#
+# [*certfile*]
+#   (Optional) Required if identity server requires client certificate
+#   Defaults to $::os_service_default.
+#
+# [*check_revocations_for_cached*]
+#   (Optional) If true, the revocation list will be checked for cached tokens.
+#   This requires that PKI tokens are configured on the identity server.
+#   boolean value.
+#   Defaults to $::os_service_default.
+#
+# [*delay_auth_decision*]
+#   (Optional) Do not handle authorization requests within the middleware, but
+#   delegate the authorization decision to downstream WSGI components. Boolean
+#   value
+#   Defaults to $::os_service_default.
+#
+# [*enforce_token_bind*]
+#   (Optional) Used to control the use and type of token binding. Can be set
+#   to: "disabled" to not check token binding. "permissive" (default) to
+#   validate binding information if the bind type is of a form known to the
+#   server and ignore it if not. "strict" like "permissive" but if the bind
+#   type is unknown the token will be rejected. "required" any form of token
+#   binding is needed to be allowed. Finally the name of a binding method that
+#   must be present in tokens. String value.
+#   Defaults to $::os_service_default.
+#
+# [*hash_algorithms*]
+#   (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
+#   single algorithm or multiple. The algorithms are those supported by Python
+#   standard hashlib.new(). The hashes will be tried in the order given, so put
+#   the preferred one first for performance. The result of the first hash will
+#   be stored in the cache. This will typically be set to multiple values only
+#   while migrating from a less secure algorithm to a more secure one. Once all
+#   the old tokens are expired this option should be set to a single value for
+#   better performance. List value.
+#   Defaults to $::os_service_default.
+#
+# [*http_connect_timeout*]
+#   (Optional) Request timeout value for communicating with Identity API
+#   server.
+#   Defaults to $::os_service_default.
+#
+# [*http_request_max_retries*]
+#   (Optional) How many times are we trying to reconnect when communicating
+#   with Identity API Server. Integer value
+#   Defaults to $::os_service_default.
+#
+# [*include_service_catalog*]
+#   (Optional) Indicate whether to set the X-Service-Catalog header. If False,
+#   middleware will not ask for service catalog on token validation and will
+#   not
+#   set the X-Service-Catalog header. Boolean value.
+#   Defaults to $::os_service_default.
+#
+# [*keyfile*]
+#   (Optional) Required if identity server requires client certificate
+#   Defaults to $::os_service_default.
+#
+# [*memcache_pool_conn_get_timeout*]
+#   (Optional) Number of seconds that an operation will wait to get a memcached
+#   client connection from the pool. Integer value
+#   Defaults to $::os_service_default.
+#
+# [*memcache_pool_dead_retry*]
+#   (Optional) Number of seconds memcached server is considered dead before it
+#   is tried again. Integer value
+#   Defaults to $::os_service_default.
+#
+# [*memcache_pool_maxsize*]
+#   (Optional) Maximum total number of open connections to every memcached
+#   server. Integer value
+#   Defaults to $::os_service_default.
+#
+# [*memcache_pool_socket_timeout*]
+#   (Optional) Number of seconds a connection to memcached is held unused in
+#   the
+#   pool before it is closed. Integer value
+#   Defaults to $::os_service_default.
+#
+# [*memcache_pool_unused_timeout*]
+#   (Optional) Number of seconds a connection to memcached is held unused in
+#   the
+#   pool before it is closed. Integer value
+#   Defaults to $::os_service_default.
+#
+# [*memcache_secret_key*]
+#   (Optional, mandatory if memcache_security_strategy is defined) This string
+#   is used for key derivation.
+#   Defaults to $::os_service_default.
+#
+# [*memcache_security_strategy*]
+#   (Optional) If defined, indicate whether token data should be authenticated
+#   or
+#   authenticated and encrypted. If MAC, token data is authenticated (with
+#   HMAC)
+#   in the cache. If ENCRYPT, token data is encrypted and authenticated in the
+#   cache. If the value is not one of these options or empty, auth_token will
+#   raise an exception on initialization.
+#   Defaults to $::os_service_default.
+#
+# [*memcache_use_advanced_pool*]
+#   (Optional)  Use the advanced (eventlet safe) memcached client pool. The
+#   advanced pool will only work under python 2.x Boolean value
+#   Defaults to $::os_service_default.
+#
+# [*memcached_servers*]
+#   (Optional) Optionally specify a list of memcached server(s) to use for
+#   caching. If left undefined, tokens will instead be cached in-process.
+#   Defaults to $::os_service_default.
+#
+# [*region_name*]
+#   (Optional) The region in which the identity server can be found.
+#   Defaults to $::os_service_default.
+#
+# [*revocation_cache_time*]
+#   (Optional) Determines the frequency at which the list of revoked tokens is
+#   retrieved from the Identity service (in seconds). A high number of
+#   revocation events combined with a low cache duration may significantly
+#   reduce performance. Only valid for PKI tokens. Integer value
+#   Defaults to $::os_service_default.
+#
+# [*signing_dir*]
+#   (Optional) Directory used to cache files related to PKI tokens.
+#   Defaults to $::os_service_default.
+#
+# [*token_cache_time*]
+#   (Optional) In order to prevent excessive effort spent validating tokens,
+#   the middleware caches previously-seen tokens for a configurable duration
+#   (in seconds). Set to -1 to disable caching completely. Integer value
+#   Defaults to $::os_service_default.
+#
+class trove::keystone::authtoken(
+  $username                       = 'trove',
+  $password                       = $::os_service_default,
+  $auth_url                       = 'http://localhost:35357',
+  $project_name                   = 'services',
+  $user_domain_name               = $::os_service_default,
+  $project_domain_name            = $::os_service_default,
+  $insecure                       = $::os_service_default,
+  $auth_section                   = $::os_service_default,
+  $auth_type                      = 'password',
+  $auth_uri                       = 'http://localhost:5000',
+  $auth_version                   = $::os_service_default,
+  $cache                          = $::os_service_default,
+  $cafile                         = $::os_service_default,
+  $certfile                       = $::os_service_default,
+  $check_revocations_for_cached   = $::os_service_default,
+  $delay_auth_decision            = $::os_service_default,
+  $enforce_token_bind             = $::os_service_default,
+  $hash_algorithms                = $::os_service_default,
+  $http_connect_timeout           = $::os_service_default,
+  $http_request_max_retries       = $::os_service_default,
+  $include_service_catalog        = $::os_service_default,
+  $keyfile                        = $::os_service_default,
+  $memcache_pool_conn_get_timeout = $::os_service_default,
+  $memcache_pool_dead_retry       = $::os_service_default,
+  $memcache_pool_maxsize          = $::os_service_default,
+  $memcache_pool_socket_timeout   = $::os_service_default,
+  $memcache_pool_unused_timeout   = $::os_service_default,
+  $memcache_secret_key            = $::os_service_default,
+  $memcache_security_strategy     = $::os_service_default,
+  $memcache_use_advanced_pool     = $::os_service_default,
+  $memcached_servers              = $::os_service_default,
+  $region_name                    = $::os_service_default,
+  $revocation_cache_time          = $::os_service_default,
+  $signing_dir                    = $::os_service_default,
+  $token_cache_time               = $::os_service_default,
+) {
+
+  if is_service_default($password) and ! $::trove::api::keystone_password {
+    fail('Please set password for trove service user')
+  }
+
+  #NOTE(iurygregory): Use pick to keep backward compatibility
+  $username_real = pick($::trove::api::keystone_user,$username)
+  $password_real = pick($::trove::api::keystone_password,$password)
+  $project_name_real = pick($::trove::api::keystone_tenant,$project_name)
+  $auth_url_real = pick($::trove::api::identity_uri,$::trove::api::auth_url,$auth_url)
+  $auth_uri_real = pick($::trove::api::auth_uri,$auth_uri)
+
+  keystone::resource::authtoken { 'trove_config':
+      username                       => $username_real,
+      password                       => $password_real,
+      project_name                   => $project_name_real,
+      auth_url                       => $auth_url_real,
+      auth_uri                       => $auth_uri_real,
+      auth_version                   => $auth_version,
+      auth_type                      => $auth_type,
+      auth_section                   => $auth_section,
+      user_domain_name               => $user_domain_name,
+      project_domain_name            => $project_domain_name,
+      insecure                       => $insecure,
+      cache                          => $cache,
+      cafile                         => $cafile,
+      certfile                       => $certfile,
+      check_revocations_for_cached   => $check_revocations_for_cached,
+      delay_auth_decision            => $delay_auth_decision,
+      enforce_token_bind             => $enforce_token_bind,
+      hash_algorithms                => $hash_algorithms,
+      http_connect_timeout           => $http_connect_timeout,
+      http_request_max_retries       => $http_request_max_retries,
+      include_service_catalog        => $include_service_catalog,
+      keyfile                        => $keyfile,
+      memcache_pool_conn_get_timeout => $memcache_pool_conn_get_timeout,
+      memcache_pool_dead_retry       => $memcache_pool_dead_retry,
+      memcache_pool_maxsize          => $memcache_pool_maxsize,
+      memcache_pool_socket_timeout   => $memcache_pool_socket_timeout,
+      memcache_secret_key            => $memcache_secret_key,
+      memcache_security_strategy     => $memcache_security_strategy,
+      memcache_use_advanced_pool     => $memcache_use_advanced_pool,
+      memcache_pool_unused_timeout   => $memcache_pool_unused_timeout,
+      memcached_servers              => $memcached_servers,
+      region_name                    => $region_name,
+      revocation_cache_time          => $revocation_cache_time,
+      signing_dir                    => $signing_dir,
+      token_cache_time               => $token_cache_time,
+    }
+}
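Review bot: The guard `if is_service_default($password) and ! $::trove::api::keystone_password` and the `pick()` lines after it read variables of `trove::api`, although this class neither includes nor requires that class, so the result depends on evaluation order. If this class is declared on its own or evaluated before `trove::api`, the deprecated values are silently ignored, and the lookup may error under strict variable checking. A comment above the guard stating that the class is expected to be included from `trove::api` would make the coupling visible. The defaults `http://localhost:35357` and `http://localhost:5000` are plain HTTP, so the parameter docs for `auth_url` and `auth_uri` should say that non-local deployments need an `https://` endpoint together with `cafile`. Documentation nits: the `insecure` default reads `$:os_service_default` (one colon), and the `memcache_pool_socket_timeout` description repeats the text of `memcache_pool_unused_timeout`.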
diff --git a/releasenotes/notes/authtoken-bcb9cc0581080079.yaml b/releasenotes/notes/authtoken-bcb9cc0581080079.yaml
new file mode 100644
index 00000000..dee23acb
--- /dev/null
+++ b/releasenotes/notes/authtoken-bcb9cc0581080079.yaml
@@ -0,0 +1,10 @@
+---
+features:
+  - Configure keystonemiddleware in a consistent way with all options required
+    for Keystone v3.
+deprecations:
+  - trove::api::keystone_tenant is deprecated in favor of trove::keystone::authtoken::project_name.
+  - trove::api::keystone_user is deprecated in favor of trove::keystone::authtoken::username.
+  - trove::api::keystone_password is deprecated in favor of trove::keystone::authtoken::password.
+  - trove::api::identity_uri is deprecated in favor of trove::keystone::authtoken::auth_url.
+  - trove::api::auth is deprecated in favor of trove::keystone::authtoken::auth_uri.
diff --git a/spec/classes/trove_api_spec.rb b/spec/classes/trove_api_spec.rb
index 42f5cc1f..d3bd0b79 100644
--- a/spec/classes/trove_api_spec.rb
+++ b/spec/classes/trove_api_spec.rb
@@ -22,11 +22,11 @@ require 'spec_helper'
 describe 'trove::api' do
 
   let :params do
-    { :keystone_password     => 'passw0rd',
-      :identity_uri          => 'http://10.0.0.10:35357/',
-      :auth_uri              => 'http://10.0.0.10:5000/v2.0/',
-      :keystone_tenant       => '_services_',
-      :keystone_user         => 'trove',
+    { :keystone_password => 'passw0rd',
+      :identity_uri      => 'http://10.0.0.10:35357/',
+      :auth_uri          => 'http://10.0.0.10:5000/v2.0/',
+      :keystone_tenant   => '_services_',
+      :keystone_user     => 'trove',
     }
   end
 
@@ -69,10 +69,10 @@ describe 'trove::api' do
         is_expected.to contain_trove_config('DEFAULT/nova_proxy_admin_pass').with_value('verysecrete')
         is_expected.to contain_trove_config('DEFAULT/nova_proxy_admin_tenant_name').with_value('admin')
         is_expected.to contain_trove_config('keystone_authtoken/auth_uri').with_value('http://10.0.0.10:5000/v2.0/')
-        is_expected.to contain_trove_config('keystone_authtoken/identity_uri').with_value('http://10.0.0.10:35357/')
-        is_expected.to contain_trove_config('keystone_authtoken/admin_tenant_name').with_value('_services_')
-        is_expected.to contain_trove_config('keystone_authtoken/admin_user').with_value('trove')
-        is_expected.to contain_trove_config('keystone_authtoken/admin_password').with_value('passw0rd')
+        is_expected.to contain_trove_config('keystone_authtoken/auth_url').with_value('http://10.0.0.10:35357/')
+        is_expected.to contain_trove_config('keystone_authtoken/project_name').with_value('_services_')
+        is_expected.to contain_trove_config('keystone_authtoken/username').with_value('trove')
+        is_expected.to contain_trove_config('keystone_authtoken/password').with_value('passw0rd')
         is_expected.to contain_trove_config('DEFAULT/control_exchange').with_value('trove')
         is_expected.to contain_trove_config('DEFAULT/os_region_name').with_value('RegionOne')
         is_expected.to contain_trove_config('DEFAULT/nova_compute_service_type').with_value('compute')
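Review bot: The updated expectation for `keystone_authtoken/password` checks only the value. The manifest code this commit removes set the old `admin_password` with `secret => true`, and nothing in the spec verifies that the new key is still redacted in Puppet logs and reports. Assuming `keystone::resource::authtoken` marks it secret (not visible in this diff), extend the line to `is_expected.to contain_trove_config('keystone_authtoken/password').with_value('passw0rd').with_secret(true)` so a regression that leaks the service password into logs is caught. The enclosing `it` block starts and ends outside this hunk.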
@@ -99,27 +99,6 @@ describe 'trove::api' do
         is_expected.to contain_trove_config('ssl/ca_file').with_ensure('absent')
       end
 
-      context 'with deprecated parameters' do
-        let :deprecated_params do
-          {
-            :auth_host             => '10.0.0.10',
-            :auth_url              => 'http://10.0.0.10:5000/v2.0/',
-            :auth_port             => '35357',
-            :auth_protocol         => 'http',
-          }
-        end
-
-        let :expected_params do
-          params.merge(deprecated_params)
-        end
-
-        it 'should work with deprecated parameters' do
-          is_expected.to contain_trove_config('DEFAULT/trove_auth_url').with_value(expected_params[:auth_url])
-          is_expected.to contain_trove_config('keystone_authtoken/auth_uri').with_value(expected_params[:auth_url])
-          is_expected.to contain_trove_config('keystone_authtoken/identity_uri').with_value(expected_params[:auth_protocol] + "://" + expected_params[:auth_host] + ":" + expected_params[:auth_port] + "/")
-        end
-      end
-
       context 'with SSL enabled on API' do
       before :each do
         params.merge!(
diff --git a/spec/classes/trove_keystone_authtoken_spec.rb b/spec/classes/trove_keystone_authtoken_spec.rb
new file mode 100644
index 00000000..fc09ec5c
--- /dev/null
+++ b/spec/classes/trove_keystone_authtoken_spec.rb
@@ -0,0 +1,145 @@
+require 'spec_helper'
+
+describe 'trove::keystone::authtoken' do
+
+  let :params do
+    { :password => 'trove_password', }
+  end
+
+  shared_examples 'trove authtoken' do
+
+    context 'with default parameters' do
+
+      it 'configure keystone_authtoken' do
+        is_expected.to contain_trove_config('keystone_authtoken/username').with_value('trove')
+        is_expected.to contain_trove_config('keystone_authtoken/password').with_value('trove_password')
+        is_expected.to contain_trove_config('keystone_authtoken/auth_url').with_value('http://localhost:35357')
+        is_expected.to contain_trove_config('keystone_authtoken/project_name').with_value('services')
+        is_expected.to contain_trove_config('keystone_authtoken/user_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_trove_config('keystone_authtoken/project_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_trove_config('keystone_authtoken/insecure').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_trove_config('keystone_authtoken/auth_section').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_trove_config('keystone_authtoken/auth_type').with_value('password')
+        is_expected.to contain_trove_config('keystone_authtoken/auth_uri').with_value('http://localhost:5000')
+        is_expected.to contain_trove_config('keystone_authtoken/auth_version').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_trove_config('keystone_authtoken/cache').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_trove_config('keystone_authtoken/cafile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_trove_config('keystone_authtoken/certfile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_trove_config('keystone_authtoken/check_revocations_for_cached').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_trove_config('keystone_authtoken/delay_auth_decision').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_trove_config('keystone_authtoken/enforce_token_bind').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_trove_config('keystone_authtoken/hash_algorithms').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_trove_config('keystone_authtoken/http_connect_timeout').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_trove_config('keystone_authtoken/http_request_max_retries').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_trove_config('keystone_authtoken/include_service_catalog').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_trove_config('keystone_authtoken/keyfile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_trove_config('keystone_authtoken/memcache_pool_conn_get_timeout').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_trove_config('keystone_authtoken/memcache_pool_dead_retry').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_trove_config('keystone_authtoken/memcache_pool_maxsize').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_trove_config('keystone_authtoken/memcache_pool_socket_timeout').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_trove_config('keystone_authtoken/memcache_pool_unused_timeout').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_trove_config('keystone_authtoken/memcache_secret_key').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_trove_config('keystone_authtoken/memcache_security_strategy').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_trove_config('keystone_authtoken/memcache_use_advanced_pool').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_trove_config('keystone_authtoken/memcached_servers').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_trove_config('keystone_authtoken/region_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_trove_config('keystone_authtoken/revocation_cache_time').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_trove_config('keystone_authtoken/signing_dir').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_trove_config('keystone_authtoken/token_cache_time').with_value('<SERVICE DEFAULT>')
+      end
+    end
+
+    context 'when overriding parameters' do
+      before do
+        params.merge!({
+          :auth_uri                             => 'https://10.0.0.1:9999/',
+          :username                             => 'myuser',
+          :password                             => 'mypasswd',
+          :auth_url                             => 'http://:127.0.0.1:35357',
+          :project_name                         => 'service_project',
+          :user_domain_name                     => 'domainX',
+          :project_domain_name                  => 'domainX',
+          :insecure                             => false,
+          :auth_section                         => 'new_section',
+          :auth_type                            => 'password',
+          :auth_version                         => 'v3',
+          :cache                                => 'somevalue',
+          :cafile                               => '/opt/stack/data/cafile.pem',
+          :certfile                             => 'certfile.crt',
+          :check_revocations_for_cached         => false,
+          :delay_auth_decision                  => false,
+          :enforce_token_bind                   => 'permissive',
+          :hash_algorithms                      => 'md5',
+          :http_connect_timeout                 => '300',
+          :http_request_max_retries             => '3',
+          :include_service_catalog              => true,
+          :keyfile                              => 'keyfile',
+          :memcache_pool_conn_get_timeout       => '9',
+          :memcache_pool_dead_retry             => '302',
+          :memcache_pool_maxsize                => '11',
+          :memcache_pool_socket_timeout         => '2',
+          :memcache_pool_unused_timeout         => '61',
+          :memcache_secret_key                  => 'secret_key',
+          :memcache_security_strategy           => 'ENCRYPT',
+          :memcache_use_advanced_pool           => true,
+          :memcached_servers                    => ['memcached01:11211','memcached02:11211'],
+          :region_name                          => 'region2',
+          :revocation_cache_time                => '11',
+          :signing_dir                          => '/var/cache',
+          :token_cache_time                     => '301',
+        })
+      end
+
+      it 'configure keystone_authtoken' do
+        is_expected.to contain_trove_config('keystone_authtoken/auth_uri').with_value('https://10.0.0.1:9999/')
+        is_expected.to contain_trove_config('keystone_authtoken/username').with_value(params[:username])
+        is_expected.to contain_trove_config('keystone_authtoken/password').with_value(params[:password]).with_secret(true)
+        is_expected.to contain_trove_config('keystone_authtoken/auth_url').with_value(params[:auth_url])
+        is_expected.to contain_trove_config('keystone_authtoken/project_name').with_value(params[:project_name])
+        is_expected.to contain_trove_config('keystone_authtoken/user_domain_name').with_value(params[:user_domain_name])
+        is_expected.to contain_trove_config('keystone_authtoken/project_domain_name').with_value(params[:project_domain_name])
+        is_expected.to contain_trove_config('keystone_authtoken/insecure').with_value(params[:insecure])
+        is_expected.to contain_trove_config('keystone_authtoken/auth_section').with_value(params[:auth_section])
+        is_expected.to contain_trove_config('keystone_authtoken/auth_type').with_value(params[:auth_type])
+        is_expected.to contain_trove_config('keystone_authtoken/auth_version').with_value(params[:auth_version])
+        is_expected.to contain_trove_config('keystone_authtoken/cache').with_value(params[:cache])
+        is_expected.to contain_trove_config('keystone_authtoken/cafile').with_value(params[:cafile])
+        is_expected.to contain_trove_config('keystone_authtoken/certfile').with_value(params[:certfile])
+        is_expected.to contain_trove_config('keystone_authtoken/check_revocations_for_cached').with_value(params[:check_revocations_for_cached])
+        is_expected.to contain_trove_config('keystone_authtoken/delay_auth_decision').with_value(params[:delay_auth_decision])
+        is_expected.to contain_trove_config('keystone_authtoken/enforce_token_bind').with_value(params[:enforce_token_bind])
+        is_expected.to contain_trove_config('keystone_authtoken/hash_algorithms').with_value(params[:hash_algorithms])
+        is_expected.to contain_trove_config('keystone_authtoken/http_connect_timeout').with_value(params[:http_connect_timeout])
+        is_expected.to contain_trove_config('keystone_authtoken/http_request_max_retries').with_value(params[:http_request_max_retries])
+        is_expected.to contain_trove_config('keystone_authtoken/include_service_catalog').with_value(params[:include_service_catalog])
+        is_expected.to contain_trove_config('keystone_authtoken/keyfile').with_value(params[:keyfile])
+        is_expected.to contain_trove_config('keystone_authtoken/memcache_pool_conn_get_timeout').with_value(params[:memcache_pool_conn_get_timeout])
+        is_expected.to contain_trove_config('keystone_authtoken/memcache_pool_dead_retry').with_value(params[:memcache_pool_dead_retry])
+        is_expected.to contain_trove_config('keystone_authtoken/memcache_pool_maxsize').with_value(params[:memcache_pool_maxsize])
+        is_expected.to contain_trove_config('keystone_authtoken/memcache_pool_socket_timeout').with_value(params[:memcache_pool_socket_timeout])
+        is_expected.to contain_trove_config('keystone_authtoken/memcache_pool_unused_timeout').with_value(params[:memcache_pool_unused_timeout])
+        is_expected.to contain_trove_config('keystone_authtoken/memcache_secret_key').with_value(params[:memcache_secret_key])
+        is_expected.to contain_trove_config('keystone_authtoken/memcache_security_strategy').with_value(params[:memcache_security_strategy])
+        is_expected.to contain_trove_config('keystone_authtoken/memcache_use_advanced_pool').with_value(params[:memcache_use_advanced_pool])
+        is_expected.to contain_trove_config('keystone_authtoken/memcached_servers').with_value('memcached01:11211,memcached02:11211')
+        is_expected.to contain_trove_config('keystone_authtoken/region_name').with_value(params[:region_name])
+        is_expected.to contain_trove_config('keystone_authtoken/revocation_cache_time').with_value(params[:revocation_cache_time])
+        is_expected.to contain_trove_config('keystone_authtoken/signing_dir').with_value(params[:signing_dir])
+        is_expected.to contain_trove_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time])
+      end
+    end
+  end
+
+  on_supported_os({
+    :supported_os => OSDefaults.get_supported_os
+  }).each do |os,facts|
+    context "on #{os}" do
+      let (:facts) do
+        facts.merge!(OSDefaults.get_facts())
+      end
+
+      it_configures 'trove authtoken'
+    end
+  end
+
+end
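Review bot: The only `with_secret(true)` assertion in this new spec is on `keystone_authtoken/password` in the 'when overriding parameters' example; the 'with default parameters' example checks the same key with `.with_value('trove_password')` alone, and `keystone_authtoken/memcache_secret_key` is asserted without the flag in both examples. If the manifest (not visible in this hunk) marks these settings as secret so their values stay out of Puppet logs and reports, the spec should pin that wherever the key is checked, e.g. `is_expected.to contain_trove_config('keystone_authtoken/password').with_value('trove_password').with_secret(true)` in the default example and `is_expected.to contain_trove_config('keystone_authtoken/memcache_secret_key').with_value(params[:memcache_secret_key]).with_secret(true)` in the override example. Separately, the override fixture `:auth_url => 'http://:127.0.0.1:35357'` has a stray colon after `//`; the example still passes because the value is only echoed back, but `:auth_url => 'http://127.0.0.1:35357'` would be a well-formed URL.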