diff --git a/keystone/tests/unit/test_auth.py b/keystone/tests/unit/test_auth.py
index b09d9acaee..6f44b31650 100644
--- a/keystone/tests/unit/test_auth.py
+++ b/keystone/tests/unit/test_auth.py
@@ -33,6 +33,7 @@ from keystone import exception
 from keystone.models import token_model
 from keystone.tests import unit
 from keystone.tests.unit import default_fixtures
+from keystone.tests.unit import ksfixtures
 from keystone.tests.unit.ksfixtures import database
 from keystone import token
 from keystone.token import provider
@@ -671,6 +672,27 @@ class AuthWithToken(AuthTest):
 token_id=token_2_id)
 
 
+class FernetAuthWithToken(AuthWithToken):
+ def config_overrides(self):
+ super(FernetAuthWithToken, self).config_overrides()
+ self.config_fixture.config(group='token', provider='fernet')
+ self.useFixture(ksfixtures.KeyRepository(self.config_fixture))
+
+ def test_token_auth_with_binding(self):
+ self.config_fixture.config(group='token', bind=['kerberos'])
+ body_dict = _build_user_auth()
+ self.assertRaises(exception.NotImplemented,
+ self.controller.authenticate,
+ self.context_with_remote_user,
+ body_dict)
+
+ def test_revoke_with_no_audit_info(self):
+ self.skipTest('Fernet with v2.0 and revocation is broken')
+
+ def test_deleting_role_revokes_token(self):
+ self.skipTest('Fernet with v2.0 and revocation is broken')
+
+
 class AuthWithPasswordCredentials(AuthTest):
 def test_auth_invalid_user(self):
 """Verify exception is raised if invalid user."""
diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py
index f610fc4cae..6eeb23ecd7 100644
--- a/keystone/token/controllers.py
+++ b/keystone/token/controllers.py
@@ -180,7 +180,8 @@ class Auth(controller.V2Controller):
 try:
 token_model_ref = token_model.KeystoneToken(
 token_id=old_token,
- token_data=self.token_provider_api.validate_token(old_token))
+ token_data=self.token_provider_api.validate_v2_token(old_token)
+ )
 except exception.NotFound as e:
 raise exception.Unauthorized(e)
 
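Review bot: In keystone/tests/unit/test_auth.py, the two `skipTest` overrides in `FernetAuthWithToken` (`test_revoke_with_no_audit_info` and `test_deleting_role_revokes_token`) leave token revocation for the Fernet provider over v2.0 without coverage in this class, and the skip message points at no tracker entry. Since the message itself says revocation is broken for this combination, tie each skip to the tracking bug so it is removed when that is fixed, e.g. `self.skipTest('Fernet with v2.0 and revocation is broken (bug <BUG-ID placeholder>)')`. A one-line class docstring such as `"""Run the AuthWithToken tests against the fernet token provider."""` would also make the purpose of the subclass explicit.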
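Review bot: In keystone/token/controllers.py, the `except exception.NotFound` around the new `validate_v2_token(old_token)` call is the only translation to `Unauthorized`, so it is worth confirming that the v2 validator reports every rejected token through that type; any other exception it raises would leave this handler unchanged. The reason for calling the v2-specific validator is also not recorded at the call site; a short comment such as `# v2.0 auth needs v2-shaped token data regardless of the configured provider` (wording to be confirmed by the author) would keep a later cleanup from reverting to `validate_token`. The enclosing method starts and ends outside the hunk, so the handling after this `try` is not visible here.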
diff --git a/keystone/token/providers/fernet/core.py b/keystone/token/providers/fernet/core.py
index 8042aab95f..ff6fe9cc78 100644
--- a/keystone/token/providers/fernet/core.py
+++ b/keystone/token/providers/fernet/core.py
@@ -15,7 +15,6 @@ from oslo_config import cfg
 from keystone.common import dependency
 from keystone.common import utils as ks_utils
 from keystone.federation import constants as federation_constants
-from keystone.token import provider
 from keystone.token.providers import common
 from keystone.token.providers.fernet import token_formatters as tf
 
@@ -145,12 +144,8 @@ class Provider(common.BaseProvider):
 expires_at = token_data['access']['token']['expires']
 audit_ids = token_data['access']['token'].get('audit_ids')
 methods = ['password']
- if audit_ids:
- parent_audit_id = token_data['access']['token'].get(
- 'parent_audit_id')
- audit_ids = provider.audit_info(parent_audit_id)
- if parent_audit_id:
- methods.append('token')
+ if len(audit_ids) > 1:
+ methods.append('token')
 project_id = token_data['access']['token'].get('tenant', {}).get('id')
 domain_id = None
 trust_id = None
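Review bot: In keystone/token/providers/fernet/core.py, `if len(audit_ids) > 1:` raises `TypeError` when the token data has no `audit_ids` key, because the context line above reads it with `.get('audit_ids')` and the removed `if audit_ids:` guard was what tolerated `None`. Keep the guard while counting: `if audit_ids and len(audit_ids) > 1:`. Since the `methods` list is inferred here from the number of audit ids, a short comment stating that a second entry is taken to mean the token was obtained from another token would help the next reader. The method starts and ends outside the hunk, so whether `audit_ids` is validated earlier cannot be seen here.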