Currently the Undercloud services (keystone api and the like) only listen on the provisioning network. It would be nice if there was a way to configure the undercloud to also listen on the external / public network, so that you could connect to keystone or other services externally without requiring that the provisioning network is routable from the external network.
So you are probably using instack or comparable to set up the undercloud. That is not a supported component yet. It is not a Keystone issue at any point, though. From the supported project standpoiint, the Keystone server, and the rest of the undercloud will listen on whatever interfaces are provided by the physical machine.