A feature has been added to bind a token to a kerberos token. This has been added to circumvent the following scenario:
The current security model involves bearer tokens. This means, if you hold the token, then you are the specified user and have all the privileges associated with it.
If another user were to acquire that token, they too become that user with all those privileges.
Binding a token means that a user must have both a token and the associated cryptographic identity (in this case kerberos ticket) for the token to be valid.
Tokens can be optionally bound to a Kerberos ticket.
An article on token binding and configuration can be found here: https://github.com/openstack/keystone/blob/master/doc/source/configuration.rst#token-binding