Skip to content

Fix Trust Mark Delegation validation to handle optional exp claim #3

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
andreassolberg wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Fix Trust Mark Delegation validation to handle optional exp claim #3

andreassolberg wants to merge 1 commit into from

Conversation

@andreassolberg
Copy link
Contributor

@andreassolberg andreassolberg commented Jan 3, 2026

Summary

Fix validation step 7 for Trust Mark Delegation to correctly handle the optional exp claim.

Problem

The exp claim is defined as OPTIONAL in the Trust Mark Delegation JWT claims (Section 7.2.1):

exp: OPTIONAL. Number. Time when this delegation stops being valid. [...] If not present, it means that the delegation does not expire.

However, validation step 7 unconditionally required checking the exp claim:

The current time MUST be before the time represented by the exp (expiration) Claim in the delegation...

This is inconsistent - if exp is optional and "delegation does not expire" when absent, then the validation should only apply when exp is present.

Changes

Make validation step 7 conditional:

<!-- Before -->
<t>The current time MUST be before the time represented by the exp (expiration) 
Claim in the delegation (possibly allowing for some small leeway to account 
for clock skew).</t>

<!-- After -->
<t>If the <spanx style="verb">exp</spanx> (expiration) Claim is present in 
the delegation, the current time MUST be before the time it represents 
(possibly allowing for some small leeway to account for clock skew).</t>

References

🤖 Generated with Claude Code

@andreassolberg @claude
Fix Trust Mark Delegation validation for optional exp claim
71a6ea7 
The exp claim is defined as OPTIONAL in the Trust Mark Delegation JWT
claims, with the note: "If not present, it means that the delegation
does not expire."

However, validation step 7 unconditionally required checking the exp
claim, which was inconsistent with its OPTIONAL status.

This change makes validation step 7 conditional on the presence of exp.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
@selfissued
Copy link
Member

selfissued commented Jan 8, 2026

This fix also applies to OpenID Federation 1.0.

@rohe rohe self-requested a review January 8, 2026 07:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rohe rohe Awaiting requested review from rohe

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@andreassolberg @selfissued