Question

As a dataholder (DH), we expect that the nbf claim should be provided in any scenario that requires a  JSON web token (JWT) validation. Scenarios include  Data Change Request (DCR), create/modify Request and SSA JWT, Consent Request JWT, Client_assertion JWT (revoke, CDR introspection, /token endpoint.

The nbf claim is not mentioned in the CDS or the register standards, but these requirements are taken from the FAPI profile specification referenced from the standards. 

If we turn on nbf validation, we will reject requests from ADRs that do not include the nbf claim. Is this compliant?

Answer

Clients are not required to present the nbf claim, however if the nbf claim is received, the DH must validate it in accordance to RFC7523 and RFC7519.

The mandatory requirement of nbf was introduced in FAPI 1.0. The CDS currently relies on FAPI WG Draft 06, which does not include this requirement. The nbf claim is not currently required by the CDS. A review of differences between Draft 06 and 1.0 Final is currently being undertaken to identify changes like this that will have breaking change impacts. 

The additional constraints on validation of the nbf claim introduced in FAPI 1.0 Final don't currently apply. However on completion of the analysis and consultation on FAPI standards uplift, the nbf claim requirement will probably be adopted.

See:

• RFC 7519 JSON Web Token nbf claim
• CDS Security Profile