auth: add AllowMissingExpiration option to RequireBearerTokenOptions

BorisTyshkevich · claude · BorisTyshkevich · commit 7261e1582a7a · 2026-05-22T11:53:11.000+02:00
Some IdPs emit session-bound bearer tokens that do not carry a standalone
`exp` claim — the token's lifetime is bounded by an external session and is
not advertised in-band. Resource servers integrating with such IdPs need to
opt in to validating the rest of the token (scopes, signature via the
verifier callback) without requiring the expiration field to be present.

Adds an AllowMissingExpiration bool to RequireBearerTokenOptions. Default
false preserves the existing strict behaviour. When true, a TokenInfo with
a zero Expiration is accepted; non-zero expirations are still checked for
elapsed validity.

Extends TestVerify with a "no expiration with AllowMissingExpiration accepts"
case mirroring the existing strict-reject case.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/auth/auth.go b/auth/auth.go
@@ -47,6 +47,21 @@ type RequireBearerTokenOptions struct {
 	ResourceMetadataURL string
 	// The required scopes.
 	Scopes []string
+	// AllowMissingExpiration opts the middleware out of the
+	// `tokenInfo.Expiration.IsZero()` reject. Default false preserves the
+	// existing strict behaviour (every TokenInfo must carry an Expiration).
+	//
+	// Some IdPs emit session-bound bearer tokens that do not carry a standalone
+	// `exp` claim — the token's lifetime is bounded by an external session and
+	// is not advertised in-band. Resource servers integrating with such IdPs
+	// need to opt in to validating the rest of the token (scopes, signature
+	// via the verifier callback, etc.) without requiring the expiration field
+	// to be present.
+	//
+	// When enabled, the verifier is still responsible for any session-level
+	// validity check it can perform; this option only relaxes the middleware's
+	// own expiration enforcement.
+	AllowMissingExpiration bool
 }
 
 type tokenInfoKey struct{}
@@ -131,9 +146,10 @@ func verify(req *http.Request, verifier TokenVerifier, opts *RequireBearerTokenO
 
 	// Check expiration.
 	if tokenInfo.Expiration.IsZero() {
-		return nil, "token missing expiration", http.StatusUnauthorized
-	}
-	if tokenInfo.Expiration.Before(time.Now()) {
+		if opts == nil || !opts.AllowMissingExpiration {
+			return nil, "token missing expiration", http.StatusUnauthorized
+		}
+	} else if tokenInfo.Expiration.Before(time.Now()) {
 		return nil, "token expired", http.StatusUnauthorized
 	}
 	return tokenInfo, "", 0
diff --git a/auth/auth_test.go b/auth/auth_test.go
@@ -62,6 +62,11 @@ func TestVerify(t *testing.T) {
 			"no expiration", nil, "Bearer noexp",
 			"token missing expiration", 401,
 		},
+		{
+			"no expiration with AllowMissingExpiration accepts",
+			&RequireBearerTokenOptions{AllowMissingExpiration: true}, "Bearer noexp",
+			"", 0,
+		},
 		{
 			"expired", nil, "Bearer expired",
 			"token expired", 401,
