Comment 4 for bug 1532280

Lance Bragstad (lbragstad) wrote :

Actually - this is a bug. It only happens with the Fernet provider. The original test that I was using to reproduce this had the project for the trust and the trustee in the same domain. When that domain was disabled, the trust-scoped token would fail to validate because the owning domain of the project was disabled, which is a consistent behavior across all token providers.

This can be recreated if the project used in the trust and trustor are in their own domain and the trustee is in another. A trust is established between the trustor in domain X and the trustee in domain Y for a project in domain X. If domain Y is disabled, the trust-scoped token is still valid.

I'm going to rework the patch that exposes the behavior through tests and remove 'Closes-Bug' from the commit message.
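
The scenario in the comment above, as an added example that is not part of the original comment and is not Keystone code: a toy model in which the reported behavior checks only the project's owning domain, shown beside a check that covers every domain the trust depends on. All names and the sample data are constructed; checking the trustor's domain separately is an assumption, since on the page the trustor and the project share domain X.

```python
"""Toy model of trust-scoped token validation (illustrative; not Keystone code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trustor: str  # user delegating access
    trustee: str  # user receiving access
    project: str  # project the token is scoped to


# Constructed sample data matching the comment: trustor and project live in
# domain X, the trustee lives in domain Y.
USER_DOMAIN = {"trustor": "X", "trustee": "Y"}
PROJECT_DOMAIN = {"project": "X"}
TRUST = Trust("trustor", "trustee", "project")


def validate_project_only(trust, disabled_domains):
    """Models the reported behavior: the project's domain is checked,
    the trustee's domain is not."""
    return PROJECT_DOMAIN[trust.project] not in disabled_domains


def validation_failures(trust, disabled_domains):
    """Check every domain the trust depends on and return rejection reasons.
    Including the trustor here is an assumption of this example."""
    owners = {
        "trustor": USER_DOMAIN[trust.trustor],
        "trustee": USER_DOMAIN[trust.trustee],
        "project": PROJECT_DOMAIN[trust.project],
    }
    return [f"{role} domain {dom} is disabled"
            for role, dom in owners.items() if dom in disabled_domains]


def validate_all_actors(trust, disabled_domains):
    """The token is valid only when no involved domain is disabled."""
    return not validation_failures(trust, disabled_domains)


if __name__ == "__main__":
    # Walk through: nothing disabled, domain X disabled, domain Y disabled.
    for disabled in (set(), {"X"}, {"Y"}):
        print(sorted(disabled),
              validate_project_only(TRUST, disabled),
              validate_all_actors(TRUST, disabled),
              validation_failures(TRUST, disabled))
```

The two checks agree when domain X is disabled and differ only when domain Y is disabled, which is the case a regression test has to cover.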