Hi,
the draft about the
JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants [1]
says:
"The JWT MUST contain a "sub" (subject) claim identifying theprincipal that
is the subject of the JWT. Two cases need to be differentiated:
A. For the authorization grant, the subject SHOULD identify an
authorized accessor for whom the access token is being
requested (typically the resource owner, or an authorized
delegate).
B. For client authentication, the subject MUST be the
"client_id" of the OAuth client."
I'm not sure, if this makes sense, cause in an federation-scenario the
original jwt is issued in an other security-domain and the auth-server in
question does not necessarily know the users in thouse domain. Furthermore,
it is very likely that the auth-server is not interested in the subject
claim, but just in other incoming claims in view of mapping them to outgoing
ones. IMHO, all the auth-server can do with the subject-claim is to create a
protocol entry that says that some action was performed for this subject.
Do I see that right?
Wishes,
Manfred
[1] https://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
