Elaborate, please... I've yet to acknowledge the presentation of how this response came about, or the recollection of whether you're asking, telling, or saying... what kind of communication, and to what comprehensive level, from whom it may concern, as to what you and I of a conclusion of the outcome of this reading shall come about.
----- Original Message -----
From: [email protected]
To: [email protected]
Sent: Wed, 25 Dec 2013 15:00:07 -0500 (EST)
Subject: OAuth Digest, Vol 62, Issue 14

Today's Topics:

   1. JWT Profile: Does it make sense to demand a subject? (Manfred Steyer)

----------------------------------------------------------------------

Message: 1
Date: Tue, 24 Dec 2013 22:38:42 +0100
From: "Manfred Steyer" <[email protected]>
To: <[email protected]>
Subject: [OAUTH-WG] JWT Profile: Does it make sense to demand a subject?
Message-ID: <[email protected]>
Content-Type: text/plain; charset="us-ascii"

Hi,

the draft about the JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants [1] says:

"The JWT MUST contain a "sub" (subject) claim identifying the principal that is the subject of the JWT. Two cases need to be differentiated:

A. For the authorization grant, the subject SHOULD identify an authorized accessor for whom the access token is being requested (typically the resource owner, or an authorized delegate).

B. For client authentication, the subject MUST be the "client_id" of the OAuth client."

I'm not sure if this makes sense, because in a federation scenario the original JWT is issued in another security domain and the auth server in question does not necessarily know the users in that domain. Furthermore, it is very likely that the auth server is not interested in the subject claim, but just in the other incoming claims, in view of mapping them to outgoing ones.

IMHO, all the auth server can do with the subject claim is to create a protocol entry that says that some action was performed for this subject.

Do I see that right?

Wishes,
Manfred

[1] https://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07

------------------------------

Subject: Digest Footer

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

------------------------------

End of OAuth Digest, Vol 62, Issue 14
*************************************
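The two cases Manfred quotes from the draft, as an added example that is not part of the thread and not code from the draft's authors: a minimal authorization-server check of an incoming JWT assertion, written in Python with a standard-library HS256 implementation so it runs offline. It enforces the draft's required claims (iss, sub, aud, exp), the audience and expiry checks, and the case-B rule that for client authentication "sub" must equal the client_id, while for case A it simply hands back whatever subject the issuer asserted. The issuer key table, the token endpoint URL, the fixed clock and the sample tokens are constructed assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed configuration (assumptions for this example): one trusted issuer
# with a shared HMAC key, and the token endpoint URL that "aud" must name.
ISSUER_KEYS = {"https://idp.example.org": b"constructed-shared-secret-do-not-use"}
TOKEN_ENDPOINT = "https://as.example.org/token"
NOW = 1_387_900_000  # fixed clock so the example is reproducible


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Issuer side: produce a compact HS256 JWT over the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    return f"{header}.{payload}." + _b64url(hmac.new(key, signing_input, hashlib.sha256).digest())


def validate_assertion(token: str, purpose: str, client_id: str = None, now: float = None) -> str:
    """Authorization-server side. purpose is 'grant' (case A) or 'client_auth'
    (case B). Returns the subject of a valid assertion, raises ValueError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")  # never let the token choose the algorithm
    claims = json.loads(_unb64url(payload_b64))
    # Key selection is driven by the not-yet-verified "iss"; the claims only
    # become trustworthy once a signature under that issuer's key checks out.
    key = ISSUER_KEYS.get(claims.get("iss"))
    if key is None:
        raise ValueError("untrusted or missing iss")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    for required in ("iss", "sub", "aud", "exp"):
        if required not in claims:
            raise ValueError(f"missing required claim {required!r}")
    aud = claims["aud"]
    if TOKEN_ENDPOINT not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not identify this authorization server")
    if claims["exp"] <= now:
        raise ValueError("assertion expired")
    if claims.get("nbf", now) > now:
        raise ValueError("assertion not yet valid")
    if purpose == "client_auth":
        # Case B: the subject MUST be the client_id of the authenticating client.
        if client_id is None or claims["sub"] != client_id:
            raise ValueError("client authentication requires sub == client_id")
    elif purpose != "grant":
        raise ValueError("unknown purpose")
    # Case A: the subject names the authorized accessor as asserted by the
    # issuer; the server logs it or maps other claims, nothing more is checked here.
    return claims["sub"]


def rejection_reason(token: str, **kwargs) -> str:
    """Convenience wrapper: the ValueError message, or None when the assertion is valid."""
    try:
        validate_assertion(token, **kwargs)
        return None
    except ValueError as e:
        return str(e)


# Constructed sample assertions from the trusted issuer.
KEY = ISSUER_KEYS["https://idp.example.org"]
BASE = {"iss": "https://idp.example.org", "aud": TOKEN_ENDPOINT, "exp": NOW + 300, "iat": NOW}
GRANT_TOKEN = sign_jwt({**BASE, "sub": "alice@idp.example.org"}, KEY)
CLIENT_AUTH_TOKEN = sign_jwt({**BASE, "sub": "client-42"}, KEY)
NO_SUB_TOKEN = sign_jwt(BASE, KEY)
FORGED_TOKEN = sign_jwt({**BASE, "sub": "client-42"}, b"not-the-issuer-key")

if __name__ == "__main__":
    print(validate_assertion(GRANT_TOKEN, "grant", now=NOW))
    print(validate_assertion(CLIENT_AUTH_TOKEN, "client_auth", client_id="client-42", now=NOW))
    print(rejection_reason(CLIENT_AUTH_TOKEN, purpose="client_auth", client_id="client-7", now=NOW))
    print(rejection_reason(NO_SUB_TOKEN, purpose="grant", now=NOW))
    print(rejection_reason(FORGED_TOKEN, purpose="client_auth", client_id="client-42", now=NOW))
```

The order of checks matters: the signature is verified under the key selected by "iss" before any claim is acted on, so a forged assertion is rejected as "bad signature" even when its "sub" happens to match the client_id. For the grant case the function can do no more with "sub" than return it, which is the point Manfred raises about a subject the authorization server does not itself know.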
