hi *,

JSON Web Token (JWT) Profile section 3 [0] explicitly says

    The JWT MUST contain a "sub" (subject) claim

Now IMHO there are cases where having the sub is either not needed or redundant (since it might overlap with the issuer).

As far as I can see “even Google” currently violates this spec [1] (I know that this doesn’t matter, just wanted to bring a real use case scenario).

WDYT might the “sub” be optional in some situations?

regards
antonio

[0] http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07#section-3
[1] https://developers.google.com/accounts/docs/OAuth2ServiceAccount
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
