Re: [OAUTH-WG] JSON Web Token (JWT) Profile

Tue, 11 Mar 2014 07:27:21 -0700 

Hi Antonio,

 

some time ago, I wrote about the same issue, but – unfortunately – didn’t
get an answer. I place my thoughts about this at the end of this mail.

 

Wishes,

Manfred

 

8<-------------------------------

 

 

Hi,

 

the draft about the

 

JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants [1]

 

says:

 

„The JWT MUST contain a "sub" (subject) claim identifying theprincipal that
is the subject of the JWT.  Two cases need to be differentiated:

 

        A.  For the authorization grant, the subject SHOULD identify an

            authorized accessor for whom the access token is being

            requested (typically the resource owner, or an authorized

            delegate).

 

        B.  For client authentication, the subject MUST be the

            "client_id" of the OAuth client.“

 

 

I’m not sure, if this makes sense, cause in an federation-scenario the
original jwt is issued in an other security-domain and the auth-server in
question does not necessarily know the users in thouse domain. Furthermore,
it is very likely that the auth-server is not interested in the subject
claim, but just in other incoming claims in view of mapping them to outgoing
ones. IMHO, all the auth-server can do with the subject-claim is to create a
protocol entry that says that some action was performed for this subject.

 

Do I see that right?

 

Wishes,

Manfred

 

[1] https://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07

 

 

Von: OAuth [mailto:[email protected]] Im Auftrag von Antonio Sanso
Gesendet: Dienstag, 11. März 2014 15:14
An: [email protected]
Betreff: [OAUTH-WG] JSON Web Token (JWT) Profile

 

hi *,

 

JSON Web Token (JWT) Profile section 3 [0] explicitely says 

 

The JWT MUST contain a "sub" (subject) claim 

 

Now IMHO there are cases where having the sub is either not needed or
redundant (since it might overlap with the issuer).\

 

As far as I can see “even Google” currently violates this spec [1] ( I know
that this doesn’t matter, just wanted to bring a real use case scenario).

 

WDYT might the “sub” be optional in some situation?

 

regards

 

antonio 

 

[0] http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07#section-3 

[1] https://developers.google.com/accounts/docs/OAuth2ServiceAccount


_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to