hi Hannes, I am aware of the 2 documents,
I might be wrong but http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07 is also about Authorization Grant Processing (this is the part I do use in my implementation) and not only Client Authentication Processing.
Just my 0.02 $ but this seems to be a place where different implementers have the same issue :)

regards

antonio

On Mar 11, 2014, at 3:36 PM, Hannes Tschofenig <[email protected]> wrote:

> Hi Manfred, Hi Antonio,
>
> Note that there are two documents that talk about the JWT and you guys
> might be looking at the wrong document.
>
> The main JWT document (see
> http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-18) defines
> the subject claim as optional (see Section 4.1.2).
>
> The JWT bearer assertion document (see
> http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07) does indeed
> define it as mandatory but that's intentional since the purpose of the
> spec is to authenticate the client (or the resource owner for an
> authorization grant).
>
> The assertion documents are used for interworking with "legacy" identity
> infrastructure (such as SAML federations).
>
> So, are you sure you are indeed looking at the right document?
>
> Ciao
> Hannes
>
>
> On 03/11/2014 03:13 PM, Antonio Sanso wrote:
>> hi *,
>>
>> JSON Web Token (JWT) Profile section 3 [0] explicitly says
>>
>> The JWT MUST contain a "sub" (subject) claim
>>
>>
>> Now IMHO there are cases where having the sub is either not needed or
>> redundant (since it might overlap with the issuer).
>>
>> As far as I can see “even Google” currently violates this spec [1] (I
>> know that this doesn’t matter, just wanted to bring a real use case
>> scenario).
>>
>> WDYT might the “sub” be optional in some situation?
>>
>> regards
>>
>> antonio
>>
>> [0] http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07#section-3
>> [1] https://developers.google.com/accounts/docs/OAuth2ServiceAccount
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/oauth
>>
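The thread turns on which document an implementer is validating against: the core JWT draft leaves "sub" optional, while the JWT bearer assertion profile (section 3 of the draft Antonio cites) makes it mandatory. The following is an added example, not code from the thread or from either draft, showing a claim checker that applies the two profiles side by side and also flags the "sub equals iss" case Antonio calls redundant. Signature verification is deliberately out of scope; the sample tokens are constructed and unsigned (alg "none") purely so the example runs offline, and the list of other required claims for the bearer profile (iss, aud, exp) is the editor's assumption rather than something the thread states.

```python
"""Added example (not from the thread): check JWT claims against two
profiles -- the core JWT document, where "sub" is optional, and the JWT
bearer assertion profile, where "sub" is required.  No signature check is
done here; a real validator verifies the signature before trusting claims."""
import base64
import json
import time

# Assumption (editor's): the bearer profile requires these claims besides
# "sub"; the core JWT document makes every registered claim optional.
BEARER_REQUIRED = ("iss", "sub", "aud", "exp")
CORE_REQUIRED = ()


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def encode_unsigned(claims: dict) -> str:
    """Build a constructed, unsigned (alg=none) compact JWT for the examples."""
    header = {"alg": "none", "typ": "JWT"}
    segs = [json.dumps(header, separators=(",", ":")).encode(),
            json.dumps(claims, separators=(",", ":")).encode()]
    body = ".".join(base64.urlsafe_b64encode(s).rstrip(b"=").decode() for s in segs)
    return body + "."  # empty signature segment


def decode_claims(token: str) -> dict:
    """Split a compact JWT and return its payload (signature NOT verified)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWT must have three segments")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(claims: dict, *, profile: str, expected_aud: str, now=None) -> list:
    """Return a list of problems; an empty list means the claims pass the profile."""
    now = time.time() if now is None else now
    required = BEARER_REQUIRED if profile == "bearer" else CORE_REQUIRED
    problems = [f'missing required claim "{c}"' for c in required if c not in claims]
    if "exp" in claims and claims["exp"] <= now:
        problems.append("token expired")
    if "aud" in claims:
        aud = claims["aud"]
        auds = aud if isinstance(aud, list) else [aud]
        if expected_aud not in auds:
            problems.append("audience mismatch")
    return problems


def is_self_issued(claims: dict) -> bool:
    """True when "sub" merely repeats "iss" (the client-authentication case
    Antonio calls redundant); callers may want to log it, not reject it."""
    return "sub" in claims and claims.get("sub") == claims.get("iss")


# Constructed sample claims (placeholder names, not real endpoints).
AUD = "https://as.example.invalid/token"
NO_SUB = {"iss": "svc@example.invalid", "aud": AUD, "exp": 4102444800}
WITH_SUB = dict(NO_SUB, sub="svc@example.invalid")

if __name__ == "__main__":
    for name, claims in (("no sub", NO_SUB), ("with sub", WITH_SUB)):
        tok = decode_claims(encode_unsigned(claims))
        for profile in ("core", "bearer"):
            print(name, profile, check_claims(tok, profile=profile, expected_aud=AUD) or "ok")
        print(name, "self-issued:", is_self_issued(tok))
```

Running it shows the same token passing under the core profile and failing under the bearer profile solely for the missing "sub", which is exactly the disagreement the two draft documents create for an implementer.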
