+1 The JWT may well be about the sub but presented by some software component that should be independently identified.

On Mon, Mar 23, 2015 at 2:25 AM, Nat Sakimura <sakim...@gmail.com> wrote:
> Re:
> https://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-02#section-3
>
> I understand the use of sub in this section comes down from SAML but I
> feel that some separation between sub and presenter would be nice.
>
> For example, when I am presenting the token using an app that I installed
> on my iPhone, the presenter is that app and not me, while the sub still may
> be me. The app is the authorized presenter/party (azp) of the token.
>
> So my proposal is to use a claim like "azp" instead of "sub" to identify
> the presenter. Less overload would cause less confusion later, IMHO.
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth