The second paragraph of
https://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-03#section-3
now provides a more general description of ways that applications may choose to
identify the presenter, including use of the “azp” (authorized party) claim.
-- Mike
From: OAuth [mailto:[email protected]] On Behalf Of Nat Sakimura
Sent: Monday, March 23, 2015 12:25 AM
To: oauth
Subject: [OAUTH-WG] The use of sub in POP-02
Re:
https://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-02#section-3
I understand the use of sub in this section comes down from SAML but I feel
that some separation between sub and presenter would be nice.
For example, when I am presenting the token using an app that I installed on my
iPhone, the presenter is that app and not me, while the sub still may be me.
The app is the authorized presenter/party (azp) of the token.
So my proposal is to use a claim like "azp" instead of "sub" to identify the
presenter. Less overload would cause less confusion later, IMHO.
--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
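The sub/presenter separation discussed in this thread, as an added example that is not part of either message or of the draft: a recipient compares the party that proved possession against "azp" when the token carries it, and falls back to "sub" only when it does not. The function names, the `as.example` issuer and the identifiers `nat` and `iphone-app` are constructed for illustration, and the sketch assumes signature validation and the proof-of-possession check have already succeeded.

```python
import base64
import json

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def jwt_claims(compact: str) -> dict:
    """Claims of a compact JWT. Assumes the signature was already verified."""
    _header, payload, _signature = compact.split(".")
    padded = payload + "=" * (-len(payload) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(padded))

def presenter_id(claims: dict) -> str:
    """azp names the presenter when present; otherwise fall back to sub."""
    presenter = claims.get("azp", claims.get("sub"))
    if not isinstance(presenter, str) or not presenter:
        raise ValueError("token does not identify a presenter")
    return presenter

def check_presentation(compact: str, authenticated_party: str) -> dict:
    """Compare the party that proved possession with the token's presenter."""
    claims = jwt_claims(compact)
    presenter = presenter_id(claims)
    return {"subject": claims.get("sub"), "presenter": presenter,
            "accepted": authenticated_party == presenter}

def sample_token(claims: dict) -> str:
    """Constructed sample: real header and payload encoding, dummy signature."""
    header = _b64url(json.dumps({"alg": "ES256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.constructed-signature"

# Constructed tokens: one issued to an app acting for a user, one with sub only.
APP_TOKEN = sample_token({"iss": "https://as.example", "sub": "nat", "azp": "iphone-app"})
SUB_ONLY_TOKEN = sample_token({"iss": "https://as.example", "sub": "nat"})

if __name__ == "__main__":
    print(check_presentation(APP_TOKEN, "iphone-app"))  # app presents for nat
    print(check_presentation(APP_TOKEN, "nat"))          # subject is not the presenter
    print(check_presentation(SUB_ONLY_TOKEN, "nat"))     # no azp: sub is the presenter
```
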