Re: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-04-13

Denis <> Mon, 13 April 2020 15:15 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id EE20E3A1752 for <>; Mon, 13 Apr 2020 08:15:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.498
X-Spam-Status: No, score=-1.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.398, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id YmUd-PtR-LZc for <>; Mon, 13 Apr 2020 08:15:30 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0E8943A17B2 for <>; Mon, 13 Apr 2020 08:15:23 -0700 (PDT)
Received: from [] ([]) by mwinf5d89 with ME id SFFH220084FMSmm03FFHlc; Mon, 13 Apr 2020 17:15:18 +0200
X-ME-Helo: []
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Mon, 13 Apr 2020 17:15:18 +0200
References: <> <> <>
From: Denis <>
Message-ID: <>
Date: Mon, 13 Apr 2020 17:15:16 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.6.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------DDBFB801289E5E6826556362"
Content-Language: en-GB
Archived-At: <>
Subject: Re: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-04-13
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 13 Apr 2020 15:15:32 -0000


More on privacy about "JWT Profile for Access Tokens".

The current document REQUIRES the claim names *sub* and *client_id*.

  * sub  REQUIRED - as defined in section 4.1.2 of [RFC7519].
  * client_id  REQUIRED - as defined in section 4.3 of [RFC8693]

*1) **sub  REQUIRED*

RFC 7519 states:

    4.1.2.  "sub" (Subject) Claim
        The "sub" (subject) claim identifies the principal that is the
        subject of the JWT.  The claims in a JWT are normally statements
        about the subject.  The subject value MUST either be scoped to**
    *be locally unique in the context of the issuer or be globally unique*.
        The processing of this claim is generally application specific.  The
        "sub" value is a case-sensitive string containing a StringOrURI
        value. *Use of this claim is OPTIONAL.*

If *sub *is *REQUIRED *for this profile, then this allows all resource 
servers to link accesses made by the same client on different servers.

*2) client_id  REQUIRED*

RFC 8693 states:

    4.3. "client_id" (Client Identifier) Claim
    The client_id claim carries the client identifier of the OAuth 2.0
    [RFC 6749] client that requested the token.

RFC 6749 states:

    2.2.  Client Identifier
        The authorization server issues the registered client a client
        identifier -- a unique string representing the registration
        information provided by the client.  The client identifier is not a
        secret; it is exposed to the resource owner and MUST NOT be used
        alone for client authentication. *The client identifier is
    unique to**
    **   the authorization server.*

If *client_id* is REQUIRED for this profile, this also allows all 
resource servers to link accesses made by the same client on different 

*Both claim names should be OPTIONAL *to allow to support the privacy 
principle of unlinkability.

Would both names remain *REQUIRED*, the Privacy considerations section 
should mention that such a linkage by different resource servers
will always be possible when using this profile.


> I have uploaded the second presentation for today's session, the JWT 
> Profile for Access Tokens.
> Regards,
>  Rifaat