Re: [OAUTH-WG] JSON Web Token (JWT) Profile

Hannes Tschofenig <hannes.tschofenig@gmx.net> Tue, 11 March 2014 14:45 UTC

Message-ID: <531F1F72.8010805@gmx.net>
Date: Tue, 11 Mar 2014 15:36:34 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: Antonio Sanso <asanso@adobe.com>, "oauth@ietf.org" <oauth@ietf.org>
References: <3A1BC33F-1AE2-492F-BCE9-CCB9CF4C3C83@adobe.com>
In-Reply-To: <3A1BC33F-1AE2-492F-BCE9-CCB9CF4C3C83@adobe.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/GwuyCRXYAxF5NgViBFPrrsu0Vek

Hi Manfred, Hi Antonio,

Note that there are two documents that talk about the JWT and you guys
might be looking at the wrong document.

The main JWT document (see
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-18) defines
the subject claim as optional (see Section 4.1.2).

The JWT bearer assertion document (see
http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07) does indeed
define it as mandatory but that's intentional since the purpose of the
spec is to authenticate the client (or the resource owner for an
authorization grant).

The assertion documents are used for interworking with "legacy" identity
infrastructure (such as SAML federations).

So, are you sure you are indeed looking at the right document?

Ciao
Hannes


On 03/11/2014 03:13 PM, Antonio Sanso wrote:
> hi *,
> 
> JSON Web Token (JWT) Profile section 3 [0] explicitly says
> 
> The JWT MUST contain a "sub" (subject) claim 
> 
> 
> Now IMHO there are cases where having the sub is either not needed or
> redundant (since it might overlap with the issuer).
> 
> As far as I can see “even Google” currently violates this spec [1] ( I
> know that this doesn’t matter, just wanted to bring a real use case
> scenario).
> 
> WDYT, might the "sub" be optional in some situations?
> 
> regards
> 
> antonio 
> 
> [0] http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07#section-3
> [1] https://developers.google.com/accounts/docs/OAuth2ServiceAccount
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
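The distinction Hannes draws, that the base JWT spec leaves "sub" optional while the JWT bearer assertion profile makes it mandatory, is easy to see in a token endpoint's validation code. The following is an added example, not code from this thread or from either draft: a plain JWT check beside a bearer-assertion check that enforces the section 3 requirements (iss, sub, aud and exp present, aud naming this endpoint, sub equal to the client_id when the assertion authenticates a client). It signs with HS256 under a constructed demo secret so it runs offline; the endpoint URL and client_id values are assumptions, and a real deployment would normally verify an asymmetric signature with the key registered for the client. A token without "sub", like the one Antonio describes, passes the first check and fails the second.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret so the example runs offline. A real JWT bearer
# deployment would normally verify an asymmetric signature with the key
# registered for the client; the claim checks below are the same either way.
DEMO_KEY = b"constructed-demo-secret-not-for-production"


class InvalidAssertion(ValueError):
    """Raised when a token fails a signature, structure or claim check."""


def b64url_decode(s: str) -> bytes:
    # JWT uses unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_jwt(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint an HS256 JWT in compact serialization (helper for test data)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, key: bytes = DEMO_KEY, now: Optional[float] = None) -> dict:
    """Plain JWT validation: signature, pinned algorithm, exp/nbf windows.

    This is the base-spec view: "sub" is optional, so a verified token
    without it is accepted here.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidAssertion("compact serialization must have exactly three parts")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm the verifier expects rather than trusting the token's
    # own "alg" header; this also rejects "none" and key-type confusion.
    if header.get("alg") != "HS256":
        raise InvalidAssertion("unexpected alg %r" % header.get("alg"))
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise InvalidAssertion("signature does not verify")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise InvalidAssertion("payload is not a JSON object")
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise InvalidAssertion("token has expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise InvalidAssertion("token not yet valid")
    return claims


def verify_bearer_assertion(token: str, expected_aud: str,
                            expected_client_id: Optional[str] = None,
                            key: bytes = DEMO_KEY, now: Optional[float] = None) -> dict:
    """Validation for a JWT presented as a bearer assertion (jwt-bearer sec. 3).

    On top of the plain JWT checks, the profile makes iss, sub, aud and exp
    mandatory; aud must name this token endpoint, and when the assertion is
    used for client authentication, sub must be that client's client_id.
    """
    claims = verify_jwt(token, key, now)
    for required in ("iss", "sub", "aud", "exp"):
        if required not in claims:
            raise InvalidAssertion("missing required claim %r" % required)
    aud = claims["aud"]
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        raise InvalidAssertion("audience does not include this token endpoint")
    if expected_client_id is not None and claims["sub"] != expected_client_id:
        raise InvalidAssertion("sub does not match the authenticating client")
    return claims


if __name__ == "__main__":
    now = 1394548800  # constructed fixed clock (March 2014) for stable output
    endpoint = "https://as.example/token"  # assumed token endpoint URL
    full = make_jwt({"iss": "client-123", "sub": "client-123",
                     "aud": endpoint, "exp": now + 300})
    print("bearer assertion OK:", verify_bearer_assertion(full, endpoint, "client-123", now=now))
    no_sub = make_jwt({"iss": "client-123", "aud": endpoint, "exp": now + 300})
    print("plain JWT without sub OK:", verify_jwt(no_sub, now=now))
    try:
        verify_bearer_assertion(no_sub, endpoint, "client-123", now=now)
    except InvalidAssertion as e:
        print("rejected as bearer assertion:", e)
```

The two functions share the signature and time-window logic; only the profile-specific claim requirements differ, which is exactly the point of the thread: whether "sub" is required is a property of the profile the token is being validated against, not of JWT itself.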