Re: [OAUTH-WG] JSON Web Token (JWT) Profile

"Manfred Steyer" <> Tue, 11 March 2014 14:27 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id B1F551A0738 for <>; Tue, 11 Mar 2014 07:27:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.446
X-Spam-Status: No, score=-2.446 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id EHAYfCqaDE_u for <>; Tue, 11 Mar 2014 07:27:04 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id C9A801A0736 for <>; Tue, 11 Mar 2014 07:27:02 -0700 (PDT)
Received: from IWINB07 ([]) by (mrgmx001) with ESMTPSA (Nemesis) id 0MFLhE-1WQh1X2bVk-00EQ3o for <>; Tue, 11 Mar 2014 15:26:55 +0100
From: Manfred Steyer <>
References: <>
In-Reply-To: <>
Date: Tue, 11 Mar 2014 15:26:54 +0100
Message-ID: <009501cf3d35$f4257410$dc705c30$>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0096_01CF3D3E.55EF3340"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQMQvuGC6nCHESWBhgEiO0rGzvkC2phY7aIw
Content-Language: de
X-Provags-ID: V03:K0:VZNqDmovIAaVmxgdj1Q6O4AOTPBd+JAFkkqJxcJunhjC70WtbLw /SdAZn+EqTVN3Toa/A/Mqgb1j1dUCMU0zm1OnQiX+vpE1h+oWuhQezYIWPbiO26s3wgGiJF 9euq46F4rJ6cUuZzAkohyEpw0NAWJbG8ox3tu78pzGlCwKlbfmLS0RJsUVqYP9Rien6UUol JrwV3lP/RiuxWXpz1ZEZQ==
Subject: Re: [OAUTH-WG] JSON Web Token (JWT) Profile
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 11 Mar 2014 14:27:08 -0000

Hi Antonio,


some time ago, I wrote about the same issue, but – unfortunately – didn’t
get an answer. I place my thoughts about this at the end of this mail.










the draft about the


JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants [1]




„The JWT MUST contain a "sub" (subject) claim identifying theprincipal that
is the subject of the JWT.  Two cases need to be differentiated:


        A.  For the authorization grant, the subject SHOULD identify an

            authorized accessor for whom the access token is being

            requested (typically the resource owner, or an authorized



        B.  For client authentication, the subject MUST be the

            "client_id" of the OAuth client.“



I’m not sure, if this makes sense, cause in an federation-scenario the
original jwt is issued in an other security-domain and the auth-server in
question does not necessarily know the users in thouse domain. Furthermore,
it is very likely that the auth-server is not interested in the subject
claim, but just in other incoming claims in view of mapping them to outgoing
ones. IMHO, all the auth-server can do with the subject-claim is to create a
protocol entry that says that some action was performed for this subject.


Do I see that right?








Von: OAuth [] Im Auftrag von Antonio Sanso
Gesendet: Dienstag, 11. März 2014 15:14
Betreff: [OAUTH-WG] JSON Web Token (JWT) Profile


hi *,


JSON Web Token (JWT) Profile section 3 [0] explicitely says 


The JWT MUST contain a "sub" (subject) claim 


Now IMHO there are cases where having the sub is either not needed or
redundant (since it might overlap with the issuer).\


As far as I can see “even Google” currently violates this spec [1] ( I know
that this doesn’t matter, just wanted to bring a real use case scenario).


WDYT might the “sub” be optional in some situation?