Hi Manfred, Hi Antonio,

Note that there are two documents that talk about the JWT and you guys might be looking at the wrong document.

The main JWT document (see http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-18) defines the subject claim as optional (see Section 4.1.2). The JWT bearer assertion document (see http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07) does indeed define it as mandatory, but that's intentional since the purpose of the spec is to authenticate the client (or the resource owner for an authorization grant). The assertion documents are used for interworking with "legacy" identity infrastructure (such as SAML federations).

So, are you sure you are indeed looking at the right document?

Ciao
Hannes

On 03/11/2014 03:13 PM, Antonio Sanso wrote:
> hi *,
>
> JSON Web Token (JWT) Profile section 3 [0] explicitly says
>
> The JWT MUST contain a "sub" (subject) claim
>
> Now IMHO there are cases where having the sub is either not needed or
> redundant (since it might overlap with the issuer).
>
> As far as I can see “even Google” currently violates this spec [1] (I
> know that this doesn’t matter, just wanted to bring a real use case
> scenario).
>
> WDYT might the “sub” be optional in some situation?
>
> regards
>
> antonio
>
> [0] http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07#section-3
> [1] https://developers.google.com/accounts/docs/OAuth2ServiceAccount
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
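As an added illustration (not part of either message above), a small Python check that applies the two claim rules the thread distinguishes: under the JWT draft no registered claim is mandatory, while under the bearer profile's Section 3 an assertion must carry iss, sub, aud and exp. The claim sets, issuer and audience values are constructed for the demo; signature verification, which the bearer profile also requires, is a separate step not shown here.

```python
import base64
import json

# draft-ietf-oauth-json-web-token-18: every registered claim is OPTIONAL.
JWT_REQUIRED = frozenset()
# draft-ietf-oauth-jwt-bearer-07, Section 3: an assertion used for client
# authentication or as an authorization grant MUST carry these four claims.
BEARER_REQUIRED = frozenset({"iss", "sub", "aud", "exp"})


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment, as JWT segments are encoded."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the claim set of a compact JWS. The signature is NOT verified
    here; a bearer assertion must be signed and checked before use."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS with three segments")
    return json.loads(b64url_decode(parts[1]))


def missing_claims(claims: dict, profile: str) -> set:
    """Mandatory claims absent under 'jwt' (plain JWT) or 'bearer' rules."""
    required = BEARER_REQUIRED if profile == "bearer" else JWT_REQUIRED
    return set(required) - set(claims)


def check_bearer_assertion(claims: dict, expected_aud: str, now: int) -> list:
    """Problems that make a claim set unacceptable as a JWT bearer assertion."""
    problems = [f"missing {c}" for c in sorted(missing_claims(claims, "bearer"))]
    aud = claims.get("aud")
    aud_values = aud if isinstance(aud, list) else [aud]
    if aud is not None and expected_aud not in aud_values:
        problems.append("aud does not name this authorization server")
    if "exp" in claims and claims["exp"] <= now:
        problems.append("assertion expired")
    return problems


def encode_unsigned(claims: dict) -> str:
    """Constructed demo token: header + claims + placeholder signature
    segment, so jwt_claims() can be exercised without a signing key."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.SIGNATURE_PLACEHOLDER"
```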