> the AS could issue the 'sub' value as "urn:anonymous:<large random number>"
> and create a new value with every token that is issued
But in those cases it would be better to omit "sub", instead of sending a per-token value (we have "jti" as a per-token id). That at least avoids other parties misinterpreting these unusual "sub"s as long-term ids (and, for example, creating persistent user entries for each one).

-- James Manger
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
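Added example, not part of the original message or of any OAuth implementation: a sketch of the failure mode discussed above, where a relying party that provisions a user record on first sight of a "sub" ends up with one persistent entry per token. The `ResourceServer` class, the issuer helpers and the claim dictionaries are hypothetical, and the claims are assumed to come from tokens whose signature and expiry were already validated.

```python
import secrets


class ResourceServer:
    """Hypothetical relying party with just-in-time user provisioning."""

    def __init__(self):
        self.users = {}        # sub -> persistent profile (long-term state)
        self.seen_jti = set()  # per-token ids, used only for replay detection

    def accept(self, claims):
        """Process already-validated claims; return the long-term id or None."""
        jti = claims["jti"]
        if jti in self.seen_jti:
            raise ValueError("replayed token")
        # A real deployment would expire entries once the token's exp passes.
        self.seen_jti.add(jti)

        sub = claims.get("sub")
        if sub is None:
            # No subject asserted: anonymous request, nothing to persist.
            return None
        # Any "sub" present is taken as a stable identifier and provisioned.
        self.users.setdefault(sub, {"first_jti": jti})
        return sub


def issue_per_token_sub():
    """Constructed claims: the AS mints a fresh anonymous 'sub' for every token."""
    return {"jti": secrets.token_hex(8),
            "sub": "urn:anonymous:" + secrets.token_hex(16)}


def issue_without_sub():
    """Constructed claims: the AS omits 'sub' and relies on 'jti' alone."""
    return {"jti": secrets.token_hex(8)}


def provisioned_after(issuer, n):
    """Count persistent user entries after the server accepts n tokens."""
    rs = ResourceServer()
    for _ in range(n):
        rs.accept(issuer())
    return len(rs.users)


if __name__ == "__main__":
    print("per-token sub:", provisioned_after(issue_per_token_sub, 100))
    print("sub omitted:  ", provisioned_after(issue_without_sub, 100))
```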