Sorry for coming late in the game, but I really think that the "sub" claim should be OPTIONAL instead of REQUIRED.

We are implementing OAuth 2.0 for the Norwegian health sector, where we have several resources in production already. I don't think the "sub" claim should have different meaning depending on the flow - we would prefer to omit the sub claim in cases where the resource owner isn't present. This is not possible with the current language. We would like to be able to choose if and how we use the "sub" - the "client_id" claim will always be present.

Regards
Steinar

On Wed, 13 May 2020 at 16:07, Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com> wrote:

> All,
>
> Based on the 3rd WGLC, we believe that we have consensus to move this
> document forward.
> https://datatracker.ietf.org/doc/draft-ietf-oauth-access-token-jwt/
>
> We will be working on the shepherd write-up and then submit the document
> to the IESG soon.
>
> Regards,
> Rifaat & Hannes
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

--
Kind regards
Steinar Noem
Partner Udelt AS
System developer

| stei...@udelt.no | h...@udelt.no | +47 955 21 620 | www.udelt.no |