[OAUTH-WG] JSON Web Token (JWT) Profile

Antonio Sanso <asanso@adobe.com> Tue, 11 March 2014 14:13 UTC

Message-ID: <3A1BC33F-1AE2-492F-BCE9-CCB9CF4C3C83@adobe.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/FWXA1-aLWmZcBYTUjBeetNNasB8

hi *,

JSON Web Token (JWT) Profile section 3 [0] explicitly says

The JWT MUST contain a "sub" (subject) claim

Now IMHO there are cases where having the sub is either not needed or redundant (since it might overlap with the issuer).

As far as I can see “even Google” currently violates this spec [1] (I know that this doesn’t matter, just wanted to bring a real use case scenario).

WDYT, might the “sub” be optional in some situations?

regards

antonio

[0] http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07#section-3
[1] https://developers.google.com/accounts/docs/OAuth2ServiceAccount
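The point under discussion is what an authorization server's assertion check does with a JWT that has no "sub", and with one where "sub" merely repeats "iss". The following validator is an added example written for this archive page; it is not code from the post, from Google, or from the draft. It assumes the required-claim set that RFC 7523 section 3 (the published form of this draft) settled on: "iss", "sub", "aud" and "exp" mandatory, everything else optional. For brevity it uses HS256 with a constructed shared secret rather than the asymmetric keys a real deployment would use; key, audience, client names and timestamps are all constructed values. The `sub_required` switch exists only so the two cases raised in the post can be run side by side.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Claims a client assertion must carry. Assumption: the claim set of
# RFC 7523 section 3; the post itself only quotes the "sub" requirement.
REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp")


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as JWS uses it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding base64 needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Build a compact JWS (HS256) over a claim set. Used only to construct test input."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_bearer_assertion(token: str, key: bytes, expected_aud: str,
                              now: Optional[float] = None,
                              sub_required: bool = True) -> Tuple[bool, str]:
    """Return (ok, reason) for a JWT client assertion.

    Order matters: the MAC is checked before any claim is read, the algorithm is
    pinned rather than taken from the token, and only then are the required
    claims, the audience and the expiry examined.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "not a compact JWS"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed header"
    # Accept exactly the algorithm this server was configured for; "alg" in the
    # token is attacker-controlled and must never select the verification path.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, sig):
        return False, "bad signature"
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return False, "malformed payload"
    if not isinstance(claims, dict):
        return False, "malformed payload"
    required = REQUIRED_CLAIMS if sub_required else tuple(c for c in REQUIRED_CLAIMS if c != "sub")
    missing = [c for c in required if c not in claims]
    if missing:
        return False, "missing claims: " + ",".join(missing)
    aud = claims["aud"]
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:
        return False, "audience mismatch"
    if not isinstance(claims["exp"], (int, float)) or now >= claims["exp"]:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed values: a shared secret, a token endpoint acting as audience,
    # and a clock fixed near the date of the post.
    key = b"constructed-shared-secret"
    aud = "https://as.example/token"
    now = 1394546000
    # "sub" repeats "iss": the redundant case the post describes; still valid.
    redundant = make_hs256_jwt({"iss": "client-1", "sub": "client-1", "aud": aud, "exp": now + 300}, key)
    # No "sub" at all: rejected as the draft is written, accepted if "sub" were optional.
    no_sub = make_hs256_jwt({"iss": "client-1", "aud": aud, "exp": now + 300}, key)
    print("sub == iss        :", validate_bearer_assertion(redundant, key, aud, now=now))
    print("no sub, per draft :", validate_bearer_assertion(no_sub, key, aud, now=now))
    print("no sub, optional  :", validate_bearer_assertion(no_sub, key, aud, now=now, sub_required=False))
```

Whatever the working group decides about "sub", the parts of the check that matter for security are the ones before the claim inspection: the signature is verified over the exact encoded header and payload, the algorithm is fixed server-side, and the audience is compared against this server's own identifier so an assertion minted for one token endpoint cannot be replayed at another.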