[OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & subject issue

[Hannes Tschofenig]

Hi all,

in preparing the shepherd write-up for draft-ietf-oauth-jwt-bearer-08 I
had to review our recent email conversations and the issue raised by
Antonio in
http://www.ietf.org/mail-archive/web/oauth/current/msg12520.html belong
to it.

The issue was that Section 3 of draft-ietf-oauth-jwt-bearer-08 says:
"
   2.   The JWT MUST contain a "sub" (subject) claim identifying the
        principal that is the subject of the JWT.  Two cases need to be
        differentiated:

        A.  For the authorization grant, the subject SHOULD identify an
            authorized accessor for whom the access token is being
            requested (typically the resource owner, or an authorized
            delegate).

        B.  For client authentication, the subject MUST be the
            "client_id" of the OAuth client.
"

Antonio pointed to the current Google API to illustrate that the subject
is not always needed. Here is the Google API documentation:
https://developers.google.com/accounts/docs/OAuth2ServiceAccount

The Google API used the client authentication part (rather than the
authorization grant), in my understanding.

I still believe that the subject field has to be included for client
authentication but I am not so sure anymore about the authorization
grant since I could very well imagine cases where the subject is not
needed for authorization decisions but also for privacy reasons.

I would therefore suggest to change the text as follows:

"
   2.   The JWT contains a "sub" (subject) claim identifying the
        principal that is the subject of the JWT.  Two cases need to be
        differentiated:

        A.  For the authorization grant, the subject claim MAY
            be included. If it is included it MUST identify the
            authorized accessor for whom the access token is being
            requested (typically the resource owner, or an authorized
            delegate). Reasons for not including the subject claim
            in the JWT are identity hiding (i.e., privacy protection
            of the identifier of the subject) and cases where
            the identifier of the subject is irrelevant for making
            an authorization decision by the resource server.

        B.  For client authentication, the subject MUST be the
            included in the JWT and the value MUST be populated
            with the "client_id" of the OAuth client.
"

What do you guys think?

Ciao
Hannes

signature.asc
Description: OpenPGP digital signature

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth