Re: [OAUTH-WG] The use of sub in POP-02
The second paragraph of https://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-03#section-3 now provides a more general description of ways that applications may choose to identify the presenter, including use of the "azp" (authorized party) claim.

-- Mike

From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Nat Sakimura
Sent: Monday, March 23, 2015 12:25 AM
To: oauth
Subject: [OAUTH-WG] The use of sub in POP-02

Re: https://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-02#section-3

I understand the use of sub in this section comes down from SAML, but I feel that some separation between sub and presenter would be nice.

For example, when I am presenting the token using an app that I installed on my iPhone, the presenter is that app and not me, while the sub still may be me. The app is the authorized presenter/party (azp) of the token.

So my proposal is to use a claim like "azp" instead of "sub" to identify the presenter. Less overload would cause less confusion later, IMHO.

--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en

___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
Re: [OAUTH-WG] The use of sub in POP-02
+1

The JWT may well be about the sub but presented by some software component that should be independently identified.

On Mon, Mar 23, 2015 at 2:25 AM, Nat Sakimura wrote:
> Re: https://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-02#section-3
>
> I understand the use of sub in this section comes down from SAML, but I feel that some separation between sub and presenter would be nice.
>
> For example, when I am presenting the token using an app that I installed on my iPhone, the presenter is that app and not me, while the sub still may be me. The app is the authorized presenter/party (azp) of the token.
>
> So my proposal is to use a claim like "azp" instead of "sub" to identify the presenter. Less overload would cause less confusion later, IMHO.
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
Re: [OAUTH-WG] The use of sub in POP-02
+1

Sounds reasonable to distinguish the software and the user.

On 23 March 2015 08:25:13 CET, Nat Sakimura wrote:
> Re: https://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-02#section-3
>
> I understand the use of sub in this section comes down from SAML, but I feel that some separation between sub and presenter would be nice.
>
> For example, when I am presenting the token using an app that I installed on my iPhone, the presenter is that app and not me, while the sub still may be me. The app is the authorized presenter/party (azp) of the token.
>
> So my proposal is to use a claim like "azp" instead of "sub" to identify the presenter. Less overload would cause less confusion later, IMHO.
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en

--
This message was sent from my Android mobile phone with K-9 Mail.
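The distinction the thread argues for, as an added worked example that is not part of the original messages or of the draft: a proof-of-possession JWT whose "sub" is the end user and whose "azp" is the app presenting it, with "cnf" naming the key the presenter must demonstrate possession of. The resource server verifies the authorization server's signature, then the possession proof, and returns the two identities separately so that authorization can treat the subject and the presenter differently. The HS256 signing, the key table, the issuer and audience URLs, the request-bound proof format and all identifiers are constructed for this example and are not what the draft specifies; the draft's "cnf" claim can carry the key in several forms, and only the "kid" reference form is used here.

```python
"""Added example (not from the thread or the draft): separating the token
subject ("sub") from the presenter ("azp") in a proof-of-possession JWT and
checking possession via "cnf". Keys, URLs and the proof format are constructed."""
import base64
import hashlib
import hmac
import json
import time

# Constructed keys: the AS signs tokens with AS_KEY; POP_KEYS is the table of
# proof-of-possession keys the resource server shares with each presenter.
AS_KEY = b"authorization-server-hs256-key-example"
POP_KEYS = {"pop-key-iphone-app-1": b"pop-key-held-only-by-the-iphone-app"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jws_hs256(payload: dict, key: bytes) -> str:
    """Minimal HS256 JWS in compact serialization, enough for the example."""
    parts = [b64url(json.dumps(o, separators=(",", ":")).encode())
             for o in ({"alg": "HS256", "typ": "JWT"}, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def jws_verify_hs256(token: str, key: bytes) -> dict:
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed JWT")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad AS signature")
    return json.loads(b64url_decode(p))


def issue_pop_token(subject: str, presenter: str, pop_kid: str, now: int) -> str:
    """AS side: 'sub' is the end user, 'azp' the software that will present the
    token, 'cnf' names the key that software must prove it holds."""
    claims = {
        "iss": "https://as.example",      # constructed issuer
        "aud": "https://rs.example",      # constructed resource server
        "sub": subject,
        "azp": presenter,
        "iat": now,
        "exp": now + 300,
        "cnf": {"kid": pop_kid},
    }
    return jws_hs256(claims, AS_KEY)


def present(token: str, pop_key: bytes, method: str, uri: str, nonce: str) -> dict:
    """Presenter side: bind the request to the PoP key with an HMAC over the
    token, method, URI and a server-supplied nonce (constructed proof format)."""
    msg = "\n".join([token, method, uri, nonce]).encode()
    return {"token": token, "method": method, "uri": uri, "nonce": nonce,
            "proof": b64url(hmac.new(pop_key, msg, hashlib.sha256).digest())}


def verify_presentation(req: dict, now: int) -> dict:
    """RS side: AS signature first, then possession, then hand back the subject
    and the presenter as two separate identities."""
    claims = jws_verify_hs256(req["token"], AS_KEY)
    if claims.get("aud") != "https://rs.example" or claims.get("exp", 0) <= now:
        raise ValueError("token not for this RS or expired")
    pop_key = POP_KEYS.get(claims.get("cnf", {}).get("kid"))
    if pop_key is None:
        raise ValueError("unknown PoP key")
    msg = "\n".join([req["token"], req["method"], req["uri"], req["nonce"]]).encode()
    expected = hmac.new(pop_key, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(req["proof"])):
        raise ValueError("proof of possession failed")
    # The token is *about* sub; it is *presented by* azp. Without azp the only
    # party the token names is sub, so that is what the RS falls back to.
    return {"subject": claims["sub"], "presenter": claims.get("azp", claims["sub"])}


def demo() -> dict:
    now = int(time.time())
    token = issue_pop_token("user:nat", "client:iphone-app-1", "pop-key-iphone-app-1", now)
    req = present(token, POP_KEYS["pop-key-iphone-app-1"], "GET", "/resource", "n-42")
    result = verify_presentation(req, now)
    # A party that captured the token but lacks the PoP key cannot present it.
    stolen = present(token, b"wrong-key", "GET", "/resource", "n-43")
    try:
        verify_presentation(stolen, now)
        result["replay_rejected"] = False
    except ValueError:
        result["replay_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The point of returning both identities is that an access decision can be made on "sub" (whose data is this) while audit, rate limiting or client allowlisting is applied to "presenter", which is what collapsing both into "sub" would make impossible.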