`sub` or `op_sub`?

Issue #1247 new
Nat Sakimura created an issue

Line 540 says:

1. MUST contain *sub* claim that is set to the *uid* claim value if it was in the request;

Maybe it should be op_sub or something instead. Current OIDC Core 1.0 states in 5.6.2:

The JWT SHOULD NOT contain a sub (subject) Claim unless its value is an identifier for the End-User at the Claims Provider (and not for the OpenID Provider or another party); this typically means that a sub Claim SHOULD NOT be provided.

Just omitting sub like this text, however, is a bit problematic, as it is a statement about a subject, and without it, it can be prone to a token swap attack, e.g., a malicious SIOP user using a JWT that describes somebody else.
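As an added illustration of the binding concern raised above (example code, not part of the issue or of the OIDC specification), a verifier that accepts a claims JWT only if it carries a `sub` matching the subject it is presented for; the HS256 signing and the shared key are constructed for the example, whereas a real Claims Provider would be verified against its published keys.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real verifier uses the Claims Provider's key from its JWKS.
CLAIMS_PROVIDER_KEY = b"constructed-shared-secret-for-demo"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_claims_jwt(payload: dict, key: bytes = CLAIMS_PROVIDER_KEY) -> str:
    """Constructed issuer side: HS256-sign a claim set so the example is self-contained."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_aggregated_claims(jwt: str, expected_sub: str, key: bytes = CLAIMS_PROVIDER_KEY) -> dict:
    """Check the signature, then require a `sub` equal to the subject the token is presented for."""
    try:
        header, body, sig = jwt.split(".")
    except ValueError:
        raise ValueError("malformed JWT")
    # Pin the algorithm: the header is attacker-controlled input, not a trusted hint.
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    # The point of the issue: a validly signed claim set with no subject binding is
    # indistinguishable from one the presenter obtained about somebody else.
    if "sub" not in claims:
        raise ValueError("claim set carries no sub; cannot bind it to the presenting subject")
    if not hmac.compare_digest(str(claims["sub"]).encode(), expected_sub.encode()):
        raise ValueError("sub mismatch: claim set describes a different subject")
    return claims


def accepts(jwt: str, expected_sub: str) -> bool:
    """Convenience wrapper: True if the claim set is accepted for expected_sub."""
    try:
        verify_aggregated_claims(jwt, expected_sub)
        return True
    except ValueError:
        return False
```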

Tobias Looker

2021-06-09

In general I think this constraint is only one way to suitably bind a claim set to the OP presenting it. I would expect to see this constraint relaxed over time as we get into more details around different approaches to binding; for instance, W3C VC’s and mDL’s tend to opt for a model that leverages cryptography to bind the claim set (credential) to the OP (holder).

Nat Sakimura

5 days ago

@Tobias Looker Indeed. This is what I want your subsequent PRs to address. This is just the placeholder for the expansion.
