`sub` or `op_sub`?
Line 540 says:
1. MUST contain *sub* claim that is set to the *uid* claim value if it was in the request;
Maybe it should be op_sub or something instead. Current OIDC Core 1.0 states in 5.6.2:
The JWT SHOULD NOT contain a sub (subject) Claim unless its value is an identifier for the End-User at the Claims Provider (and not for the OpenID Provider or another party); this typically means that a sub Claim SHOULD NOT be provided.
Just omitting sub like this text does, however, is a bit problematic, as it is a statement about a subject and without it, it can be prone to a token swap attack, e.g., a malicious SIOP user using a JWT that describes somebody else.
Tobias Looker
2021-06-09
In general I think this constraint is only one way to suitably bind a claim set to the OP presenting it. I would expect to see this constraint relaxed over time as we get into more detail around different approaches to binding; for instance, W3C VCs and mDLs tend to opt for a model that leverages cryptography to bind the claim set (credential) to the OP (holder).
Nat Sakimura
5 days ago
@Tobias Looker Indeed. This is what I want your subsequent PRs to address. This is just the placeholder for the expansion.