[Openid-specs-ab] Issue #1247: `sub` or `op_sub`? (openid/connect)

Nat issues-reply at bitbucket.org
Wed Jun 16 06:38:59 UTC 2021


New issue 1247: `sub` or `op_sub`?
https://bitbucket.org/openid/connect/issues/1247/sub-or-op_sub

Nat Sakimura:

Line 540 says: 

 `1. MUST contain *sub* claim that is set to the *uid* claim value if it was in the request;`


Maybe it should be `op_sub` or something instead. Current OIDC Core 1.0 states in 5.6.2:

> The JWT SHOULD NOT contain a `sub` (subject) Claim unless its value is an identifier for the End-User at the Claims Provider (and not for the OpenID Provider or another party); this typically means that a `sub` Claim SHOULD NOT be provided.

Just omitting `sub`, as this text does, is however a bit problematic: the JWT is a statement about a subject, and without it the flow can be prone to a token swap attack, e.g., a malicious SIOP user using a JWT that describes somebody else.
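The binding check Nat is asking for, written out as an added example (not code from the issue or from the spec): a verifier that accepts an aggregated claim set only if it is signed and its `sub` equals the `uid` named in the request, so a claims JWT describing somebody else is refused. The HS256 demo key, the `check_claims_jwt` / `accept_aggregated_claims` names and the sample tokens are all constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key standing in for the Claims Provider's signing key; a real
# verifier resolves that key from the provider's published metadata.
CLAIMS_PROVIDER_SECRET = b"constructed-demo-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_claims_jwt(payload: dict) -> str:
    """Build a compact JWS the way a Claims Provider would (HS256, demo key)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(CLAIMS_PROVIDER_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def check_claims_jwt(token: str, expected_sub: str) -> tuple[bool, str, dict]:
    """Verify the signature, then require `sub` to equal the subject named in the
    request (the `uid` value). Returns (accepted, reason, claims)."""
    header, body, sig = token.split(".")
    expected = hmac.new(CLAIMS_PROVIDER_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "signature does not verify", {}
    claims = json.loads(_b64url_decode(body))
    # Without `sub` the claim set does not say whom it describes, so it could be
    # any subject's token replayed by the SIOP user: reject rather than guess.
    if "sub" not in claims:
        return False, "claim set carries no sub", claims
    if claims["sub"] != expected_sub:
        return False, "sub names a different subject (token swap)", claims
    return True, "ok", claims

def accept_aggregated_claims(id_token: dict, request_uid: str) -> dict:
    """Resolve each name in _claim_names via _claim_sources and keep only claims
    from claim sets that are signed and bound to request_uid."""
    verified = {}
    for name, source in id_token.get("_claim_names", {}).items():
        jwt = id_token["_claim_sources"][source]["JWT"]
        ok, _reason, claims = check_claims_jwt(jwt, request_uid)
        if ok and name in claims:
            verified[name] = claims[name]
    return verified
```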


**Tobias Looker**

2021-06-09

In general I think this constraint is only one way to suitably bind a claim set to the OP presenting it. I would expect to see this constraint relaxed over time as we get into more details around different approaches to binding; for instance W3C VCs and mDLs tend to opt for a model that leverages cryptography to bind the claim set (credential) to the OP (holder).


**Nat Sakimura**

5 days ago

@{557058:8f0db39c-8807-4c20-8466-25be0b9dadc2} Indeed. This is what I want your subsequent PRs to address. This is just the placeholder for the expansion.


