[Openid-specs-ab] siopv2 sub claim format

Jeremie Miller jmiller at pingidentity.com
Fri Dec 9 01:08:40 UTC 2022


I think the text in 12.1 is just unclear, I believe it is referring to the
values of the metadata parameter `subject_syntax_types_supported`. When the
subject syntax type is "urn:ietf:params:oauth:jwk-thumbprint" then "sub":
"NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs" is allowed, at least in the
current implementers draft.

That said, I'm wondering if there are some updates likely to happen that will
change this and make all the references to and examples of thumbprints use
the more formal jwk-thumbprint urn prefix for the sub value so that it is
always required to be a URI. (cc @kristina)

Jer



On Thu, Dec 8, 2022 at 1:43 AM Nikos Fotiou via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> Hi,
>
> In siop v2 (
> https://openid.net/specs/openid-connect-self-issued-v2-1_0.html#name-self-issued-id-token)
> when it comes to the “self-issued ID Token” section 12 says:
>
> “sub[…]When Subject Syntax Type is JWK Thumbprint, the value is the
> base64url encoded representation of the thumbprint of the key in the
> sub_jwk Claim”
>
> Then, an example follows where the “sub” claim is indeed a base64url
> encoded representation of key thumbprint. However, in section 12.1 the text
> says:
>
> “The RP MUST identify which Subject Syntax Type is used based on the URI
> of the sub Claim. Valid values defined in this specification are
> urn:ietf:params:oauth:jwk-thumbprint for JWK Thumbprint Subject Syntax Type
> and did: for Decentralized Identifier Subject Syntax Type”
>
> This confuses me. Which of the following is the correct syntax for the sub
> claim when Subject Syntax Type is JWK Thumbprint:
>
> "sub": "NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs",
>
> Or
>
> "sub":
> "urn:ietf:params:oauth:jwk-thumbprint:NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs",
>
> Best,
>
> Nikos
>
> --------
>
> Nikos Fotiou - https://www.fotiou.gr
> Researcher - Mobile Multimedia Laboratory
> Athens University of Economics and Business
> https://mm.aueb.gr

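The thread turns on how an RP should compare the `sub` value against the key carried in `sub_jwk`. The following is an added example, not code from the OpenID specifications or from either poster: it computes the RFC 7638 JWK thumbprint of the RFC 7638 example RSA key (whose thumbprint is the `NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs` value quoted above) and checks the binding for both candidate `sub` forms. Accepting both the bare form (section 12 text) and the `urn:ietf:params:oauth:jwk-thumbprint:` prefixed form (section 12.1 reading) is an assumption made for illustration, matching Jer's remark that the bare form is what the current implementers draft allows; the function and claim names other than `sub` and `sub_jwk` are invented here.

```python
import base64
import hashlib
import hmac
import json

JWK_THUMBPRINT_URN = "urn:ietf:params:oauth:jwk-thumbprint"

# RFC 7638 section 3: only these members feed the thumbprint, in lexicographic order.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),  # RFC 8037 applies the same rule to OKP keys
}


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members serialised as
    compact JSON with sorted keys and no whitespace, then base64url."""
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported kty: {kty!r}")
    try:
        members = {k: jwk[k] for k in REQUIRED_MEMBERS[kty]}
    except KeyError as exc:
        raise ValueError(f"sub_jwk is missing required member {exc}") from None
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def classify_sub(sub: str):
    """Return (subject_syntax_type, form, value) for a sub claim.
    'did:' values are DIDs; the URN-prefixed and bare forms are both treated
    as JWK Thumbprint (assumption for this example, see the thread)."""
    if sub.startswith("did:"):
        return ("did", "uri", sub)
    prefix = JWK_THUMBPRINT_URN + ":"
    if sub.startswith(prefix):
        return ("jwk-thumbprint", "urn", sub[len(prefix):])
    return ("jwk-thumbprint", "bare", sub)


def verify_sub_binding(claims: dict):
    """RP-side check that sub is the thumbprint of sub_jwk.
    Returns the sub form ('bare' or 'urn') on success, None on mismatch
    or when the subject syntax type is not JWK Thumbprint."""
    syntax, form, value = classify_sub(claims["sub"])
    if syntax != "jwk-thumbprint":
        return None  # DID subjects are resolved by other means; out of scope here
    expected = jwk_thumbprint(claims["sub_jwk"])
    return form if hmac.compare_digest(value, expected) else None


# The RFC 7638 section 3.1 example key; the RFC gives its thumbprint as
# NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs, the value quoted in the thread.
RFC7638_KEY = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "e": "AQAB",
    "alg": "RS256",   # ignored by the thumbprint, as RFC 7638 requires
    "kid": "2011-04-29",
}

# Constructed claim sets showing the two forms from the question.
TOKEN_BARE = {"sub": jwk_thumbprint(RFC7638_KEY), "sub_jwk": RFC7638_KEY}
TOKEN_URN = {"sub": f"{JWK_THUMBPRINT_URN}:{jwk_thumbprint(RFC7638_KEY)}",
             "sub_jwk": RFC7638_KEY}

if __name__ == "__main__":
    print("thumbprint:", jwk_thumbprint(RFC7638_KEY))
    print("bare form accepted as:", verify_sub_binding(TOKEN_BARE))
    print("urn form accepted as:", verify_sub_binding(TOKEN_URN))
```

Whichever form the final text settles on, the security property an RP needs is the last line of `verify_sub_binding`: the thumbprint recomputed from `sub_jwk` must equal the thumbprint carried in `sub`, so that the key which signed the token is the one the subject identifier names. Note that `alg` and `kid` are deliberately excluded from the hash input; including them would change the thumbprint and break interoperability with other RFC 7638 implementations.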