sub
Registry Context
`sub` identifies the principal that is the subject of a JWT. Its value is a case-sensitive string that must be locally unique within the issuer's context or globally unique. RFC 9101 registers `sub` for use in OAuth authorization requests, including as a JWT claim in a Request Object.
Technical Summary
RFC 7519 defines `sub` as an optional, case-sensitive StringOrURI value identifying the JWT subject. RFC 9101 registers it in the OAuth Parameters registry with an authorization request usage location. In a Request Object, authorization request parameters are represented as JWT claims; parameter names and string values must be JSON strings encoded using UTF-8.
When Used
When a JWT, including an OAuth Request Object, identifies the principal that is its subject.
Normative Requirements
Requests
RFC 9101 - Section 4
include all parameters used to process the OAuth authorization request except `request` and `request_uri`..
Condition: when constructing a Request Object, including when `sub` is used to process the authorization request.
It MUST contain all the parameters (including extension parameters) used to process the OAuth 2.0 authorization request except the request and request_uri parameters.
RFC 9101 - Section 4
include parameter names and string values as JSON strings..
Condition: when representing authorization request parameters as JWT claims in a Request Object.
Parameter names and string values MUST be included as JSON strings.
RFC 9101 - Section 4
encode parameter names and string values represented as JSON strings using UTF-8..
Condition: when encoding a Request Object.
these JSON strings MUST be encoded using UTF-8
Unspecified actor
RFC 7519 - Section 4.1.2
use the `sub` claim..
Condition: when creating or processing a JWT.
Use of this claim is OPTIONAL.
JWT producers
RFC 7519 - Section 4.1.2
scope the subject value so that it is locally unique within the issuer context or globally unique..
Condition: when including the `sub` claim in a JWT.
The subject value MUST either be scoped to be locally unique in the context of the issuer or be globally unique.
Validation Guidance
Verify that a `sub` value is locally unique within the issuer context or globally unique.
Do not require `sub` to be present solely because an object is a JWT or Request Object.
Verify that `sub` is a case-sensitive JSON string containing a StringOrURI value.
When `sub` is used to process an authorization request represented by a Request Object, verify that it is included in that Request Object.
Verify that Request Object JSON strings, including a string-valued `sub`, are encoded using UTF-8.
Reference
Details
- Entry Id
sub- Name
sub- Parameter Usage Location
authorization request- Change Controller
IETF- Reference
RFC7519 - Section 4.1.2, RFC9101