oauth2.dev

sub

IETF

Registry Context

`sub` identifies the principal that is the subject of a JWT. Its value is a case-sensitive string that must be locally unique within the issuer's context or globally unique. RFC 9101 registers `sub` for use in OAuth authorization requests, including as a JWT claim in a Request Object.

Technical Summary

RFC 7519 defines `sub` as an optional, case-sensitive StringOrURI value identifying the JWT subject. RFC 9101 registers it in the OAuth Parameters registry with an authorization request usage location. In a Request Object, authorization request parameters are represented as JWT claims; parameter names and string values must be JSON strings encoded using UTF-8.

When Used

When a JWT, including an OAuth Request Object, identifies the principal that is its subject.

Normative Requirements

Requests

MUST
3
  1. RFC 9101 - Section 4

    include all parameters used to process the OAuth authorization request except `request` and `request_uri`..

    Condition: when constructing a Request Object, including when `sub` is used to process the authorization request.

    It MUST contain all the parameters (including extension parameters) used to process the OAuth 2.0 authorization request except the request and request_uri parameters.

  2. RFC 9101 - Section 4

    include parameter names and string values as JSON strings..

    Condition: when representing authorization request parameters as JWT claims in a Request Object.

    Parameter names and string values MUST be included as JSON strings.

  3. RFC 9101 - Section 4

    encode parameter names and string values represented as JSON strings using UTF-8..

    Condition: when encoding a Request Object.

    these JSON strings MUST be encoded using UTF-8

Unspecified actor

OPTIONAL
1
  1. RFC 7519 - Section 4.1.2

    use the `sub` claim..

    Condition: when creating or processing a JWT.

    Use of this claim is OPTIONAL.

JWT producers

MUST
1
  1. RFC 7519 - Section 4.1.2

    scope the subject value so that it is locally unique within the issuer context or globally unique..

    Condition: when including the `sub` claim in a JWT.

    The subject value MUST either be scoped to be locally unique in the context of the issuer or be globally unique.

Validation Guidance

error

Verify that a `sub` value is locally unique within the issuer context or globally unique.

info

Do not require `sub` to be present solely because an object is a JWT or Request Object.

error

Verify that `sub` is a case-sensitive JSON string containing a StringOrURI value.

error

When `sub` is used to process an authorization request represented by a Request Object, verify that it is included in that Request Object.

error

Verify that Request Object JSON strings, including a string-valued `sub`, are encoded using UTF-8.

Reference

Details

Entry Id
sub
Name
sub
Parameter Usage Location
authorization request
Change Controller
IETF
Reference
RFC7519 - Section 4.1.2, RFC9101