sub
Registry Context
The optional `sub` member identifies the token's subject. It is usually a machine-readable identifier of the resource owner who authorized the token.
Technical Summary
RFC 7662 defines `sub` as an OPTIONAL top-level introspection response member whose meaning follows RFC 7519. Its value is a case-sensitive StringOrURI and MUST be locally unique within the issuer context or globally unique. A StringOrURI containing a colon MUST be a URI.
When Used
Use this when validating or generating the `sub` member of an OAuth token introspection response.
Normative Requirements
Unspecified actor
RFC 7519 - Section 2
A StringOrURI value containing a colon MUST be a URI..
Condition: When the `sub` value contains a `:` character.
any value containing a ":" character MUST be a URI
RFC 7519 - Section 4.1.2
The subject value MUST either be locally unique within the issuer context or globally unique..
Condition: When a `sub` value is included.
The subject value MUST either be scoped to be locally unique in the context of the issuer or be globally unique.
RFC 7519 - Section 2
The StringOrURI value MAY contain an arbitrary string value..
Condition: When the value does not violate the URI requirement for values containing a colon.
arbitrary string values MAY be used
RFC 7662 - Section 2.2
The introspection response may include the `sub` member..
Condition: For an OAuth token introspection response.
sub OPTIONAL.
Validation Guidance
Do not require `sub` for a valid introspection response.
Reject a `sub` value that is not a JSON string.
If `sub` contains a colon, verify that the complete value is a valid URI.
Compare `sub` values as case-sensitive strings without transformation or canonicalization.
Ensure that `sub` is locally unique within the issuer context or globally unique.
Reference
Details
- Entry Id
sub- Name
sub- Description
Subject of the token- Change Controller
IESG- Reference
RFC7662 - Section 2.2