oauth2.dev

sub

IESG

Registry Context

The optional `sub` member identifies the token's subject. It is usually a machine-readable identifier of the resource owner who authorized the token.

Technical Summary

RFC 7662 defines `sub` as an OPTIONAL top-level introspection response member whose meaning follows RFC 7519. Its value is a case-sensitive StringOrURI and MUST be locally unique within the issuer context or globally unique. A StringOrURI containing a colon MUST be a URI.

When Used

Use this when validating or generating the `sub` member of an OAuth token introspection response.

Normative Requirements

Unspecified actor

MUST
2
  1. RFC 7519 - Section 2

    A StringOrURI value containing a colon MUST be a URI..

    Condition: When the `sub` value contains a `:` character.

    any value containing a ":" character MUST be a URI

  2. RFC 7519 - Section 4.1.2

    The subject value MUST either be locally unique within the issuer context or globally unique..

    Condition: When a `sub` value is included.

    The subject value MUST either be scoped to be locally unique in the context of the issuer or be globally unique.

MAY
1
  1. RFC 7519 - Section 2

    The StringOrURI value MAY contain an arbitrary string value..

    Condition: When the value does not violate the URI requirement for values containing a colon.

    arbitrary string values MAY be used

OPTIONAL
1
  1. RFC 7662 - Section 2.2

    The introspection response may include the `sub` member..

    Condition: For an OAuth token introspection response.

    sub OPTIONAL.

Validation Guidance

info

Do not require `sub` for a valid introspection response.

error

Reject a `sub` value that is not a JSON string.

error

If `sub` contains a colon, verify that the complete value is a valid URI.

info

Compare `sub` values as case-sensitive strings without transformation or canonicalization.

error

Ensure that `sub` is locally unique within the issuer context or globally unique.

Reference

Details

Entry Id
sub
Name
sub
Description
Subject of the token
Change Controller
IESG
Reference
RFC7662 - Section 2.2