oauth2-server-php: Jwt Bearer is not sure whether "sub" contains the username or the user email.

JWTBearerTest says “@param $sub The subject we are acting on behalf of. This could be the email address of the user in the system.” The email address is what examples elsewhere use for the subject field as well.

However, the JwtBearer grant type has:

    public function getUserId()
    {
        return $this->jwt['sub'];
    }

This treats the subject as the username (since the user id is always the username in the library). So, either the library changes its tests and code docs to indicate that “sub” contains a username, or it introduces a new storage method for loading the user by email, and uses that in the JwtBearer grant type.

Semi-related question: Why does getClientKey($client_id, $subject) accept the $subject? Is it likely that a client would have a public key per user? And is there a source (spec?) for that?
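To make the ambiguity concrete, here is an added example (not code from oauth2-server-php, and not posted by the issue author): a minimal RS256 JWT bearer assertion is built, verified against a public key stored per client only, and its "sub" claim is then resolved through a hypothetical storage that offers both a username lookup and an email lookup. The names `makeAssertion`, `verifyAssertion`, `UserStorage`, `resolveSubject`, the sample users and the client id are all assumptions chosen for illustration.

```php
<?php
// Added example, not oauth2-server-php code. Every name below (makeAssertion,
// verifyAssertion, UserStorage, resolveSubject, sample users, client id) is
// hypothetical and exists only to illustrate the "sub" question in this issue.

function b64url(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

function b64urlDecode(string $text): string
{
    $pad = str_repeat('=', (4 - strlen($text) % 4) % 4);
    return base64_decode(strtr($text, '-_', '+/') . $pad, true) ?: '';
}

// Build an RS256 JWT bearer assertion (RFC 7523 shape) carrying the given claims.
function makeAssertion(array $claims, $privateKey): string
{
    $header  = b64url(json_encode(['alg' => 'RS256', 'typ' => 'JWT']));
    $payload = b64url(json_encode($claims));
    openssl_sign("$header.$payload", $sig, $privateKey, OPENSSL_ALGO_SHA256);
    return "$header.$payload." . b64url($sig);
}

// Verify the assertion against the client's public key; return its claims or null.
function verifyAssertion(string $jwt, string $publicKeyPem): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;
    $header = json_decode(b64urlDecode($h), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'RS256') {
        return null; // only the algorithm matching the stored key type is accepted
    }
    if (openssl_verify("$h.$p", b64urlDecode($s), $publicKeyPem, OPENSSL_ALGO_SHA256) !== 1) {
        return null;
    }
    $claims = json_decode(b64urlDecode($p), true);
    if (!is_array($claims) || (isset($claims['exp']) && $claims['exp'] < time())) {
        return null;
    }
    return $claims;
}

// Hypothetical user storage exposing both lookups the issue talks about.
class UserStorage
{
    private array $users = [ // constructed sample data
        'alice' => ['user_id' => 'alice', 'email' => 'alice@example.com'],
        'bob'   => ['user_id' => 'bob',   'email' => 'bob@example.com'],
    ];

    public function getUserByUsername(string $username): ?array
    {
        return $this->users[$username] ?? null;
    }

    public function getUserByEmail(string $email): ?array
    {
        foreach ($this->users as $user) {
            if (strcasecmp($user['email'], $email) === 0) {
                return $user;
            }
        }
        return null;
    }
}

// The library's getUserId() returns $this->jwt['sub'] verbatim. This resolver makes the
// policy explicit instead: try "sub" as a username first, then as an email address.
function resolveSubject(string $sub, UserStorage $storage): ?string
{
    $user = $storage->getUserByUsername($sub) ?? $storage->getUserByEmail($sub);
    return $user['user_id'] ?? null;
}

// --- demo with constructed data ---
$clientId   = 'client-1';
$privateKey = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$publicPem  = openssl_pkey_get_details($privateKey)['key'];
// Keyed by client only: the $subject argument of getClientKey() is not needed for this
// lookup, which is the per-client (not per-client-per-user) reading raised in the issue.
$clientKeys = [$clientId => $publicPem];
$storage    = new UserStorage();

foreach (['alice', 'alice@example.com', 'nobody'] as $sub) {
    $jwt = makeAssertion([
        'iss' => $clientId,
        'sub' => $sub,
        'aud' => 'https://as.example.com/token',
        'exp' => time() + 60,
    ], $privateKey);
    $claims = verifyAssertion($jwt, $clientKeys[$clientId]);
    $userId = $claims ? resolveSubject($claims['sub'], $storage) : null;
    printf("sub=%-20s user_id=%s\n", $sub, $userId ?? '(unknown user)');
}

// A payload altered after signing (sub swapped to another user) must be rejected.
[$h, $p, $s] = explode('.', $jwt);
$forged = "$h." . b64url(json_encode(['iss' => $clientId, 'sub' => 'bob'])) . ".$s";
printf("forged assertion rejected: %s\n", verifyAssertion($forged, $clientKeys[$clientId]) === null ? 'yes' : 'no');
```

Run it with `php example.php` (ext-openssl required). Both `alice` and `alice@example.com` map to the same user only because the storage exposes both lookups; which one the grant type should call is exactly the decision the issue asks the maintainers to make, and whichever is chosen needs to be stated in the `@param $sub` doc comment so that assertion issuers put the right value in the claim.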

About this issue

  • State: open
  • Created 10 years ago
  • Comments: 15 (8 by maintainers)

Most upvoted comments

@bojanz excellent questions.

  1. As far as the user_id question goes, the entire concept of a user identifier is not defined in this library, and is defined by the server implementing the library. Yes, we have the UserStorage, but that is the most rudimentary of all the storages implemented in the library, and my hope has always been that someone will develop adaptors for Drupal, Wordpress, FOSUserBundle, etc. So in conclusion, if we update the documentation to make this clear, will that suffice?
  2. I have been wondering the same thing. In Adobe’s implementation, we simply ignore the $subject parameter. It does not make sense (to me) to have a public key per client per user. If this implementation is desired, then this can be done by the application desiring it. I have to double check the spec to be certain, however. The author of this grant type is @dsquier. Perhaps he can shed some light on it.