Need a way to omit subject verification

[tzetze]

We are using JWT to pass user identity in the subject (sub) claim to our API.

With the current implementation the subject, issuer and audience claims are mandatory to set in the verifying context if the token to be verified contains these claims. Its totally okay for issuer and audience because on the verifier side these are known, so setting expectaion on these is a good practice.

Subject is a bit different because it holds the "unknown part" of the token, the identity if the subject represented by the token. If the token contains the subject claim, the verifier requires that the context holds the same subject. So, to verify a JWT containing a subject claim we have to do something like this before verification:

$context = new Jwt\Verification\Context($encryption); $context->setSubject($token->getPayload()->findClaimByName(Jwt\Claim\Subject::NAME)->getValue());

So we have to prefill context with the subject of the token to be verified to pass the subject verification against the subject of the token. I don't see the point of verifying subject that way.

I know there's a way to override the getVerifiers() method in the Jwt class, but i think verifying subject is unnecessary this way in general.

What's your opinion on this?

[tzetze]

This is partially connected to issue #11

[emarref]

Referring to the subject as the "unknown part", is pretty accurate. Given that definition, it would make accurately verifying an unknown value impossible, so removing verification of the subject might make sense. However, setting the subject of the context to the value of the subject claim in the token seems a little inert.

The method of verification for the subject (or lack thereof in this instance) seems like it's tied to the use-case of the token. It seems to me that any time someone implements JWT, they may or may not have a different way of verifying a subject. Which suggests to me that subject verification should be handled by the business logic of the application. It would be impossible to cover all possible usages of the subject claim.

By default, the subject claim is verified as expected based on the other claims. If something else is required, the library supports the developer overriding the verifiers as you mention.

For example, if using JWT for authentication, a system might insert the desired username as the token subject. This is always going to be an arbitrary value, but it makes sense to the application, so the application might verify the username in the subject somehow.

I agree there needs to be a simpler way of configuring the verifiers. Perhaps a verifier bag, or add/remove capability. But I don't believe subject verification should be removed entirely by default. I also don't believe setting the subject in the context to that of the claim value is the right solution in your situation. My opinion is that if you have a custom way to verify a class of token that does not need subject verification, then I would create a custom instance of the JWT service that does not verify the subject.

What do you think?

[emarref]

Closing due to lack of activity, and being unable to verify arbitrary subject assertions.