Layer7 API Management

  • 1.  sub claim in JWT

    Posted Apr 26, 2025 03:11 PM

    Hello there,

    Any reason why I don't see the 'sub' claim in the JWT access token? However, I see the 'sub' claim in the userInfo response. API Gateway version 11.0.00

    We need to have 'sub' claim inside the JWT access token...

    JWT access token:

    {
      "iss": "https://mygateway.com",
      "iat": 1745688927,
      "aud": "fecb2jf7-346e-4811-a7a4-88b02fe54gj6",
      "exp": 1745690127,
      "jti": "2fecef2d-0fb5-40d1-b64e-5f344fd892da-1745690127",
      "token_details": {
        "scope": " openid profile",
        "expires_in": 1200,
        "token_type": "Bearer"
      }
    }

    However, I see the sub claim in the userInfo response, as below...

    {
      "sub": "gn1xifF2KIn41MhMfPp8bfizfEhkKwPkBLXvXKBQjoM",
      "aud": "e0k197f4-7330-4c05-9d42-e78c19a2f7b1",
      "c_hash": "YG-llJp4YtYgJBfeuZGkfw",
      "acr": "0",
      "azp": "e0k197f4-7330-4c05-9d42-e78c19a2f7b1",
      "auth_time": 1744118590,
      "iss": "https://mygateway.com",
      "exp": 1744204990,
      "iat": 1744118590
    }



  • 2.  RE: sub claim in JWT

    Posted Apr 29, 2025 02:30 AM

    Hello Suthakar,

    In OAuth2 and OpenID Connect, the access token is mainly used for authorization; it doesn't always include the sub (which is a unique user identity) by default.

    If your APIs need user identity (sub) directly from the access token, you will need to modify the JWT generation in the Layer7 OTK policies by adding the sub claim during token creation.

    Alternatively, if you just need the user's identity, you should use the ID token instead; the sub is always included in the ID token as per the OpenID Connect specification.
    Thanks
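
Added example, not part of the thread and not Layer7 or OTK code: a sketch of how an API that depends on `sub` can verify an access token and fail closed when the claim is absent, as it is in the token posted in the question. The HS256 algorithm, the key and the function names are assumptions chosen so the example runs with the Python standard library; the claim values are taken from the two posts.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed shared secret (assumption: HS256)
# Claims copied from the access token in the question; it carries no "sub".
ACCESS_CLAIMS = {"iss": "https://mygateway.com", "iat": 1745688927,
                 "aud": "fecb2jf7-346e-4811-a7a4-88b02fe54gj6", "exp": 1745690127}
SUB = "gn1xifF2KIn41MhMfPp8bfizfEhkKwPkBLXvXKBQjoM"  # "sub" from the userInfo response

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a constructed HS256 JWT so the example runs offline."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def subject_from_token(token: str, key: bytes, now: int) -> str:
    """Verify signature and expiry, then require a non-empty 'sub'."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
    except ValueError as exc:  # wrong segment count, bad base64, bad JSON
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":  # pin the algorithm, never trust the header
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        # Fail closed: aud, jti or azp identify the client or token, not the user.
        raise LookupError("access token has no 'sub' claim")
    return sub
```

A caller that receives `LookupError` should reject the request or resolve the user through the userInfo endpoint rather than substituting another claim for the user identity.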