Subject field accept

What is the purpose of the subject field?

My challenge request returns an empty subject field, and given any random string, the accept request gets a 200.

The documentation wasn’t explaining much except that the subject is the “resource owner”.

Most of my confusion comes from putting it in context with the client.
Is the client_id string representative of the service using the OAuth2 protocol provider (Hydra),
while the subject is the user on the service authenticating via the OAuth2 protocol provider (Hydra)?

Just for clarification.

The subject field is the end-user’s unique identifier. If you have a table of users in your database, you probably have a primary key for every one of your users that never changes. That should be the value of the subject field:

pk email password_hash
1234 [email protected]
4321 [email protected]
5151 [email protected]

If user [email protected] completes the login challenge, then you set the subject to 1234, and so on.

Never use things such as email addresses, usernames, or other things that may change over time for this field as that will have unintended consequences and may lead to people being able to sign into other people’s accounts!
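To make the answer concrete, here is an added example (not code from the thread or from Ory Hydra) of a login provider that verifies the user's password, then builds the accept call with the stable primary key as the subject. It assumes a Hydra 1.x admin API reachable at a hypothetical base URL and uses the `PUT /oauth2/auth/requests/login/accept?login_challenge=...` endpoint; the users table and password hashes are constructed in memory for illustration. The last function walks through the email-reuse scenario the answer warns about and shows that a primary-key subject stays distinct while an email-based subject collides.

```python
import copy
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed stand-in for the users table in the answer. The hashing here
# (salted SHA-256) is only for illustration; a real login provider would use a
# dedicated password hash such as argon2 or bcrypt.
_SALT = b"example-salt"


def _hash_password(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


USERS = {
    1234: {"email": "alice@example.org", "password_hash": _hash_password("alice-pw")},
    4321: {"email": "bob@example.org", "password_hash": _hash_password("bob-pw")},
    5151: {"email": "carol@example.org", "password_hash": _hash_password("carol-pw")},
}


def verify_login(email: str, password: str, table=None):
    """Return the stable primary key of the authenticated user, or None."""
    table = USERS if table is None else table
    for pk, row in table.items():
        if row["email"] == email:
            # Constant-time comparison of the stored and computed hashes.
            if hmac.compare_digest(row["password_hash"], _hash_password(password)):
                return pk
            return None
    return None


def build_accept_request(admin_url: str, login_challenge: str, email: str,
                         password: str, remember: bool = False):
    """Build the Hydra 1.x 'accept login request' call for a verified user.

    Returns (url, json_body) or None if the credentials are wrong. The subject
    is the primary key, never the email address. admin_url is an assumption
    about where the Hydra admin API lives in a given deployment.
    """
    pk = verify_login(email, password)
    if pk is None:
        return None
    url = (f"{admin_url}/oauth2/auth/requests/login/accept?"
           + urlencode({"login_challenge": login_challenge}))
    body = {"subject": str(pk), "remember": remember, "remember_for": 3600}
    return url, body


def demonstrate_email_reuse():
    """Why the answer says never to use an email address as the subject.

    Alice (pk 1234) changes her address, then a newly registered account
    claims the address she gave up. Returns the subjects each scheme would
    hand to Hydra, as ((alice_pk, newcomer_pk), (alice_email, newcomer_email)).
    """
    table = copy.deepcopy(USERS)
    old_address = table[1234]["email"]

    # Alice's original login under each scheme.
    alice_pk_subject = "1234"
    alice_email_subject = old_address

    # Alice changes her email; her primary key does not change.
    table[1234]["email"] = "alice-new@example.org"

    # A new account registers the released address (pk 9999, constructed).
    table[9999] = {"email": old_address, "password_hash": _hash_password("new-pw")}
    newcomer_pk_subject = "9999"
    newcomer_email_subject = table[9999]["email"]

    # Under the email scheme both logins map to the same subject, so any
    # remembered session or consent for "Alice" now belongs to the newcomer.
    return ((alice_pk_subject, newcomer_pk_subject),
            (alice_email_subject, newcomer_email_subject))
```

The caller would send `body` as JSON in a PUT to `url` and redirect the browser to the `redirect_to` value Hydra returns; that transport step is left to whichever HTTP client the login provider already uses.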

Thank you very much.
