OpenID Connect provides two subject identifier types: public or pairwise. With public, the sub= claim is simply the user id (or equivalent) of the authenticated user, and every client receives the same value. This creates a flow something like the below:
|Typical "public" subject identifier OIDC flow|
This is just a typical authorization_code flow; the end result is the id_token payload. The sub= claim is in clear, readable form, so any party that sees the token can correlate all of sub=jdoe's activity across every client that user signs in to.
So, what if you want a bit more privacy within your ecosystem? Well, here comes the Pairwise Subject Identifier type. With pairwise, each client (or each group of clients sharing a sector identifier) is issued a different, non-reversible hash of the user's identifier as the sub= claim, so two clients cannot correlate the same user by comparing their tokens.
To configure in ForgeRock Access Management, alter the OIDC provider settings. On the advanced tab, simply add pairwise as a subject type.
|Enabling Pairwise on the provider|
Next alter the salt for the hash, also on the provider settings advanced tab.
|Add a salt for the hash|
|Client profile settings|
Note the addition of the sector_identifier_uri parameter. Once you've exchanged the authorization_code for an access_token, take a peek inside the associated id_token. This now contains an opaque sub= claim:
The overall flow would now look something like this:
|OIDC flow with Pairwise|
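To make the non-correlation property concrete, here is an added worked example (not ForgeRock code and not from the original post) that implements the example pairwise derivation from OpenID Connect Core 1.0 section 8.1: sub = SHA-256(sector_identifier || local_account_id || salt). It also shows how the sector identifier is chosen from sector_identifier_uri (or the single redirect host when none is registered) and the check a provider must perform that every redirect_uri is listed in the sector document. The client registrations, the sector document and the salt below are constructed sample values; ForgeRock AM's exact hash input and encoding are not stated on this page, so treat the derivation as illustrative.

```python
import hashlib
from urllib.parse import urlparse

# Constructed provider-side salt (the value set on the AM provider's advanced tab).
PROVIDER_SALT = "constructed-provider-salt"

# Constructed client registrations. client_a and client_b share a sector_identifier_uri,
# so they are one "sector" and receive the same pairwise sub; client_c is a separate sector.
CLIENTS = {
    "client_a": {
        "redirect_uris": ["https://a.example.com/cb", "https://b.example.com/cb"],
        "sector_identifier_uri": "https://apps.example.com/sectors.json",
    },
    "client_b": {
        "redirect_uris": ["https://b.example.com/cb"],
        "sector_identifier_uri": "https://apps.example.com/sectors.json",
    },
    "client_c": {
        "redirect_uris": ["https://other.example.org/cb"],
        # no sector_identifier_uri: the single redirect host is the sector
    },
}

# Constructed JSON array as it would be fetched from https://apps.example.com/sectors.json.
SECTOR_DOCUMENT = ["https://a.example.com/cb", "https://b.example.com/cb"]


def pairwise_sub(sector_identifier: str, local_account_id: str, salt: str) -> str:
    """Derive a pairwise subject identifier (OIDC Core 8.1 example algorithm).

    The digest is one-way, so a client holding the sub cannot recover the local
    account id, and without the salt it cannot even brute-force a guessed id.
    """
    if not salt:
        raise ValueError("a non-empty provider salt is required")
    material = f"{sector_identifier}{local_account_id}{salt}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()


def sector_identifier_for(client: dict) -> str:
    """Return the sector identifier: the host of sector_identifier_uri if registered,
    otherwise the host of the client's single redirect_uri."""
    uri = client.get("sector_identifier_uri")
    if uri:
        return urlparse(uri).hostname
    hosts = {urlparse(u).hostname for u in client["redirect_uris"]}
    if len(hosts) != 1:
        raise ValueError("clients with several redirect hosts must register a sector_identifier_uri")
    return hosts.pop()


def validate_sector_document(client: dict, sector_document: list) -> bool:
    """Provider-side check: every registered redirect_uri must appear in the JSON
    array served at sector_identifier_uri, otherwise a client could claim any sector."""
    return all(u in sector_document for u in client["redirect_uris"])


def issue_subs(local_account_id: str) -> dict:
    """Compute the sub= claim each constructed client would see for one user."""
    return {
        name: pairwise_sub(sector_identifier_for(client), local_account_id, PROVIDER_SALT)
        for name, client in CLIENTS.items()
    }


if __name__ == "__main__":
    for name, sub in issue_subs("jdoe").items():
        print(f"{name}: sub={sub}")
    print("client_a sector document valid:",
          validate_sector_document(CLIENTS["client_a"], SECTOR_DOCUMENT))
```

Running it shows client_a and client_b receiving an identical opaque sub for jdoe (they are the same sector and may legitimately share the user's identity), while client_c gets an unrelated value, so nothing in the two tokens links them to the same person. Changing the provider salt changes every issued sub, which is why the salt must be kept stable once clients are live.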