Pairwise Pseudonymous Identifier (PPID)


Per the OpenID Connect core specification, Identify supports both public and pairwise subject types as follows:

  • public: Each client receives the same subject (sub) value.
  • pairwise: Each client receives a different subject (sub) value to prevent correlation between clients.

Discovery endpoint

You can check the discovery endpoint of your Identify instance to see whether the subject_types_supported list includes pairwise:

Dynamic client registration endpoint

See the Client metadata section for details on these registration keys:

  • sector_identifier_uri
  • subject_type

Protocol

Setting up OAuth2.0 protocol connection for pairwise

Update the following settings:

  • Subject type: Select the option "Pairwise".
  • Sector identifier uri: Enter an HTTPS URI from which Identify can fetch a JSON file containing an array of redirect_uri values. Per the specification: If the Client has not provided a value for "sector_identifier_uri" in Dynamic Client Registration [OpenID.Registration], the Sector Identifier used for pairwise identifier calculation is the host component of the registered "redirect_uri". If there are multiple hostnames in the registered "redirect_uris", the Client MUST register a "sector_identifier_uri". Sample content for that file is:

  • Subject identifier hash salt: Change this setting if necessary.

For the Identify Admin, you can find the options in the OAuth2.0 protocol connection:

[Screenshot: identify-admin-pairwise]

For the Safewhere Admin, you can find the option in the OpenID Connect/OAuth2.0 application's connection settings:

[Screenshot: sw-admin-pairwise-sectoruri]

And its security settings:

[Screenshot: sw-admin-pairwise-subject]

Or in the Clients' settings tab:

[Screenshot: sw-admin-client-pairwise]

For the REST API, add the properties "sectorIdentifierUri", "subjectType" and "subjectIdentifierHashSalt" to the connection's "configuration" JSON element.

Client application

After configuring the pairwise subject type, you can verify it with one of our OIDC client sample applications.

In this document, we use the ASP.NET MVC sample application to demonstrate the option.

When you log in with the sample application using the authorization code flow, the result looks like this:

[Screenshot: oauth-access-token]

You can verify the pairwise subject by decoding the access token:

[Screenshot: oauth-access-token-pairwise-decrypt]

The subject value is generated as follows:

The value is not reversible by any party other than the Identify OAuth2.0 Authorization server.
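The following Python example, added here and not taken from Identify or the Safewhere documentation, walks through the two rules described above: choosing the Sector Identifier (the host of the sector_identifier_uri when one is registered, otherwise the single host of the registered redirect_uri) and deriving a per-sector subject from it. It uses the example algorithm from OpenID Connect Core section 8.1, sub = SHA-256(sector_identifier || local_account_id || salt); Identify's own derivation is not shown on this page, so treat the hashing step as the spec's illustration rather than Identify's implementation. The discovery document, client registrations, account id and salt are all constructed sample values. As the spec requires, the salt is a provider secret: the page's "Subject identifier hash salt" setting plays that role, and keeping it secret is what makes the sub values unlinkable across sectors and not recoverable by a relying party.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed discovery document excerpt (not fetched from a live Identify instance).
DISCOVERY_DOC = {
    "issuer": "https://idp.example.test",
    "subject_types_supported": ["public", "pairwise"],
}

# Constructed client registrations.
CLIENT_A_REDIRECTS = ["https://app-a.example.test/signin-oidc"]
CLIENT_B_REDIRECTS = ["https://app-b.example.test/signin-oidc"]
# Client C spans two hosts, so it must register a sector_identifier_uri whose
# JSON file lists every redirect_uri (file content constructed inline here).
CLIENT_C_REDIRECTS = ["https://one.example.test/cb", "https://two.example.test/cb"]
CLIENT_C_SECTOR_URI = "https://sector.example.test/redirect_uris.json"
CLIENT_C_SECTOR_FILE = CLIENT_C_REDIRECTS + ["https://three.example.test/cb"]

LOCAL_ACCOUNT_ID = "user-0001"          # constructed local identifier of the user
PROVIDER_SALT = "constructed-secret-salt"  # must stay secret on the provider side


def supports_pairwise(discovery: dict) -> bool:
    """True when the provider advertises pairwise in subject_types_supported."""
    return "pairwise" in discovery.get("subject_types_supported", [])


def sector_identifier(redirect_uris, sector_identifier_uri=None, sector_file=None):
    """Derive the Sector Identifier following OpenID Connect Core 8.1.

    With a sector_identifier_uri: it must use https, its host is the Sector
    Identifier, and the JSON array it serves (passed in as sector_file instead
    of being fetched) must contain every registered redirect_uri.
    Without one: the host of the registered redirect_uri is used, which only
    works when all redirect_uris share a single host.
    """
    hosts = {urlsplit(u).hostname for u in redirect_uris}
    if None in hosts:
        raise ValueError("every redirect_uri must be an absolute URL with a host")
    if sector_identifier_uri is None:
        if len(hosts) != 1:
            raise ValueError("multiple redirect_uri hosts: a sector_identifier_uri must be registered")
        return hosts.pop()
    parts = urlsplit(sector_identifier_uri)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("sector_identifier_uri must be an https URL")
    missing = set(redirect_uris) - set(sector_file or [])
    if missing:
        raise ValueError(f"redirect_uris not listed in the sector identifier file: {sorted(missing)}")
    return parts.hostname


def pairwise_sub(sector: str, local_account_id: str, salt: str) -> str:
    """Spec example: sub = SHA-256(sector_identifier || local_account_id || salt)."""
    data = (sector + local_account_id + salt).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def subject_for_client(subject_type, redirect_uris, local_account_id, salt,
                       sector_identifier_uri=None, sector_file=None):
    """Return the sub value a client receives for the given subject_type."""
    if subject_type == "public":
        return local_account_id
    if subject_type == "pairwise":
        sector = sector_identifier(redirect_uris, sector_identifier_uri, sector_file)
        return pairwise_sub(sector, local_account_id, salt)
    raise ValueError(f"unknown subject_type {subject_type!r}")


if __name__ == "__main__":
    print("pairwise supported:", supports_pairwise(DISCOVERY_DOC))
    for name, uris, sec_uri, sec_file in [
        ("A", CLIENT_A_REDIRECTS, None, None),
        ("B", CLIENT_B_REDIRECTS, None, None),
        ("C", CLIENT_C_REDIRECTS, CLIENT_C_SECTOR_URI, CLIENT_C_SECTOR_FILE),
    ]:
        sub = subject_for_client("pairwise", uris, LOCAL_ACCOUNT_ID, PROVIDER_SALT, sec_uri, sec_file)
        print(f"client {name}: sector={sector_identifier(uris, sec_uri, sec_file)} sub={sub}")
```

Running the script shows three different sub values for the same account, one per sector, while a public client would receive the bare local account id. Because the salt never leaves the provider, a relying party holding one of these values cannot recompute or match it against another client's value.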