
    Pairwise Pseudonymous Identifier (PPID)

    Per the OpenID Connect core specification:

    Pairwise Pseudonymous Identifier (PPID)
        Identifier that identifies the Entity to a Relying Party that
        cannot be correlated with the Entity's PPID at another Relying
        Party.
    
    Personally Identifiable Information (PII)
        Information that (a) can be used to identify the natural person to
        whom such information relates, or (b) is or might be directly or
        indirectly linked to a natural person to whom such information
        relates.
    
    Relying Party (RP)
        OAuth 2.0 Client application requiring End-User Authentication and
        Claims from an OpenID Provider.
    
    Sector Identifier
        Host component of a URL used by the Relying Party's organization
        that is an input to the computation of pairwise Subject
        Identifiers for that Relying Party.
    

    Identify supports both public and pairwise subject types as follows:

    • public: Each client receives the same subject (sub) value.
    • pairwise: Each client receives a different subject (sub) value to prevent correlation between clients.

    Discovery endpoint

    You can check the discovery endpoint of your Identify instance to see whether subject_types_supported includes pairwise:

    "subject_types_supported":["public","pairwise"]
    

    Dynamic client registration endpoint

    Please visit the Client metadata section for more details. The relevant key names are:

    • sector_identifier_uri
    • subject_type

    Protocol

    Setting up OAuth 2.0 protocol connection for pairwise

    Update the settings below:

    • Subject type: Select the option "Pairwise".
    • Sector identifier URI: Enter an HTTPS URI from which Identify can fetch a JSON file containing an array of redirect_uri values. Per the specification: If the Client has not provided a value for "sector_identifier_uri" in Dynamic Client Registration [OpenID.Registration], the Sector Identifier used for pairwise identifier calculation is the host component of the registered "redirect_uri". If there are multiple hostnames in the registered "redirect_uris", the Client MUST register a "sector_identifier_uri". Sample content for that file is:
    ["http://localhost:62640/Home/ImplicitCallback","https://test.com/Home/CodeFlowCallback","http://localhost:62640/Home/HybridCallback","http://localhost:62640/Home/CodeFlowCallback"]
    
    • Subject identifier hash salt: Alter this setting if necessary.

    For the Identify Admin, the options are in the OAuth 2.0 protocol connection settings.

    For the Safewhere Admin, the option is in the OpenID Connect/OAuth 2.0 application's connection settings and its security settings, or on the Clients' settings tab.

    For the REST API, add properties named "sectorIdentifierUri", "subjectType" and "subjectIdentifierHashSalt" to the "configuration" element of the connection JSON.

    Client application

    After configuring the pairwise subject type, you can verify it by using one of our OIDC client sample applications.

    In this document, we use the ASP.NET MVC sample application to demonstrate the option.

    Log in with the sample application using the code flow and inspect the result.

    You can verify the subject (sub) value by decoding the access token.

    The subject value is generated as follows:

    base64urlencode(HS256Signature(sectorIdentifier + client_id + salt, key))
    

    The value is not reversible by any party other than the Identify OAuth 2.0 Authorization server.
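    As an added illustration (not Identify's own implementation), the following Python reproduces the derivation above, reading HS256Signature as HMAC-SHA256 and "+" as string concatenation, and also applies the Sector Identifier rules from the Protocol section, including the check that the file at the sector identifier URI lists every registered redirect_uri. The key, salt and client id values are constructed, and the sector file body is taken from the sample content above.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed stand-in for the file served at sector_identifier_uri, using the
# sample content shown in the Protocol section above.
SECTOR_FILE = json.dumps([
    "http://localhost:62640/Home/ImplicitCallback",
    "https://test.com/Home/CodeFlowCallback",
    "http://localhost:62640/Home/HybridCallback",
    "http://localhost:62640/Home/CodeFlowCallback",
])


def sector_identifier(redirect_uris, sector_identifier_uri=None, sector_file_body=None):
    """Return the Sector Identifier (a host name) for a client.

    Without a sector_identifier_uri, the host of the registered redirect_uri is
    used, and several distinct hosts are rejected because the client must then
    register a sector_identifier_uri. With one, its host is used after checking
    that the JSON array it serves lists every registered redirect_uri."""
    if sector_identifier_uri is None:
        hosts = {urlparse(u).hostname for u in redirect_uris}
        if len(hosts) != 1:
            raise ValueError("multiple redirect_uri hosts: sector_identifier_uri is required")
        return hosts.pop()
    parsed = urlparse(sector_identifier_uri)
    if parsed.scheme != "https":
        raise ValueError("sector_identifier_uri must be an HTTPS URI")
    listed = json.loads(sector_file_body)
    missing = [u for u in redirect_uris if u not in listed]
    if missing:
        raise ValueError(f"redirect_uris not listed in the sector file: {missing}")
    return parsed.hostname


def pairwise_sub(sector, client_id, salt, key):
    """base64urlencode(HS256Signature(sectorIdentifier + client_id + salt, key)).

    HS256Signature is taken to be HMAC-SHA256 and '+' to be plain string
    concatenation; both readings of the document's notation are assumptions."""
    msg = (sector + client_id + salt).encode("utf-8")
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    # Padding is stripped, as base64url in JOSE/OIDC is unpadded.
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")
```

    Two registrations with different client ids or a different salt yield unrelated sub values, which is what prevents correlation across Relying Parties.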

    Generated by DocFX