We want to import users from a legacy system and need to enforce the pairwise “Subject Identifier Algorithm”. Once a user is imported, we need to tell the legacy system what the new subject identifier or the user is (so they can link their existing db to the new users). It seems that Hydra does not provide a way to get the pairwise subject identifier for a user/app (if there is a way, please let me know).
One approach would be to add an admin endpoint that takes a pair (subject, client_id) and returns the new subject generated by the pairwise algorithm.
- The pairwise algorithm documentation: https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg
- Hydra implementation of the pairwise algorithm: https://github.com/ory/hydra/blob/65b7406abe9e94011235776af009d0da94b01617/consent/subject_identifier_algorithm_pairwise.go#L42