An endpoint to access the pairwise generated subjects

We want to import users from a legacy system and need to enforce the pairwise “Subject Identifier Algorithm”. Once a user is imported, we need to tell the legacy system what the new subject identifier or the user is (so they can link their existing db to the new users). It seems that Hydra does not provide a way to get the pairwise subject identifier for a user/app (if there is a way, please let me know).

One approach would be to add an admin endpoint that takes a pair (subject, client_id) and returns the new subject generated by the pairwise algorithm.

Any thoughts?

For reference:

• The pairwise algorithm documentation: https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg
• Hydra implementation of the pairwise algorithm: https://github.com/ory/hydra/blob/65b7406abe9e94011235776af009d0da94b01617/consent/subject_identifier_algorithm_pairwise.go#L42

I wanted to post a link to hydra config for pairwise algorithm too, but I got this lovely error

image.png1258×252 15.3 KB

Oh discourse…sorry about that

It seems that Hydra does not provide a way to get the pairwise subject identifier for a user/app (if there is a way, please let me know).

This works by using force_subject_identifier as is documented in the last paragraph of https://www.ory.sh/docs/hydra/advanced#subject-identifier-algorithms