Subject Type
The subject is a unique identifier for an entity, which is either the end-user or the client. It is used as the sub claim in access tokens and id tokens.
The value can either be global, issued by AuthServer and shared among all clients, or scoped to a sector identifier, in which case clients using the same sector identifier share the same subjects.
The type of subject is chosen through the client metadata "subject_type". The supported subject types are published at the discovery endpoint. There are two available values: "public" and "pairwise".
| Name | Description |
|---|---|
| OpenID Connect | Core specification for OpenID Connect |
Subjects that are public are shared among all clients from AuthServer. The unique identifier of the end-user is used as the subject value.
The public subject type may be unacceptable in high-security scenarios where anonymity is required, because a public subject can be used to correlate the end-user's activity across all clients in the end-user's single-sign-on session.
Subjects that are pairwise are shared among all clients that use the same sector identifier. For each unique sector identifier there is a unique subject for each end-user, so an end-user ends up with many subjects.
Sharing the same sector identifier among multiple clients can be useful when the clients trust each other. For example, an enterprise that owns multiple programs may want to track an end-user's activity across all of its own clients.
The sector identifier is provided as client metadata through "sector_identifier_uri". It must be an absolute HTTPS URI that responds with a JSON array of all the client URIs sharing that sector_identifier_uri. This ensures that a malicious client cannot register a sector_identifier_uri that is only supposed to be shared among trusted clients.
The following HTTP example shows a request from AuthServer to the sector_identifier_uri.
```http
GET /sector-identifier HTTP/1.1
Host: client.authserver.dk
Accept: application/json
```
The following HTTP example shows a response where the sector_identifier_uri responds with trusted client uris.
```http
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store

["https://client.authserver.dk"]
```
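The following is an added example, not AuthServer's own code, showing the two checks described above: validating a client's sector_identifier_uri against the JSON array it serves, and deriving a public or pairwise subject. The HTTPS fetch is simulated with a constructed in-memory document, and the pairwise derivation (SHA-256 over sector identifier, user id and a salt) is an assumed algorithm modelled on the example in OpenID Connect Core, not AuthServer's actual one.

```python
import hashlib
import json
from urllib.parse import urlparse

# Constructed stand-in for the document served at a sector_identifier_uri.
# A real AuthServer would fetch this over HTTPS; here it is embedded so the
# example runs offline.
SECTOR_DOCS = {
    "https://client.authserver.dk/sector-identifier": ["https://client.authserver.dk"],
}


def fetch_sector_document(uri):
    # Simulated HTTPS GET returning the parsed JSON body.
    return json.loads(json.dumps(SECTOR_DOCS[uri]))


def validate_sector_identifier(client_uri, sector_identifier_uri, fetch=fetch_sector_document):
    """Return the sector identifier (the URI's host) if the client may use it.

    Rejects relative or non-HTTPS URIs, and any client whose own URI is not
    listed in the JSON array served at sector_identifier_uri, so a client
    cannot join a sector it is not trusted by.
    """
    parsed = urlparse(sector_identifier_uri)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("sector_identifier_uri must be an absolute HTTPS URI")
    listed = fetch(sector_identifier_uri)
    if not isinstance(listed, list) or client_uri not in listed:
        raise ValueError("client uri is not listed at sector_identifier_uri")
    return parsed.netloc


def subject_for(subject_type, user_id, sector_identifier=None, salt=b""):
    """Derive the 'sub' claim value for an end-user under the given subject type.

    public:   the end-user's own unique identifier, shared by all clients.
    pairwise: hex SHA-256(sector_identifier || user_id || salt), so clients in
              different sectors receive unrelated subjects for the same user.
              (Assumed algorithm; AuthServer's derivation is not shown here.)
    """
    if subject_type == "public":
        return user_id
    if subject_type == "pairwise":
        if not sector_identifier:
            raise ValueError("pairwise subjects require a sector identifier")
        digest = hashlib.sha256(sector_identifier.encode() + user_id.encode() + salt)
        return digest.hexdigest()
    raise ValueError(f"unsupported subject_type {subject_type!r}")
```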