Sub claim clarification - kmd-identity/documentation GitHub Wiki

KMD Identity issues an id_token and an access_token after successfully authenticating a user. The value of the claim called "sub" differs between the two tokens.

The value of the sub claim is:

  • id_token: a hash of the client ID concatenated with the unique identifier from the Identity Provider. The unique identifier from the Identity Provider is the value of the "unique_name" claim.
  • access_token: the unique identifier from the Identity Provider itself (the value of "unique_name"), unhashed and independent of the client ID.

Read more about sub in the OpenID Connect Core specification's description of the ID Token.

KMD Identity supports the pairwise subject type, which is also advertised in the OpenID Connect discovery document for KMD Identity (subject_types_supported).

Sub in the id_token is therefore always scoped to the specific client ID: two different OpenID applications (client IDs) authenticating the same user receive different values in the sub claim of the id_token, but the same value in the sub claim of the access_token. An application should key its own user records on the id_token sub (stable for that client only) and must not expect that value to match what another client sees; if a user has to be correlated across applications, the access_token sub is the identifier that is shared.
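The following Python script is an added example, not code from KMD Identity or this wiki. It simulates the behaviour described above so the difference can be seen on decoded tokens: two constructed clients authenticate the same user, the id_token sub differs per client while the access_token sub is identical. The hash construction is an assumption (the page says only "the hash of client ID + unique identifier"; SHA-256 over the plain concatenation is used here and will not reproduce real KMD Identity values), the issuer URL is hypothetical, and the tokens are constructed unsigned for offline use.

```python
import base64
import hashlib
import json

ISSUER = "https://identity.example"  # hypothetical issuer, not KMD Identity's


def pairwise_sub(client_id: str, unique_name: str) -> str:
    """Pairwise subject for the id_token.

    ASSUMPTION: the wiki only states "hash of client ID + unique identifier";
    SHA-256 over the concatenation is used for illustration only.
    """
    return hashlib.sha256((client_id + unique_name).encode("utf-8")).hexdigest()


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _encode_unsigned(payload: dict) -> str:
    # Constructed, unsigned token (alg "none") so the example runs offline.
    # A real deployment never accepts alg "none"; see claims() below.
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode("utf-8"))
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    return f"{header}.{body}."


def issue_tokens(client_id: str, unique_name: str) -> tuple[str, str]:
    """Simulate issuing (id_token, access_token) the way the page describes:
    id_token sub is hashed per client, access_token sub is the raw identifier."""
    id_token = _encode_unsigned({
        "iss": ISSUER,
        "aud": client_id,
        "sub": pairwise_sub(client_id, unique_name),
        "unique_name": unique_name,
    })
    access_token = _encode_unsigned({
        "iss": ISSUER,
        "client_id": client_id,
        "sub": unique_name,
        "unique_name": unique_name,
    })
    return id_token, access_token


def claims(token: str) -> dict:
    """Decode the payload segment only.

    This performs NO signature verification; it exists to inspect the
    constructed tokens above. Real tokens must be verified against the
    issuer's JWKS before any claim, including sub, is trusted."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def compare_clients(unique_name: str, client_a: str, client_b: str) -> dict:
    """Authenticate the same user at two clients and compare the sub claims."""
    id_a, access_a = issue_tokens(client_a, unique_name)
    id_b, access_b = issue_tokens(client_b, unique_name)
    return {
        "id_token_sub_differs": claims(id_a)["sub"] != claims(id_b)["sub"],
        "access_token_sub_same": claims(access_a)["sub"] == claims(access_b)["sub"],
        "id_sub_matches_hash": claims(id_a)["sub"]
        == pairwise_sub(client_a, claims(id_a)["unique_name"]),
        "access_sub_is_unique_name": claims(access_a)["sub"] == unique_name,
    }


if __name__ == "__main__":
    # Constructed sample input: one user, two registered clients.
    print(json.dumps(compare_clients("anna@example.com", "client-a", "client-b"), indent=2))
```

The consequence for an application: store the id_token sub as the per-client user key, and treat the access_token sub as the only value that is shared across clients. Because claims() here skips verification on purpose, it must not be copied into a relying party; use a JWT library that validates the signature, issuer, audience and expiry first.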