https://www.ory.sh/ logo
Join Slack
Powered by
<@U04UQ68083H> Is there an admin API to find the r...
# ory-copilot
a
@chilly-king-10285 Is there an admin API to find the real identity ID using the subject (sub)? Alternatively, can I disable subject anonymization for trusted clients?
c
A message from kapa.ai
Ory provides two subject identifier algorithms: 
public
and 
pairwise
for anonymizing user identities. The 
public
algorithm provides the same subject value (sub) to all clients, while the 
pairwise
algorithm provides a different subvalue to each client. You can enable either one or both algorithms and override the obfuscated 
sub
value with your own value. However, there is no direct API to find the real identity ID using the subject (sub) [source](https://www.ory.sh/docs/hydra/guides/openid). For trusted clients, you can use the 
public
algorithm which provides the same subject value to all clients. This can be set using the Ory CLI with the following command:
Copy code
bash ory patch oauth2-config {project.id} \  --replace "/oidc/subject_identifiers/supported_types=[\"public\"]"
However, please note that changing the algorithm or the salt value in production can cause serious complications with authentication in your system as all client applications receive new user IDs from Ory [source](https://www.ory.sh/docs/hydra/guides/openid). As for disabling subject anonymization, Ory does not provide a direct option to disable it. However, you can override the obfuscated 
sub
value with your own value by setting 
force_subject_identifier
when accepting the login request in your custom OAuth2 login app [source](https://www.ory.sh/docs/hydra/guides/openid).
9 Views
Open in Slack
PreviousNext
Powered by