Generation of sub

Issue #185 resolved
Nicolas Aillery created an issue

Details on how the sub should be generated:

-
+
<list style="symbols">
<t>If the Access Token is tied with an End-User, the <spanx style="verb">sub</spanx> is RECOMMENDED to be <spanx style="verb">pairwise</spanx> with a value based on the Sector Identifier of the Client. It is assumed that the Sector Identifier has been verified during the Access Token issuance process. The <spanx style="verb">sub</spanx> MAY also be <spanx style="verb">public</spanx>.
</t>
<t>If the Access Token is not tied with an End-User, the <spanx style="verb">sub</spanx> is RECOMMENDED to be <spanx style="verb">public</spanx> with a value based on the <spanx style="verb">user_id</spanx> and <spanx style="verb">user_id_type</spanx>. 
A pairwise <spanx style="verb">sub</spanx> MAY be used in this case, but the OP MUST take special care to ensure the Client is entitled to use the associated Sector Identifier as the Client's <spanx style="verb">redirect_uri</spanx> that is usually used for this check is not involved in the flow.
Either <spanx style="verb">public</spanx> or <spanx style="verb">pairwise</spanx>, with such an Access Token, the <spanx style="verb">sub</spanx> is less valuable for the Client than the couple <spanx style="verb">user_id</spanx> and <spanx style="verb">user_id_type</spanx>.
</t>
</list>
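
The selection rule proposed above, as an added Python example that is not part of the issue or of any specification text. The `Client` record, the `sector_verified` flag, the salt, and the HMAC-SHA-256 derivation are assumptions made for illustration; the issue does not define how the `sub` value is computed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

OP_SALT = b"constructed-demo-salt"  # constructed value; a real OP keeps this secret


@dataclass
class Client:  # hypothetical registration record held by the OP
    client_id: str
    sector_identifier: Optional[str]  # host registered for this client
    sector_verified: bool             # OP confirmed the client may use it


def _digest(*parts: str) -> str:
    # Length-prefix each part so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(len(p.encode()).to_bytes(4, "big") + p.encode() for p in parts)
    return hmac.new(OP_SALT, msg, hashlib.sha256).hexdigest()


def pairwise_sub(client: Client, local_account: str) -> str:
    # No redirect_uri is involved in this flow, so only a sector identifier
    # that the OP verified beforehand is accepted.
    if not (client.sector_identifier and client.sector_verified):
        raise PermissionError("client is not entitled to a sector identifier")
    return _digest("pairwise", client.sector_identifier, local_account)


def public_sub(user_id: str, user_id_type: str) -> str:
    # Same value for every client: derived only from user_id and user_id_type.
    return _digest("public", user_id_type, user_id)


def sub_for_token(client: Client, end_user_account: Optional[str],
                  user_id: str, user_id_type: str):
    """Return (subject_type, sub) following the recommendations in the issue."""
    if end_user_account is not None:
        # Access Token tied to an End-User: pairwise is RECOMMENDED.
        return "pairwise", pairwise_sub(client, end_user_account)
    # Access Token not tied to an End-User: public is RECOMMENDED.
    return "public", public_sub(user_id, user_id_type)
```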
