It seems that the pairwise subject type does not work well with the CIBA flow. If the id token has a pairwise subject and we go through the CIBA flow, the /access_token endpoint fails with:
Caused by: org.forgerock.oauth2.core.exceptions.NoUserExistsException: Not able to read user information.
at org.forgerock.openam.oauth2.IdentityManager.getResourceOwnerIdentity(IdentityManager.java:162)
at org.forgerock.openam.oauth2.IdentityManager.getResourceOwnerOrClientIdentity(IdentityManager.java:101)
at org.forgerock.openam.oauth2.token.OAuth2ScriptHelper.getUsersIdentity(OAuth2ScriptHelper.java:158)
at org.forgerock.openam.oauth2.token.OAuth2ScriptHelper.getIdentityAndScopes(OAuth2ScriptHelper.java:126)
at org.forgerock.openam.oauth2.OpenAMScopeValidator.initScriptBindings(OpenAMScopeValidator.java:340)
at org.forgerock.openam.oauth2.OpenAMScopeValidator.modifyAccessToken(OpenAMScopeValidator.java:320)
at org.forgerock.oauth2.core.RealmOAuth2ProviderSettings.modifyAccessToken(RealmOAuth2ProviderSettings.java:1339)
at org.forgerock.openam.oauth2.token.OpenAMTokenStore.saveNewAccessToken(OpenAMTokenStore.java:123)
at org.forgerock.oauth2.core.BackChannelGrantTypeHandler.createToken(BackChannelGrantTypeHandler.java:105)
at org.forgerock.oauth2.core.BackChannelGrantTypeHandler.handle(BackChannelGrantTypeHandler.java:79)
From the documentation, it seems that ForgeRock AM follows the guidelines provided by the Financial-grade API (FAPI) WG | OpenID for its CIBA implementation, and there is no mention of pairwise there.
Is there any patch or config available to get this working?
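To illustrate why a lookup keyed on the id_token "sub" cannot succeed for a pairwise subject, here is an added example (not code from the post or from ForgeRock AM). It derives the pairwise sub as in OpenID Connect Core section 8.1 and contrasts a lookup that treats "sub" as the account id with one that resolves it through a mapping recorded at issuance; the identity store, salt, index and exception class are constructed stand-ins.

```python
import hashlib

# Constructed sample identity store (local account id -> profile); not from the original post.
USER_STORE = {"alice": {"uid": "alice", "mail": "alice@example.test"}}
PAIRWISE_SALT = "constructed-salt"            # assumption: a per-provider secret salt
PAIRWISE_INDEX: dict[str, str] = {}           # pairwise sub -> local account id, filled at issuance


class NoUserExistsException(Exception):
    """Constructed stand-in for the lookup failure shown in the stack trace above."""


def pairwise_sub(sector_identifier: str, local_account_id: str) -> str:
    """Hash-based pairwise subject from OIDC Core 8.1: SHA-256(sector_identifier || uid || salt)."""
    raw = f"{sector_identifier}{local_account_id}{PAIRWISE_SALT}".encode()
    return hashlib.sha256(raw).hexdigest()


def issue_sub(subject_type: str, sector_identifier: str, local_account_id: str) -> str:
    """Mint the 'sub' claim: 'public' returns the account id, 'pairwise' a sector-bound one-way hash."""
    if subject_type == "public":
        return local_account_id
    sub = pairwise_sub(sector_identifier, local_account_id)
    PAIRWISE_INDEX[sub] = local_account_id   # keep the mapping so later flows can resolve the owner
    return sub


def naive_lookup(sub: str) -> dict:
    """Resolve the resource owner by treating 'sub' as the account id; cannot work for pairwise subs."""
    user = USER_STORE.get(sub)
    if user is None:
        raise NoUserExistsException("Not able to read user information.")
    return user


def index_aware_lookup(sub: str) -> dict:
    """Resolve 'sub' through the pairwise index first, then fall back to the identity store."""
    return naive_lookup(PAIRWISE_INDEX.get(sub, sub))


def can_resolve(lookup, sub: str) -> bool:
    """True if the given lookup strategy finds a user for this 'sub'."""
    try:
        lookup(sub)
        return True
    except NoUserExistsException:
        return False
```

The same user yields a different sub per sector identifier, so without the issuance-time mapping a token endpoint that re-reads the user from the sub has nothing to look up.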