Auth0 User ID vs. Sub Claim

Hey folks.

We have an internal discussion I’m hopeful you can help resolve. In the past I have used the value contained in the sub claim of the access token as the unique identifier of a user. We use Google OAuth, so that value typically looks something like this: google-apps|john.doe@company.com. My understanding is that we can rely on that value to be immutable, even if the person’s email changes (in which case they would either get a new Google account or have an alias for their email but their id/sub claim would remain the same). I have used this value because that’s how I’ve interpreted your recommendation here: Identify Users

However, some folks on my team are wary of using a value that includes the email since emails (at least with some providers) may be mutable. So they are recommending using the Auth0 internal user id, which I believe is always just a random value like 5f7c8ec7c33c6c004bbafe82.

So my question is very simple: does it matter? If so, which one should we use?

Thank you!

Hey there @filipem welcome to the community!

I apologize for the delayed response on this one but was combing through our backlog and wanted to respond - Where exactly did you land with this? Were you using the Google enterprise connection or standard social connection?

For future reference, the sub claim should look something like google-apps|117686103243408785895170 rather than using the user’s email. It looks like an issue was fixed at some point where the mapping did point to the email rather than an id.

The complaint was that the email may be too “brittle” - In this particular case either should’ve worked, but perhaps the internal id may have been a slightly better option. The sub claim is now improved to include an id as mentioned previously.

Hope this helps!
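
As an added example (not code from either poster or from Auth0), the sketch below audits stored user keys for the two shapes discussed in this thread: a sub whose identifier part is an email and a sub whose identifier is an opaque id. The function names are hypothetical, the `provider|identifier` layout is assumed from the values quoted above, and the sample list is constructed.

```python
import re

# Loose shape check only ("something@domain.tld"); not a full address validator.
EMAIL_SHAPED = re.compile(r"^[^@\s|]+@[^@\s|]+\.[^@\s|]+$")


def split_sub(sub):
    """Split 'provider|identifier' on the first '|' (layout assumed from the thread)."""
    provider, sep, identifier = sub.partition("|")
    if not sep or not provider or not identifier:
        raise ValueError(f"unexpected sub format: {sub!r}")
    return provider, identifier


def embeds_email(sub):
    """True when the identifier part is email-shaped, i.e. tied to a value that may change."""
    _, identifier = split_sub(sub)
    return bool(EMAIL_SHAPED.match(identifier))


def audit_subs(subs):
    """Return (sub, reason) pairs for stored keys that need review before being relied on."""
    flagged = []
    for sub in subs:
        try:
            if embeds_email(sub):
                flagged.append((sub, "identifier is email-shaped"))
        except ValueError as exc:
            # No provider prefix at all, e.g. a bare email stored as the key.
            flagged.append((sub, str(exc)))
    return flagged


# Constructed sample: the two sub values quoted in the thread plus one bare email key.
STORED_SUBS = [
    "google-apps|john.doe@company.com",
    "google-apps|117686103243408785895170",
    "john.doe@company.com",
]

if __name__ == "__main__":
    for sub, reason in audit_subs(STORED_SUBS):
        print(f"{sub}: {reason}")
```

Run it against the verified `sub` values already stored in a user table; any flagged row is one where the key would stop matching if the mapping or the address changes.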
