Hey folks.
We have an internal discussion I'm hopeful you can help resolve. In the past I have used the value contained in the sub claim of the access token as the unique identifier of a user. We use Google OAuth, so that value typically looks something like this: google-apps|john.doe@company.com. My understanding is that we can rely on that value to be immutable, even if the person's email changes (in which case they would either get a new Google account or have an alias for their email, but their id/sub claim would remain the same). I have used this value because that's how I've interpreted your recommendation here: Identify Users
However, some folks on my team are wary of using a value that includes the email, since emails (at least with some providers) may be mutable. So they are recommending using the Auth0 internal user ID, which I believe is always just a random value like 5f7c8ec7c33c6c004bbafe82.
So my question is very simple: does it matter? If so, which one should we use?
Thank you!
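The pattern the question is circling, keying user records on the token's sub claim and treating that string as opaque, shown as an added example that is not part of the original post and not Auth0's own code. It verifies a token before trusting any claim, then resolves it to a stored user by (iss, sub) only, so an email change on the same sub updates the profile instead of creating a second account, and a different sub that happens to carry the old email does not collide. The issuer URL, the HS256 shared secret, the audience, the two sub values and the email values are all constructed for the demo; a real Auth0 access token is RS256-signed and would be checked against the tenant's JWKS instead of a shared secret, and email is only present in it if you add it as a claim.

```python
"""Added example: the `sub` claim as an opaque, stable user key.

Everything here (issuer, secret, audience, users) is constructed for the demo.
A production verifier would use the issuer's public keys (JWKS) rather than an
HS256 shared secret; the point is that no claim is trusted before verification
and that `sub` is never parsed, only compared byte-for-byte.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-only-shared-secret"              # constructed stand-in for the issuer key
ISSUER = "https://example-tenant.auth0.com/"     # assumed issuer URL for the demo
AUDIENCE = "demo-api"                            # assumed API identifier


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict) -> str:
    """Build an HS256 JWT. In reality the IdP does this, not the application."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_and_decode(token: str, now=None) -> dict:
    """Check alg, signature, issuer, audience and expiry before returning claims."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":            # pin the algorithm; never accept "none"
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= (now if now is not None else int(time.time())):
        raise ValueError("expired")
    return claims


class UserStore:
    """Users keyed by (iss, sub). The sub string is opaque: it is never split or
    matched against the email, even when, as with google-apps|..., it contains one."""

    def __init__(self):
        self._by_key = {}

    def resolve(self, claims: dict) -> dict:
        key = (claims["iss"], claims["sub"])
        user = self._by_key.get(key)
        if user is None:
            user = {"id": len(self._by_key) + 1, "sub": claims["sub"], "email": claims.get("email")}
            self._by_key[key] = user
        elif claims.get("email") and claims["email"] != user["email"]:
            user["email"] = claims["email"]     # email is mutable profile data, not identity
        return user


def demo() -> dict:
    """Three tokens: same sub with a changed email, then a different sub reusing the old email."""
    store = UserStore()
    now = 1_700_000_000
    base = {"iss": ISSUER, "aud": AUDIENCE, "exp": now + 3600}
    first = store.resolve(verify_and_decode(mint_token(
        {**base, "sub": "google-apps|john.doe@company.com", "email": "john.doe@company.com"}), now))
    renamed = store.resolve(verify_and_decode(mint_token(
        {**base, "sub": "google-apps|john.doe@company.com", "email": "john.smith@company.com"}), now))
    other = store.resolve(verify_and_decode(mint_token(
        {**base, "sub": "auth0|5f7c8ec7c33c6c004bbafe82", "email": "john.doe@company.com"}), now))
    return {"same_user": first is renamed, "first_id": first["id"],
            "other_id": other["id"], "email_now": renamed["email"]}


def tampered_is_rejected() -> bool:
    """A payload whose sub was edited after signing must fail verification."""
    now = 1_700_000_000
    good = mint_token({"iss": ISSUER, "aud": AUDIENCE, "exp": now + 3600,
                       "sub": "auth0|5f7c8ec7c33c6c004bbafe82"})
    h, _, s = good.split(".")
    forged = _b64url(json.dumps({"iss": ISSUER, "aud": AUDIENCE, "exp": now + 3600,
                                 "sub": "google-apps|john.doe@company.com"}).encode())
    try:
        verify_and_decode(f"{h}.{forged}.{s}", now)
    except ValueError:
        return True
    return False
```

Whichever identifier you settle on, the property the store relies on is that the issuer guarantees it is stable per user and never reassigned; the application's job is to compare it as an opaque string and keep email as an updatable attribute alongside it.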