We have an internal discussion I’m hopeful you can help resolve. In the past I have used the value contained in the
sub claim of the access token as the unique identifier of a user. We use Google OAuth, so that value typically looks something like this:
email@example.com. My understanding is that we can rely on that value to be immutable, even if the person’s email changes (in which case they would either get a new Google account or have an alias for their email, but their id/sub claim would remain the same). I have used this value because that’s how I’ve interpreted your recommendation here: Identify Users
However, some folks on my team are wary of using a value that includes the email, since emails (at least with some providers) may be mutable. So they are recommending using the Auth0 internal user ID, which I believe is always just a random value like
So my question is very simple: does it matter? If so, which one should we use?
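As an added illustration of the point under discussion (this is example code written for this page, not part of the original question and not Auth0's or Google's code), the snippet below verifies an access token, reads its `sub` claim, and matches the caller to a local account keyed on `(iss, sub)`, treating the email as a mutable attribute of that account. The same person presenting a token with a changed email resolves to the same account, and a token whose `sub` was altered after signing is rejected. Assumptions: the tokens are HS256-signed with a shared secret so the example runs offline (real Auth0 access tokens are normally RS256-signed and verified against the tenant's JWKS); the issuer URL, audience and `sub` values are constructed for the example.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: a shared HS256 secret. Production tokens from an
# identity provider are usually RS256-signed and verified against a JWKS endpoint.
SECRET = b"example-shared-secret-not-for-production"
EXPECTED_ISSUER = "https://example-tenant.auth0.com/"   # assumed tenant URL
EXPECTED_AUDIENCE = "https://api.example.com"           # assumed API identifier


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Build an HS256 JWT for the constructed sample tokens below (example helper only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, now: float | None = None) -> dict:
    """Verify signature, issuer, audience and expiry, then return the claims.
    `sub` is only trusted after the signature has been checked."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("expired")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims


class UserStore:
    """Local accounts keyed on (iss, sub); email is a mutable attribute, not the key."""

    def __init__(self) -> None:
        self._by_key = {}

    def resolve(self, claims: dict) -> dict:
        key = (claims["iss"], claims["sub"])
        email = claims.get("email")
        user = self._by_key.get(key)
        if user is None:
            user = {"id": f"u{len(self._by_key) + 1}", "sub": claims["sub"], "email": email}
            self._by_key[key] = user
        elif email and user["email"] != email:
            user["email"] = email  # the email changed; the account did not
        return user

    def count(self) -> int:
        return len(self._by_key)


def demo(now: float = 1_700_000_000.0) -> tuple[str, str, int]:
    """Two logins by the same subject with different emails map to one account."""
    store = UserStore()
    base = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "exp": now + 3600,
            "sub": "google-oauth2|112233445566"}  # constructed sub value
    first = store.resolve(verify_token(mint_token({**base, "email": "alice@example.com"}), now))
    second = store.resolve(verify_token(mint_token({**base, "email": "alice.new@example.com"}), now))
    return first["id"], second["id"], store.count()


def forged_token_rejected(now: float = 1_700_000_000.0) -> bool:
    """Rewriting `sub` in a signed token must fail verification."""
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "exp": now + 3600,
              "sub": "google-oauth2|112233445566", "email": "alice@example.com"}
    header_b64, _, sig_b64 = mint_token(claims).split(".")
    forged_payload = _b64url_encode(json.dumps({**claims, "sub": "google-oauth2|999"}).encode())
    try:
        verify_token(f"{header_b64}.{forged_payload}.{sig_b64}", now)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), forged_token_rejected())
```

The store never looks an account up by email, so an email change (or an email reused by a different subject at the provider) cannot silently merge or split accounts; linking on `(iss, sub)` rather than `sub` alone also keeps identically named subjects from two issuers apart.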