In this case it is safe to assume sub will contain a stable user identifier that uniquely identifies the user within the scope of the identity provider (the Auth0 service) as that it’s what the OIDC specification mandates. At this time, the sub claim is filled with the user_id information and is unlikely to change, but the most useful characteristics are the ones mandated by the spec; unique and stable (does not change across the lifetime of the end-user account).