Getting multiple subject IDs for the same user

We are using Auth0 to log in random users, and we are using the e-mail code method. When my application asks Auth0 to authenticate the user, these are the claims we are getting back:

nickname: someone
xttp:/schemas.xmlsoap.org/ws/2005/05/identity/claims/name: someone@somewhere.com
updated_at: 2023-06-21T00:29:10.1920000Z
xttp:/schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier: email|634f575263bed0be4e10219a
sid: es9R93rpZxumeJoos18H0_I0MvZ2zksc

I understood that I should be using the subject id (sid) as the primary key for the user. The problem is that if I clear all my cookies and log in again (possibly after some time has passed) I get a completely different set of identifying properties for the same user, for example:

nickname: someone
xttp:/schemas.xmlsoap.org/ws/2005/05/identity/claims/name: someone@somewhere.com
updated_at: 2023-06-22T18:12:00.9640000Z
xttp:/schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier: email|634f575263bed0be4e10219a
sid: fGn7nNcd8E4XJerZ5DD7Jv322zegpHwM

I can see that the “nameidentifier” is the same between the two, but all over the documentation and in this forum I see the direction that the subject ID is the key that I’m supposed to be using. Is there something that I could be doing wrong that is causing the subject ID to be unstable? Has Auth0 changed and I should ignore the sid value?

Note that as long as the Auth0 cookies are still there, I continue to get the same sid value; it’s only after I clear those cookies that the sid changes. In this case more than 24 hours had elapsed and I got the same sid, until I cleared my cookies.

Also, note that I had to change the claim names above since the forum thinks I’m trying to link out to xmlsoap and gravatar.

Thanks!

Hello there @CityOfBoiseWebmaster welcome to the community!

The sid value is the session ID, as opposed to the subject ID. The sub claim is what I believe you are referring to in terms of identifying a user.


That is definitely where I’m confused then and that makes total sense with what I was seeing, thanks!

Note that I am not seeing a “sub” claim from Auth0. For my purposes the nameidentifier will do the job just fine. I wonder if that’s a configuration issue…


No problem, happy to help!

My bad - You’re correct; in this context (SAML) the NameID is what you’re after.

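The distinction the thread lands on, as an added example that is not from the thread or from Auth0's own code: pick the identifier that survives a cookie clear (OIDC `sub`, or the SAML NameID claim) and never the session `sid`. The two claim sets are constructed to mirror the two logins in the question; the claim URI is the standard one that the forum mangled into `xttp:/`.

```python
from typing import Callable, Iterable, Mapping, Optional

# Standard WS-Federation/SAML claim type for the subject identifier.
NAME_ID_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"


def stable_user_key(claims: Mapping[str, str]) -> Optional[str]:
    """Return the identifier that stays the same across sessions, or None.

    Preference: OIDC `sub` first, then the SAML NameID claim. `sid` is a
    session identifier and is deliberately never consulted: it is reissued
    whenever the Auth0 session cookies are cleared, so keying user records
    on it would create a new "user" per session.
    """
    for name in ("sub", NAME_ID_CLAIM):
        value = claims.get(name)
        if value:
            return value
    return None


def looks_like_auth0_user_id(value: str) -> bool:
    """Auth0 user ids have the shape 'connection|local-id' (e.g. 'email|634f...').

    A sanity check only: the right-hand part varies by connection type.
    """
    connection, sep, local = value.partition("|")
    return bool(sep) and connection != "" and local != ""


# Constructed sample: same person, two logins, cookies cleared in between.
SESSIONS = [
    {NAME_ID_CLAIM: "email|634f575263bed0be4e10219a",
     "sid": "es9R93rpZxumeJoos18H0_I0MvZ2zksc"},
    {NAME_ID_CLAIM: "email|634f575263bed0be4e10219a",
     "sid": "fGn7nNcd8E4XJerZ5DD7Jv322zegpHwM"},
]


def count_users(sessions: Iterable[Mapping[str, str]],
                key_fn: Callable[[Mapping[str, str]], Optional[str]]) -> int:
    """How many distinct users a given keying strategy would create."""
    return len({k for k in (key_fn(s) for s in sessions) if k})


if __name__ == "__main__":
    print("keyed on sid:", count_users(SESSIONS, lambda c: c.get("sid")))  # 2
    print("keyed on stable id:", count_users(SESSIONS, stable_user_key))   # 1
```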
