We are using Auth0 to log in random users, and we are using the e-mail code method. When my application asks Auth0 to authenticate the user, these are the claims we are getting back:
nickname: someone
xttp:/schemas.xmlsoap.org/ws/2005/05/identity/claims/name: someone@somewhere.com
updated_at: 2023-06-21T00:29:10.1920000Z
xttp:/schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier: email|634f575263bed0be4e10219a
sid: es9R93rpZxumeJoos18H0_I0MvZ2zksc
I understood that I should be using the subject id (sid) as the primary key for the user. The problem is that if I clear all my cookies and log in again (possibly after some time has passed), I get a completely different set of identifying properties for the same user, for example:
nickname: someone
xttp:/schemas.xmlsoap.org/ws/2005/05/identity/claims/name: someone@somewhere.com
updated_at: 2023-06-22T18:12:00.9640000Z
xttp:/schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier: email|634f575263bed0be4e10219a
sid: fGn7nNcd8E4XJerZ5DD7Jv322zegpHwM
I can see that the “nameidentifier” is the same between the two, but all over the documentation and in this forum I see the direction that the subject ID is the key that I’m supposed to be using. Is there something that I could be doing wrong that is causing the subject ID to be unstable? Has Auth0 changed and I should ignore the sid value?
Note that as long as the Auth0 cookies are still there, I continue to get the same sid value; it’s only after I clear those cookies that the sid changes. In this case more than 24 hours had elapsed and I got the same sid, until I cleared my cookies.
Also, note that I had to change the claim names above since the forum thinks I’m trying to link out to xmlsoap and gravatar.
Thanks!