Comment by physicsguy

1 year ago

The OIDC spec tells you that you must not use e-mail as a unique identifier. You must use the 'iss' and 'sub' fields as the username in your application.

Why? Well, for a start, it's obvious that user e-mail addresses can be re-used. If you've got a contractor working for Business A and Business B, both of which create a user account for them in their authentication service, then as a SaaS platform you can't match their e-mail address to a single B2B customer.

Secondly, there's the really obvious thing that e-mail addresses change. Businesses get bought, change name, go through mergers, etc. etc., and people's names change too (marriage, divorce, because they feel like it).

I found implementing SSO to be really challenging for a start-up. Getting it correct is hard, and you need to have a good understanding of the general concepts and OIDC and OAuth2 before trying to put it into use. Auth0 have a good book. If you don't understand this, then you'll probably end up doing something like implementing password grant auth everywhere and leave your application insecure.

Sometimes reading articles like these is a good way to alleviate any accumulating imposter syndrome. "Oh, I'm interfacing with a third-party system for something that represents an abstract actor. It better have a stable, non-stringy, reliable identifier." And yes, the spec is very clear about this, beyond just basic considerations of building a remotely robust system.
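An added example (not from the comment above, nor from any particular library) of the point being made: local accounts keyed on the verified ID token's (iss, sub) pair rather than its e-mail, so the same contractor e-mail from two tenants' identity providers yields two accounts, and a renamed e-mail for an existing subject keeps the same account. The issuer URLs, subjects and e-mails are constructed sample data, and the claim dicts stand in for claims from an already signature-verified token.

```python
from dataclasses import dataclass


@dataclass
class Account:
    iss: str
    sub: str
    email: str
    logins: int = 0


class AccountStore:
    """Maps verified ID-token claims to a local account.

    The stable identity is the pair (iss, sub): 'sub' is only unique within
    the issuer that minted it, so the issuer must be part of the key.
    """

    def __init__(self):
        self._by_identity = {}  # (iss, sub) -> Account

    def login(self, claims: dict) -> Account:
        # Refuse tokens lacking the two claims we key on. E-mail is optional
        # profile data and must never be treated as the identifier.
        try:
            key = (claims["iss"], claims["sub"])
        except KeyError as exc:
            raise ValueError(f"ID token missing required claim {exc}") from None
        acct = self._by_identity.get(key)
        if acct is None:
            acct = Account(iss=key[0], sub=key[1], email=claims.get("email", ""))
            self._by_identity[key] = acct
        else:
            # E-mail is mutable: update it on the existing account, never re-key on it.
            acct.email = claims.get("email", acct.email)
        acct.logins += 1
        return acct

    def count(self) -> int:
        return len(self._by_identity)


def demo() -> AccountStore:
    store = AccountStore()
    # Same contractor e-mail presented by two different tenants' IdPs: two accounts.
    store.login({"iss": "https://idp.business-a.example", "sub": "u-1001", "email": "pat@contractor.example"})
    store.login({"iss": "https://idp.business-b.example", "sub": "u-77", "email": "pat@contractor.example"})
    # Same subject at Business A returns with a changed e-mail: same account, updated e-mail.
    store.login({"iss": "https://idp.business-a.example", "sub": "u-1001", "email": "pat.smith@business-a.example"})
    return store
```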