Comment by jbmsf
1 year ago
I get it, but this is also, frankly, terrible. I should not be required to store your identifiers in my system in order to log in users.
I've always felt that email+email_verified would make much more sense.
I don't actually care about the email address being a unique person, just that they have access to it.
The email address is not guaranteed to be stable.
I get it, but you're throwing technical specifications at a product/human/application problem.
No one wants to build an application that has to invent its own id scheme or manage this complexity. The fact that the specs don't provide a solution here -- something like informing you when an email address is no longer valid (again, I get it, this is hard/impossible) -- means that the spec will always be in conflict with actual usage.