Comment by jeroenhd

3 days ago

Google promises to use a different `sub` claim for every account, even if you reuse the domain name. However, according to the talk, the `sub` claim isn't stable in normal scenarios, so developers don't use that like they're supposed to.

Google should fix the `sub` problem if the problem is on their side (and not, for instance, related to user account impersonation or recreated user accounts, which are expected to fail this check). Everyone integrating with Google should use the `sub` claim like they're supposed to.

Of course this approach doesn't help if a domain admin can recover the original workspace account (rather than simply re-registering the domain with Google), but that can easily be solved by not having the domain admin accounts use the domain they're hosted on.
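As an added illustration of the `sub`-versus-email point (example code, not from the commenter or from Google): the token claims below are constructed samples, and JWT signature, issuer, audience and expiry checks are assumed to have already passed before this account-linking step runs.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

GOOGLE_ISS = "https://accounts.google.com"

@dataclass
class Account:
    user_id: str
    email: str
    issuer: str
    sub: str

@dataclass
class AccountStore:
    # (issuer, sub) -> Account: the key OIDC says to use
    by_subject: Dict[Tuple[str, str], Account] = field(default_factory=dict)
    # email -> Account: the shortcut many integrations take instead
    by_email: Dict[str, Account] = field(default_factory=dict)

    def link(self, account: Account) -> None:
        self.by_subject[(account.issuer, account.sub)] = account
        self.by_email[account.email] = account

def lookup_by_email(store: AccountStore, claims: dict) -> Optional[Account]:
    """Weak: a re-registered Workspace domain mints a new `sub`, but the
    address is unchanged, so the new holder is matched to the old user."""
    return store.by_email.get(claims["email"])

def lookup_by_subject(store: AccountStore, claims: dict) -> Optional[Account]:
    """Correct: `sub` is stable per (issuer, account). A recreated account is
    a new subject, so this returns None and the app must treat the login as
    a fresh account rather than as the old one."""
    return store.by_subject.get((claims["iss"], claims["sub"]))

def build_sample_store() -> AccountStore:
    # Constructed sample: the original employee's linked account.
    store = AccountStore()
    store.link(Account("user-1", "alice@example.com", GOOGLE_ISS, "sub-111"))
    return store

# Constructed sample claims for the same address after the domain has been
# re-registered with Google; note the different `sub` value.
RECREATED_CLAIMS = {"iss": GOOGLE_ISS, "sub": "sub-222",
                    "email": "alice@example.com", "email_verified": True}

if __name__ == "__main__":
    store = build_sample_store()
    print("email lookup  :", lookup_by_email(store, RECREATED_CLAIMS))
    print("subject lookup:", lookup_by_subject(store, RECREATED_CLAIMS))
```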