Currently I'm developing "SignIn via Google/Apple" functionality for my app.
At some stage of the interaction between my app and Google/Apple I will obtain an ID token. The possible payload of the token is described here for Google and here for Apple. In both cases it contains the SUB property. Google describes it like:

"the ID that represents the principal making the request"

I have several questions:

1. SUB value is linked one-to-one with the particular user and will not change tomorrow, after one month or whenever I will ask Google/Apple for this token again?
2. SUB value as an external_user_id in my app?

The sub claim is unique for a given user and should never change. The format of the sub can, however, vary between services: sometimes it is a string, sometimes it is a GUID. So just treat it as a string.
Calling the received sub claim in the ID-token external_user_id in your database is totally fine.
The user does not care about the sub value and usually it is internal and not visible on the user account/profile page.
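A sketch of storing the sub claim as external_user_id, added here as an example and not part of the original answer. It goes one step beyond the answer by keying on the issuer together with sub, because a sub value is only unique within the provider that issued it. The table names, the sign_in helper and the sample claims are constructed for illustration, and the claims are assumed to come from an ID token whose signature, issuer and audience were already verified.

```python
import sqlite3

# Constructed sample claims, shaped like already-verified ID-token payloads.
GOOGLE_CLAIMS = {"iss": "https://accounts.google.com",
                 "sub": "100000000000000000001",  # 21 digits: too big for a 64-bit integer
                 "email": "user@example.com"}
APPLE_CLAIMS = {"iss": "https://appleid.apple.com",
                "sub": "000000.constructed0000000000000000.0000",
                "email": "user@example.com"}

def open_store():
    """Create an in-memory store; sub is kept verbatim in a TEXT column."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT);
        CREATE TABLE external_identities (
            issuer           TEXT NOT NULL,
            external_user_id TEXT NOT NULL,  -- the sub claim, never parsed or cast
            user_id          INTEGER NOT NULL REFERENCES users(id),
            PRIMARY KEY (issuer, external_user_id)
        );
    """)
    return db

def sign_in(db, claims):
    """Return the local user id for verified claims, creating it on first sign-in."""
    iss, sub = claims.get("iss"), claims.get("sub")
    # Reject anything that is not a non-empty string instead of coercing it.
    if not (isinstance(iss, str) and iss and isinstance(sub, str) and sub):
        raise ValueError("iss and sub must be non-empty strings")
    row = db.execute(
        "SELECT user_id FROM external_identities "
        "WHERE issuer = ? AND external_user_id = ?", (iss, sub)).fetchone()
    if row:
        return row[0]  # lookup is by (iss, sub) only; email is just profile data
    with db:  # one transaction for both inserts
        cur = db.execute("INSERT INTO users (email) VALUES (?)",
                         (claims.get("email"),))
        db.execute("INSERT INTO external_identities VALUES (?, ?, ?)",
                   (iss, sub, cur.lastrowid))
    return cur.lastrowid
```

Because the lookup never touches the email, a changed address at the provider still resolves to the same local user, and two providers reporting the same address are not merged implicitly.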