
OAuth2 implementation and user management Django


Overview

I've successfully implemented OAuth2 in my Django project. After the user authorizes my app I receive an access token and, with it, I can access all of his information (username and email). And so far everything is ok.

Problem 1

Now I'd like to use his username to let him log in without asking for his password. But here comes the problem. If A has registered as some_name on my app and B has registered on the authorization server as some_name then B can access A's information on my app.

Problem 2

So, I thought I can use the email provided together with the username to double check the user identity. But here comes another problem. If A has registered on my app with a_name and a_email and the same A has registered on the authorization server as a_name and b_email then A won't be able to access my app using oauth2.


I know this is a theoretical problem and there is no code to review, so if there is another place where I should post this type of question, please let me know.


Solution

  • Probably it won't be helpful anymore, but I want to answer your question anyway.

    You should check which field your IdP uses to identify its users. Then you make that field in your app unique and it's done. BUT, make sure that that field is verifiable, otherwise anyone can be anyone regardless of what the IdP says.

    So, overall the email is always the best choice, because to use it you need access to it, hence it's verifiable; the username isn't.
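The account-linking logic the answer describes, written out as an added example that is not code from the original question or answer. It assumes an OpenID Connect style claim set from the IdP containing `sub` (the provider's own stable, unique user identifier), `preferred_username`, `email` and `email_verified`; the `AccountStore` and all users and claims are constructed in-memory sample data standing in for Django models. It goes slightly beyond the answer by keying accounts on the IdP's `(issuer, sub)` pair and treating the username only as a display hint, so Problem 1 (a same-named IdP user taking over a local account) cannot occur, and it only auto-links by email when both sides have verified that address, so an unverified email from the IdP never grants access to an existing account.

```python
"""Account linking for OAuth2/OIDC login, keyed on the IdP's stable identifier.

Added example, not the original post's code. Assumes OIDC-style claims
(sub, preferred_username, email, email_verified); all data is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class LocalUser:
    user_id: int
    username: str
    email: str
    email_verified: bool = False
    # (issuer, sub) pairs linked to this account; unique across all accounts
    identities: set = field(default_factory=set)


class AccountStore:
    """In-memory stand-in for the Django user table (constructed for the example)."""

    def __init__(self):
        self._users = {}
        self._by_identity = {}  # (issuer, sub) -> user_id, enforced unique
        self._next_id = 1

    def username_taken(self, username):
        return any(u.username == username for u in self._users.values())

    def create(self, username, email, email_verified=False):
        if self.username_taken(username):
            raise ValueError("username taken")
        user = LocalUser(self._next_id, username, email, email_verified)
        self._users[user.user_id] = user
        self._next_id += 1
        return user

    def link(self, user, issuer, sub):
        key = (issuer, sub)
        if key in self._by_identity and self._by_identity[key] != user.user_id:
            raise ValueError("identity already linked to another account")
        self._by_identity[key] = user.user_id
        user.identities.add(key)

    def find_by_identity(self, issuer, sub):
        return self._users.get(self._by_identity.get((issuer, sub)))

    def find_by_verified_email(self, email):
        for u in self._users.values():
            if u.email_verified and u.email.lower() == email.lower():
                return u
        return None


def login_with_oauth(store, issuer, claims):
    """Resolve an IdP claim set to a local account; returns (user, how).

    1. An existing (issuer, sub) link always wins: the IdP's own identifier is
       what identifies the user, never the username (avoids Problem 1).
    2. Otherwise auto-link only to a local account whose email is verified on
       BOTH sides; an unverified email is never trusted for linking.
    3. Otherwise create a fresh account; the IdP username is a display hint
       and is de-duplicated if it collides with a local username.
    """
    sub = claims["sub"]
    user = store.find_by_identity(issuer, sub)
    if user is not None:
        return user, "existing-link"

    email = claims.get("email")
    if email and claims.get("email_verified") is True:
        user = store.find_by_verified_email(email)
        if user is not None:
            store.link(user, issuer, sub)
            return user, "linked-by-verified-email"

    base = claims.get("preferred_username") or f"{issuer}-{sub}"
    username, n = base, 1
    while store.username_taken(username):
        n += 1
        username = f"{base}{n}"
    user = store.create(username, email or "", claims.get("email_verified") is True)
    store.link(user, issuer, sub)
    return user, "created"


def demo():
    """Walk through the two problems from the question with constructed data."""
    store = AccountStore()
    issuer = "idp.example"  # hypothetical IdP name
    a = store.create("some_name", "a@example.com", email_verified=True)

    # Problem 1: B owns "some_name" at the IdP. B must not land in A's account.
    b, how_b = login_with_oauth(store, issuer, {
        "sub": "idp-user-B", "preferred_username": "some_name",
        "email": "b@example.com", "email_verified": True})

    # Problem 2 variant: A uses a different username at the IdP but the same,
    # verified email, so the IdP identity is linked to A's existing account.
    a2, how_a = login_with_oauth(store, issuer, {
        "sub": "idp-user-A", "preferred_username": "a_name",
        "email": "A@example.com", "email_verified": True})
    a3, how_a_again = login_with_oauth(store, issuer, {"sub": "idp-user-A"})

    # Unverified email matching A's address must NOT link to A's account.
    c, how_c = login_with_oauth(store, issuer, {
        "sub": "idp-user-C", "preferred_username": "c_name",
        "email": "a@example.com", "email_verified": False})

    return {
        "b_is_separate": b.user_id != a.user_id and b.username == "some_name2",
        "a_linked": a2.user_id == a.user_id and how_a == "linked-by-verified-email",
        "repeat_same_account": a3.user_id == a.user_id and how_a_again == "existing-link",
        "unverified_not_linked": c.user_id != a.user_id and how_c == "created",
        "how_b": how_b,
    }


if __name__ == "__main__":
    print(demo())
```

In a Django project the `(issuer, sub)` pair would live in its own model with a unique constraint, and `find_by_verified_email` would consult the app's own email-confirmation flag rather than the IdP's claim alone; the point of the example is that the IdP's identifier, not the username, is the field made unique, and that email is only used for matching once it is verifiable on both sides.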