Comment by anon84873628, 4 days ago
Ah, right, Slack can have their own public OAuth client which is used for the code grant.
So what happens is:

1. New Workspace org created with same (old) domain name
2. Same domain name is sent in `hd` property, existing email address sent in the `email` property, new uuid in the `sub` property.
If the app is only matching on email instead of sub, then it will grant access to previous user data. Additionally, even if it makes a new user based on the new sub, it may still grant access to other SP resources associated with the existing domain based on the email address or hd value.
Instead there needs to be something like `hd` but uniquely identifying the Workspace org entity itself, not just the domain.
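An added illustration of the email-versus-`sub` linking difference the comment describes. This is not code from the thread, from Slack, or from any IdP; the claim values, the `User` record and the service-provider store are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    email: str
    iss: str
    sub: str
    private_data: list = field(default_factory=list)

# Constructed ID-token claims (not real tokens). First, the original employee's login...
OLD_LOGIN = {"iss": "https://idp.example.test", "sub": "uuid-old-111",
             "email": "alice@oldstartup.test", "hd": "oldstartup.test"}
# ...then a login from a new org that re-registered the lapsed domain: same
# email and hd, but a fresh sub because it is a different IdP account.
NEW_ORG_LOGIN = {"iss": "https://idp.example.test", "sub": "uuid-new-222",
                 "email": "alice@oldstartup.test", "hd": "oldstartup.test"}

class ServiceProvider:
    """Hypothetical SP user store, keyed by whatever key_fn treats as the login's identity."""
    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.users = {}

    def login(self, claims):
        key = self.key_fn(claims)
        user = self.users.get(key)
        if user is None:  # first time this key is seen: provision a new account
            user = User(claims["email"], claims["iss"], claims["sub"])
            self.users[key] = user
        return user

# Vulnerable linking: email (like hd) is a reusable attribute, not an identity,
# so a re-created account with the same address inherits the old user's data.
by_email = lambda c: c["email"]
# Hardened linking: (iss, sub) is the only pair the IdP promises is stable and unique.
by_iss_sub = lambda c: (c["iss"], c["sub"])

def simulate(key_fn):
    """Returns the private data visible to the new org's login under a given linking rule."""
    sp = ServiceProvider(key_fn)
    alice = sp.login(OLD_LOGIN)
    alice.private_data.append("Q3 board deck")  # stored under the original account
    newcomer = sp.login(NEW_ORG_LOGIN)
    return newcomer.private_data

if __name__ == "__main__":
    print(simulate(by_email), simulate(by_iss_sub))  # ['Q3 board deck'] []
```

Keying on `(iss, sub)` stops the takeover of the individual account; it does not by itself address the second point in the comment, that domain-scoped resources granted on `hd` or the email domain still need a check against something that identifies the Workspace org rather than the domain string.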