Comment by jsnell 4 days ago

> To be honest I'm surprised google isn't using a uuid tied to the account for the identity given to others

But they are providing a unique, stable, never reused identifier tied to the account, as has been mentioned a number of times in this thread. It's the "sub" field[0], whose entire purpose is to be the unique identifier for tying the IDP's data to the RP's data.

What they're not doing is providing that unique id in the "email" field, because the purpose of the email field is to contain the email address. The documentation even specifically tells you not to use it as the primary identifier.

> The e-mail should only be used as metadata for contact info

Indeed. But that's up to the relying party. The only way to prevent them from checking the wrong field would be to not provide them the email address at all, even when they're explicitly requesting it.

[0] https://developers.google.com/identity/openid-connect/openid...
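The distinction the comment draws, as an added example that is not part of jsnell's post or Google's code: a relying party keyed on the `sub` claim keeps two subjects apart even when they present the same email address, while one keyed on `email` merges them. The ID-token claims are constructed, and signature, issuer and audience verification are assumed to have already happened.

```python
# Added example (not from the thread): linking relying-party accounts to an
# OpenID Connect ID token by the stable "sub" claim rather than by "email".
# The claim dictionaries are constructed; the token is assumed to have been
# verified (signature, iss, aud, exp) before these functions see it.

from dataclasses import dataclass, field


@dataclass
class RelyingParty:
    # Accounts keyed by (issuer, sub): the pair the IdP promises is unique,
    # stable and never reused for another user.
    accounts: dict = field(default_factory=dict)

    def link_by_sub(self, claims: dict) -> tuple:
        key = (claims["iss"], claims["sub"])
        # Email is contact metadata only; store it when verified, refresh it
        # on every login, and never use it to locate the account.
        email = claims.get("email") if claims.get("email_verified") else None
        self.accounts.setdefault(key, {})["email"] = email
        return key


def link_by_email(accounts: dict, claims: dict) -> str:
    # The pattern the comment warns against: the email address as primary id.
    email = claims["email"]
    accounts.setdefault(email, {"sub": claims["sub"]})
    return email


# Constructed claims: two distinct subjects that, at different times, present
# the same email address (for example a mailbox reassigned to a new person).
ISS = "https://accounts.google.com"
OLD_USER = {"iss": ISS, "sub": "1001", "email": "alice@example.com", "email_verified": True}
NEW_USER = {"iss": ISS, "sub": "2002", "email": "alice@example.com", "email_verified": True}


def compare_linking() -> dict:
    rp = RelyingParty()
    by_email: dict = {}
    sub_keys = {rp.link_by_sub(OLD_USER), rp.link_by_sub(NEW_USER)}
    email_keys = {link_by_email(by_email, OLD_USER), link_by_email(by_email, NEW_USER)}
    return {
        "sub_accounts": len(sub_keys),      # 2: the subjects stay separate
        "email_accounts": len(email_keys),  # 1: the new person lands in the old account
        "old_sub_still_mapped": by_email["alice@example.com"]["sub"] == "1001",
    }
```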