I am building a website that uses OAuth 2.0 and OpenID Connect (of some third-party vendor) to authenticate users.
Before redirecting the user to the vendor's OAuth page, I am not asking the user to enter a unique UserID on my website. I was thinking of using the user's emailid that I receive as part of the IDToken after the authorization process is done as the user's User Name (unique identity) for my website.
But the OpenID specification here
https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
says that emailid is optional and may not be returned.
So the question is: is it a standard practice to ask the user to provide a unique name (that I can use as the user's identity on my website) before I initiate the OAuth/OpenID Connect process?
The sub claim must be unique per issuer. Required Claims will always be present. You can use the iss + sub to uniquely identify users.
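
The approach from the answer, as an added example that is not part of the original posts: a local account is keyed on the (iss, sub) pair, and email is stored only as an optional attribute. It assumes the ID token has already been validated (signature, issuer, audience, expiry); the SQLite schema and the function names are hypothetical.

```python
import sqlite3


def open_store():
    """Create an in-memory user table keyed on (iss, sub)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE users (
               id    INTEGER PRIMARY KEY,
               iss   TEXT NOT NULL,
               sub   TEXT NOT NULL,
               email TEXT,            -- optional claim: may be absent or change
               UNIQUE (iss, sub)      -- sub is only unique within one issuer
           )"""
    )
    return db


def resolve_user(db, claims):
    """Return the local user id for validated ID token claims.

    Creates the account on first login. The email claim is never used
    as the lookup key, so a missing or changed email does not affect
    which account the login maps to.
    """
    iss, sub = claims.get("iss"), claims.get("sub")
    if not iss or not sub:
        raise ValueError("ID token is missing the required iss/sub claims")
    email = claims.get("email")

    row = db.execute(
        "SELECT id FROM users WHERE iss = ? AND sub = ?", (iss, sub)
    ).fetchone()
    if row is None:
        cur = db.execute(
            "INSERT INTO users (iss, sub, email) VALUES (?, ?, ?)",
            (iss, sub, email),
        )
        return cur.lastrowid
    if email is not None:
        # Refresh the stored attribute; identity stays bound to (iss, sub).
        db.execute("UPDATE users SET email = ? WHERE id = ?", (email, row[0]))
    return row[0]
```
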