aaronpk: the problematic value is email address, since emails are not good at being stable user identifiers. lots of examples of websites consuming an email address as a user ID from oauth/openid flows and running into edge cases and vulnerabilities as a result