I enabled the IdentityServer to authenticate with Facebook with the implicit flow.

now when I get authenticated i get an id value as subject. like 502967fe0125ce3ff75050ef7b83fd68 I used it as a user id to store user related data. But from time to time it seems like the content of the subject changes and I get a different id.

Am I missunderstanding the concept of the Subject . Is it expected that it is chagning ?

Shouldn't be the subject id constant? What information should I use to store user related data ?

This is how i configure the facebook provider in the identityserver:

 public static void Configure(IAppBuilder app, string signInAsType)
        {
            var fb = new FacebookAuthenticationOptions
            {
                AuthenticationType = "Facebook",
                Caption = "Facebook",
                SignInAsAuthenticationType = signInAsType,
                AppId = myAppId,
                AppSecret = mySecret 
            };
            app.UseFacebookAuthentication(fb);
        }

And here is the client config in the website

   JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "cookies"
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            AuthenticationType = "oidc",
            SignInAsAuthenticationType = "cookies",

            ClientId = "website",
            Authority = identServer,
            RedirectUri = "http://localhost/pluto/",
            ResponseType = "id_token token",
            Scope = "openid profile email warehouseapi"
        }

The sub claim represents the unique identifier of the user in the context of the STS.

This typically means that a new sub is created the first time the user logs in. This sub is then associated with the external login (issuer name and external sub) and re-used.

Found the reason. The id in sub returned is the user id of identity server and not the facebook id. And as I use a memory implementation then every time the identity server is restarted the id changes.

So for me this is closed but there is still the question wether this is a desireable behavior.

Should it be more likely the facebook id which is put to subject?