Subject Identifier is not Unique for Multiple Logins
As stated in the OpenID specification, the ID token contains a subject identifier ("sub") that is supposed to uniquely identify an end-user. However, I find that the sub changes if I log in multiple times with the same credential.
Here are two dummy examples that you can throw into jwt.io to check for yourselves:
The current behaviour is especially problematic when configuring AAS as an identity provider for Keycloak. Upon the second login, Keycloak will complain that a user with the same username/email already exists.
If I'm doing something wrong here, please let me know. I would assume that the sub should either be part of the credential (e.g., a DID) or could be a hash of the credential contents to make it unique...
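Added example, not part of the original post and not AAS or Keycloak code: a Python check that compares the (`iss`, `sub`) pair of two ID tokens, plus the hash-of-credential-contents derivation suggested above. The issuer URL, credential fields, `sub` values and all function names are constructed for illustration, and the tokens are unsigned dummies.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_claims(token: str) -> dict:
    """Decode a compact JWT payload WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def same_end_user(token_a: str, token_b: str) -> bool:
    """A relying party identifies the end-user by the (iss, sub) pair."""
    a, b = jwt_claims(token_a), jwt_claims(token_b)
    return (a["iss"], a["sub"]) == (b["iss"], b["sub"])

def stable_sub(credential: dict) -> str:
    """Hypothetical derivation: SHA-256 over canonical JSON of the credential."""
    canonical = json.dumps(credential, sort_keys=True, separators=(",", ":"),
                           ensure_ascii=False).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()  # 64 ASCII chars, under the 255 limit

def make_dummy_token(claims: dict) -> str:
    """Build an unsigned dummy token; 'sig' is a constructed placeholder."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.sig"

# Constructed sample data.
ISS = "https://issuer.example"
CRED = {"type": "ExampleCredential",
        "credentialSubject": {"email": "alice@example.org", "name": "Alice"}}
CRED_REORDERED = {"credentialSubject": {"name": "Alice", "email": "alice@example.org"},
                  "type": "ExampleCredential"}

# Behaviour reported in the post: a fresh sub on every login.
LOGIN1 = make_dummy_token({"iss": ISS, "sub": "constructed-sub-1", "email": "alice@example.org"})
LOGIN2 = make_dummy_token({"iss": ISS, "sub": "constructed-sub-2", "email": "alice@example.org"})

# Suggested behaviour: sub derived from the credential, independent of key order.
FIXED1 = make_dummy_token({"iss": ISS, "sub": stable_sub(CRED)})
FIXED2 = make_dummy_token({"iss": ISS, "sub": stable_sub(CRED_REORDERED)})

if __name__ == "__main__":
    print("reported tokens match:", same_end_user(LOGIN1, LOGIN2))
    print("derived tokens match: ", same_end_user(FIXED1, FIXED2))
```

An unkeyed hash over low-entropy contents such as an e-mail address can be recomputed by anyone who guesses those contents, so an issuer-held secret (for example HMAC-SHA-256 instead of plain SHA-256) is the safer variant of the same idea.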