I work in the public service sector. When we're architecting OAuth2/OIDC integrations we specify using a unique identifier like a guid or some otherwise immutable id as the federation id. This way other attributes that may be ephemeral can change at will. It's not always easy determining this but it's worth it.