Identify user in Apple login with different APP_ID OAuth client


I am using Apple OAuth login in my two apps. I identify users using the "sub" claim that can be obtained from the id_token each time they log in. Since it has to identify as the same user in both apps if it's the same account, I need to receive the same sub token.

I've created OAuth clients with different APP_IDs for each of the two apps, but I confirmed that I can receive the same sub value for the same account.

Is it okay to follow this policy for the login feature? I am curious if there is any official documentation that I can refer to on this matter. Thank you.


There is 1 answer

MentalBoolean

This documentation can be helpful for your question, but it's always a good idea to add extra layers of security, either directly to your app or from the API Gateway.
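An added example, not part of the question or the answer above: a server-side claim check for a backend that accepts Apple id_tokens from both OAuth clients and keys the account on `sub`. It assumes the JWT signature has already been verified against Apple's published keys; the two client IDs and the `login`/`account_key` helpers are constructed placeholders.

```python
import time

APPLE_ISSUER = "https://appleid.apple.com"
# Constructed placeholder client IDs, one per app; replace with your own.
ALLOWED_AUDIENCES = frozenset({"com.example.app-one", "com.example.app-two"})


class TokenRejected(Exception):
    """Raised when verified claims are not acceptable for this backend."""


def account_key(claims, now=None):
    """Return the account lookup key for already signature-verified claims.

    Assumption: the caller verified the JWT signature before calling this;
    only claim checks happen here.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != APPLE_ISSUER:
        raise TokenRejected("unexpected issuer")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else aud
    # Every audience must be one of our own client IDs, so a token issued
    # to some other developer's client cannot log anyone in here.
    if not isinstance(audiences, list) or not audiences or not all(
        isinstance(a, str) and a in ALLOWED_AUDIENCES for a in audiences
    ):
        raise TokenRejected("audience not allowed")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenRejected("token expired")
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise TokenRejected("missing sub")
    # Key on (issuer, sub) so identifiers from another provider never collide.
    return (APPLE_ISSUER, sub)


def login(accounts, claims, now=None):
    """Find or create the account for these claims in a dict-backed store."""
    key = account_key(claims, now)
    return accounts.setdefault(key, {"id": len(accounts) + 1})
```
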