I work in the public service sector. When we're architecting OAuth2/OIDC integrations, we specify using a unique identifier like a GUID or some otherwise immutable ID as the federation ID. This way other attributes that may be ephemeral can change at will. It's not always easy determining this, but it's worth it.
I would love to see improvements on the "Social Authentication" process, making the third-party ID the primary identifier, instead of the email.
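
The difference between the two keying strategies discussed above, as an added example that is not part of the original comments: the same three logins are replayed against an account store keyed on the immutable federation ID (issuer plus subject) and against one keyed on email. The issuer URL, subject values, addresses and all class and function names are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import count


@dataclass
class Account:
    account_id: int
    email: str  # mutable profile attribute


class Directory:
    """Local account store; key_fn picks which claims identify the user."""

    def __init__(self, key_fn):
        self._key_fn = key_fn
        self._accounts = {}
        self._ids = count(1)

    def login(self, claims):
        key = self._key_fn(claims)
        account = self._accounts.get(key)
        if account is None:
            account = Account(next(self._ids), claims["email"])
            self._accounts[key] = account
        account.email = claims["email"]  # refresh the ephemeral attribute
        return account


def by_federation_id(claims):
    # sub is only unique within one issuer, so the key is the pair
    return (claims["iss"], claims["sub"])


def by_email(claims):
    return claims["email"].lower()


# Constructed ID token claims (hypothetical issuer and subjects)
ISS = "https://idp.example.org"
ALICE = {"iss": ISS, "sub": "7f3c1e0a-0001", "email": "alice@example.org"}
ALICE_RENAMED = {**ALICE, "email": "alice.smith@example.org"}
# A different person who is later issued Alice's old address
NEWCOMER = {"iss": ISS, "sub": "7f3c1e0a-0002", "email": "alice@example.org"}


def replay(key_fn):
    """Return the local account id each login resolves to."""
    d = Directory(key_fn)
    return [d.login(c).account_id for c in (ALICE, ALICE_RENAMED, NEWCOMER)]


if __name__ == "__main__":
    print("federation id:", replay(by_federation_id))  # [1, 1, 2]
    print("email:        ", replay(by_email))          # [1, 2, 1]
```

Keyed on email, the renamed user lands in a fresh account and the newcomer resolves to the original user's account; keyed on the federation ID, both cases resolve correctly.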