
What are the downsides of matching by email in SSO logins (e.g. Google, Facebook, Apple, Microsoft)?

Çağlar Arlı


Context

I've read somewhere that one should not match by email (e.g. the email given by the Google JWT token) when using SSO (e.g. OpenID Connect), but it's not clear to me why.

The recommended approach seems to be using the aud and sub claims or other similar combinations, but this has obvious drawbacks: for example, if a user logs in with Google and then, after a few months, not remembering which SSO provider they used, logs in with Facebook with the same email, a new account will be created; if we were matching by email address instead, the two accounts would effectively be linked.

Question

Assuming access to the email should grant access to the application, what are the downsides of matching users by the email provided by an SSO provider (assuming email_verified is true)?
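The two matching strategies the question contrasts, as an added example that is not part of the original question: accounts are keyed on the issuer/subject pair first, and email is used for linking only when the token says email_verified is true and the issuer is on a constructed allowlist of providers whose verification we trust. The issuer URLs other than Google's, the AccountStore class and its outcome labels are assumptions made for the example.

```python
# Added example (not from the original question): account lookup for OIDC
# logins that keys on (iss, sub) and only falls back to email linking when
# the issuer is trusted and the token asserts email_verified == true.
from dataclasses import dataclass, field

# Constructed allowlist: issuers whose email_verified claim we accept.
TRUSTED_ISSUERS = {"https://accounts.google.com", "https://idp-b.example"}


@dataclass
class Account:
    id: int
    email: str
    identities: set = field(default_factory=set)  # {(iss, sub), ...}


class AccountStore:
    def __init__(self):
        self.accounts = []
        self.by_identity = {}  # (iss, sub) -> Account
        self.by_email = {}     # normalised email -> Account

    def login(self, claims):
        """Resolve an ID-token claim set to an account.

        Returns (account, outcome). Outcomes: matched_identity, linked_by_email,
        created, or email_collision (account is None: we refuse to hand over an
        existing account on the word of an issuer we do not trust to have
        verified that mailbox).
        """
        key = (claims["iss"], claims["sub"])
        if key in self.by_identity:  # stable identity wins, even if the
            return self.by_identity[key], "matched_identity"  # email changed
        email = claims.get("email", "").strip().lower()
        verified = claims.get("email_verified") is True  # not the string "true"
        existing = self.by_email.get(email) if email else None
        if existing is not None:
            if verified and claims["iss"] in TRUSTED_ISSUERS:
                existing.identities.add(key)
                self.by_identity[key] = existing
                return existing, "linked_by_email"
            return None, "email_collision"
        acct = Account(id=len(self.accounts) + 1, email=email, identities={key})
        self.accounts.append(acct)
        self.by_identity[key] = acct
        if email:
            self.by_email[email] = acct
        return acct, "created"
```

The email_collision outcome is where a real application would fall back to its own verification step (for example, a confirmation mail) instead of silently creating a second account or silently merging.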