Question:
What value does the OpenID Service/RP receive as the unique identifier of the logged-on user? Is the “sub” attribute used for this and, if so, can its value be adjusted, even per RP if necessary? The problem is that the subject contains the user name.
"sub": "f:688938b4-1bfa-4235-84e8-e5314ba00708:m.mustermann"
Answer:
The subject and its schema cannot be modified. The default of this schema is from Keycloak, but it could be overwritten with a mapper. You can ignore the sub-field and create a separate claim for a unique field, such as the uid.
Question:
How exactly do I overwrite the “sub” claim using my own mapper?
→ Simply create a “User Attribute” mapper in the client, choose the desired attribute and then enter the value “sub” in the “Token Claim Name”?
Answer:
Yes:
- In Keycloak, go to the corresponding client scope (e.g. profile).
- Navigate to the mappers.
- Add a new mapper and select the mapper type User Attribute.
- Configure your user-defined value for the unique identification, e.g. using the uid.
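As an added example (not part of the original answer or of Keycloak itself), the same mapper expressed as the representation the Keycloak Admin REST API accepts, together with the pre-check a defender would run before overriding sub: the chosen attribute must be present and unique for every user, otherwise two accounts would present the same subject to the RP. The attribute name uid, the scope path and the sample users are assumptions.

```python
import re
from typing import Dict, List

# Subject schema quoted in the question: "f:<uuid>:<username>".
DEFAULT_SUB_RE = re.compile(r"^f:[0-9a-fA-F-]{36}:(?P<username>.+)$")


def build_sub_override_mapper(user_attribute: str = "uid") -> Dict:
    """Mapper representation for the Keycloak Admin REST API (POST
    /admin/realms/{realm}/client-scopes/{scopeId}/protocol-mappers/models).
    Mapper type and config keys are Keycloak's; "uid" is an assumed attribute."""
    return {
        "name": "sub-from-" + user_attribute,
        "protocol": "openid-connect",
        "protocolMapper": "oidc-usermodel-attribute-mapper",
        "config": {
            "user.attribute": user_attribute,
            "claim.name": "sub",  # overwrites the default subject claim
            "jsonType.label": "String",
            "id.token.claim": "true",
            "access.token.claim": "true",
            "userinfo.token.claim": "true",
        },
    }


def find_unsafe_sub_values(users: List[Dict], attribute: str) -> Dict[str, object]:
    """Pre-check: every user needs exactly one non-empty value and no two users
    may share it, or two accounts would present the same subject to the RP."""
    missing: List[str] = []
    seen: Dict[str, List[str]] = {}
    for user in users:
        values = user.get("attributes", {}).get(attribute, [])  # values are lists
        if len(values) != 1 or not values[0].strip():
            missing.append(user["username"])
            continue
        seen.setdefault(values[0], []).append(user["username"])
    duplicates = {v: names for v, names in seen.items() if len(names) > 1}
    return {"missing": missing, "duplicates": duplicates}


def sub_exposes_username(claims: Dict) -> bool:
    """True if a token still carries the default subject schema with the user name."""
    return DEFAULT_SUB_RE.match(str(claims.get("sub", ""))) is not None


# Constructed sample users in Admin-API representation (not from a real realm).
SAMPLE_USERS = [
    {"username": "m.mustermann", "attributes": {"uid": ["10001"]}},
    {"username": "e.musterfrau", "attributes": {"uid": ["10002"]}},
    {"username": "svc-backup", "attributes": {"uid": ["10001"]}},  # collides
    {"username": "guest", "attributes": {}},  # attribute missing
]
```

Run the pre-check against the realm's user list before creating the mapper, and run sub_exposes_username on a freshly issued token afterwards to confirm the user name no longer appears in the subject.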