The OpenID 2.0 protocol security model is built around the Claimed Identifier, not the email address. So the best approach is to make your realm consistent. If you can do this, it is the best approach.

It might also be a good idea to keep the email address in your user table so that if your realm ever changes (perhaps your company has acquired another), you can migrate your users. But if you plan on doing this, you should also store what the OP endpoint was during the authentication in which you received the email address, so you know whether you can trust it.

It is generally unsafe to trust an email address at all. If you trust the Provider (Google in your case) to give you verified email addresses, you can trust the email addresses if you make sure that it is actually that Provider that authenticated the user. This can only be done correctly by confirming that the value of `IAuthenticationResponse.Provider.Uri` matches the one you trust. It cannot be done implicitly, simply by offering the "Sign in with Google" button, because of "unsolicited OpenID assertions", which allow users to log in with arbitrary providers regardless of what the RP offers in its user interface. And it cannot be done by checking the domain of the claimed identifier, due to the difference between the claimed identifier and the OP-local identifier.
Andrew Arnott
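The check described in the answer above, as an added illustration that is neither Andrew's code nor DotNetOpenAuth's API: `AuthResponse` is a constructed stand-in for the fields of `IAuthenticationResponse` the check needs, and the trusted endpoint value is a placeholder to be replaced with your Provider's real OP endpoint.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Stand-in for the fields of DotNetOpenAuth's IAuthenticationResponse that this
# check needs (constructed for the example; not the library's own type).
@dataclass(frozen=True)
class AuthResponse:
    status: str               # e.g. "Authenticated", "Failed", "Canceled"
    provider_uri: str         # IAuthenticationResponse.Provider.Uri
    claimed_identifier: str   # the Claimed Identifier the RP keys accounts on
    email: Optional[str]      # email asserted via an sreg/AX extension, if any

# The OP endpoint(s) whose email assertions you trust. Placeholder value;
# put the real endpoint of your trusted Provider here.
TRUSTED_OP_ENDPOINTS = frozenset({"https://op.example.com/openid/endpoint"})

def _endpoint_key(uri: str):
    """Canonical form for comparing OP endpoint URIs: case-insensitive scheme
    and host, explicit default ports folded away, path compared as-is."""
    p = urlsplit(uri)
    scheme = p.scheme.lower()
    port = p.port or {"https": 443, "http": 80}.get(scheme)
    return (scheme, (p.hostname or "").lower(), port, p.path or "/")

def verified_email(resp: AuthResponse, trusted=TRUSTED_OP_ENDPOINTS) -> Optional[str]:
    """Return the asserted email only when the assertion came from a trusted OP.
    The decision rests on Provider.Uri, never on the domain of the claimed
    identifier or on which sign-in button the user clicked: an unsolicited
    assertion from any other OP can carry any claimed identifier and any email."""
    if resp.status != "Authenticated":
        return None
    if _endpoint_key(resp.provider_uri) not in {_endpoint_key(u) for u in trusted}:
        return None
    return resp.email

def account_row(resp: AuthResponse, trusted=TRUSTED_OP_ENDPOINTS) -> dict:
    """What to persist: key on the claimed identifier, and keep the email
    together with the OP endpoint it was received from so its trustworthiness
    can be re-evaluated later (for example when migrating users to a new realm)."""
    return {
        "claimed_identifier": resp.claimed_identifier,
        "email": resp.email,
        "email_op_endpoint": resp.provider_uri,
        "email_verified": verified_email(resp, trusted) is not None,
    }
```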