We talking about ID tokens or Access tokens? Your ID tokens should contain a sub
claim matching the user’s ID in Okta, and an access token should contain a sub
claim matching the users email address.
We don’t really offer a way to configure the sub
claim, outside of the one returned in an Access Token issued by a custom Authorization Server, so is it possible for your system to check a different claim instead?