What does the OAuth / OpenID Connect Sub Claim regex match?

Matches an OAuth 2.0 / OIDC subject identifier: alphanumeric string, typically UUID or opaque token.

Is the OAuth / OpenID Connect Sub Claim regex ReDoS-safe?

Yes. The pattern uses a flat, non-backtracking structure with no nested quantifiers, making catastrophic backtracking impossible.

How do I use this regex in php?

// No imports required — PCRE is built into PHP $pattern = '/^[A-Za-z0-9\-._|]{8,255}$/'; $is_valid = (bool) preg_match($pattern, $input);

Identity & PII/Digital Identity

Verified Safe

OAuth / OpenID Connect Sub Claim Regex for PHP

/^[A-Za-z0-9\-._|]{8,255}$/

What this pattern does

This page provides a lightweight, single-purpose regular expression for matching oauth / openid connect sub claim, ported and verified for PHP. Identity and credential patterns need both correctness and safety, since they're frequent targets for adversarial input. The snippet below is ready to drop into your PHP project — whether you're validating in a Laravel validator, a WordPress plugin, or a standalone PHP script.

Php Implementation

Php

<?php
// OAuth / OpenID Connect Sub Claim
// ReDoS-safe | RegexVault — Identity & PII > Digital Identity

define('OAUTH_OPENID_CONNECT_SUB_CLAIM_PATTERN', '/^[A-Za-z0-9\-._|]{8,255}$/');

function validate_oauth_openid_connect_sub_claim(string $input): bool {
    return (bool) preg_match(OAUTH_OPENID_CONNECT_SUB_CLAIM_PATTERN, $input);
}

// Example
var_dump(validate_oauth_openid_connect_sub_claim("248289761001")); // bool(true)

Test Cases

Matches (Valid)	Rejects (Invalid)
`248289761001`	`ab`
`user123456`	`user@name`
`auth0\|507f191e810c19729de860ea`	`user name`
`google-oauth2\|1234567890`	—

When to use this pattern

This pattern is drawn from the Identity & PII > Digital Identity category and carries a ReDoS-safe certification. That matters for PHP developers because especially relevant in PHP where PCRE backtracking limits can trigger silent failures on malicious input. RegexVault audits patterns against known backtracking attack vectors, ensuring you have the necessary context before using this regex in a high-stakes production environment.

Common Pitfalls

The OIDC sub claim should be opaque — do not encode personal data in it. If it contains a username or email, it violates the spirit of the OIDC specification and creates privacy risks.

Technical Notes

OIDC sub (subject) is a locally unique, never-reassigned identifier for the end user. Format is provider-specific: Google uses numeric strings, Auth0 uses provider|id format, Okta uses UUID format. Must be stable and not reassigned.

Have a pattern that belongs in the vault?

Submit it for review — community-verified patterns get credited to your GitHub handle. Free submissions join the queue. Priority review available for $15.

Submit a Pattern