diff --git a/npm/src/controller/oauth.ts b/npm/src/controller/oauth.ts
index 9372d6e14..c33f8311a 100644
--- a/npm/src/controller/oauth.ts
+++ b/npm/src/controller/oauth.ts
@@ -1330,16 +1330,24 @@ export class OAuthController implements IOAuthController {
 };
 const signingKey = await loadJWSPrivateKey(jwtSigningKeys.private, jwsAlg!);
 const kid = await computeKid(jwtSigningKeys.public, jwsAlg!);
+ let subjectPrefix = ""
+ if(codeVal.requested?.tenant) {
+ subjectPrefix += `${codeVal.requested.tenant}|`;
+ }
+ if(codeVal.requested?.product) {
+ subjectPrefix += `${codeVal.requested.product}|`;
+ }
+ const subject_id = subjectPrefix + codeVal.profile.claims.id;
 const id_token = await new jose.SignJWT(claims)
 .setProtectedHeader({ alg: jwsAlg!, kid })
 .setIssuedAt()
 .setIssuer(this.opts.externalUrl)
- .setSubject(codeVal.profile.claims.id)
+ .setSubject(subject_id)
 .setAudience(tokenVal.requested.client_id)
 .setExpirationTime(`${this.opts.db.ttl}s`) // identity token only really needs to be valid long enough for it to be verified by the client application.
 .sign(signingKey);
 tokenVal.id_token = id_token;
- tokenVal.claims.sub = codeVal.profile.claims.id;
+ tokenVal.claims.sub = subject_id;
 }
 const { hexKey, encVal } = encrypt(tokenVal);
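Review bot: The new subject is assembled by joining tenant, product and the profile id with a bare `|`, so a tenant or product value that itself contains `|` (or an empty string, which the truthiness checks silently skip) produces a `sub` that collides with a different tenant/product/id combination; each segment should be validated or escaped before concatenation, for example rejecting the value when `/\|/.test(codeVal.requested.tenant)` or encoding it with `encodeURIComponent(...)`. Because `sub` is the identifier relying parties are likely to persist as the stable user key, this changes the subject seen by every existing client that goes through a tenant/product flow, which deserves a comment above `let subjectPrefix = ""` stating that the prefixing is intentional and why. Minor style: `let subjectPrefix = ""` lacks the semicolon used on every other line of the hunk, `if(` should be `if (`, and `subject_id` is snake_case where the surrounding code uses camelCase (`signingKey`, `subjectPrefix`). The enclosing method begins before and ends after this hunk.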