If not, is the common approach to use a registration ID plus the Principal name? And if so does that mean the principal name is always unique across users under a single oAuth provider?