...

Note well: The application developer must scope-check every identifier asserted by an untrusted third party. This is especially true if the identifier is used for access control. Failure to do so can leave major security holes like the one reported in Office 365.

Of course this assumes the application relies on scoped identifiers to begin with (values of the form user@scope, where the scope is a domain the IdP is authorized to assert). In particular, an application should never rely on an email address to identify a user. An email address is not scoped: the address trscavo@gmail.com may be legitimately asserted by any IdP. Conclusion: an email address makes a lousy user identifier.
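The following is an added example of the scope check described above, not code from the original page. It assumes an application that has loaded, from the federation metadata it trusts, the scopes each IdP is authorized to assert (the shibmd:Scope elements of the IdP's metadata, including regexp scopes), and that the scoped identifier is eduPersonPrincipalName. The entityIDs, scopes and attribute values are constructed for the example.

```python
import re

# Scopes each IdP is authorized to assert, as an application would load them
# from the federation metadata it trusts (the <shibmd:Scope> elements in the
# IdP's metadata).  The entityIDs and scopes below are constructed for this
# example.  A regexp="true" scope in metadata is a pattern the scope must match.
AUTHORIZED_SCOPES = {
    "https://idp.example.edu/idp/shibboleth": {
        "literal": {"example.edu"},
        "regexp": [r"[a-z0-9-]+\.example\.edu"],
    },
    "https://idp.partner.org/saml": {
        "literal": {"partner.org"},
        "regexp": [],
    },
}


class ScopeError(ValueError):
    """The asserted identifier cannot be trusted from this IdP."""


def split_scoped(value):
    """Split 'user@scope' into (user, scope).

    Exactly one '@' is required: splitting on the first or the last '@' would
    let 'mallory@example.edu@partner.org' pass a check for either scope.
    """
    if value.count("@") != 1:
        raise ScopeError(f"malformed scoped identifier: {value!r}")
    local, scope = value.split("@")
    if not local or not scope:
        raise ScopeError(f"empty local part or scope: {value!r}")
    # Scopes are DNS names, so compare them case-insensitively.
    return local, scope.lower()


def scope_check(idp_entity_id, value, authorized=AUTHORIZED_SCOPES):
    """Accept value only if idp_entity_id may assert its scope; return it normalised."""
    local, scope = split_scoped(value)
    rules = authorized.get(idp_entity_id)
    if rules is None:
        raise ScopeError(f"unknown IdP {idp_entity_id!r}")
    if scope in {s.lower() for s in rules["literal"]}:
        return f"{local}@{scope}"
    for pattern in rules["regexp"]:
        if re.fullmatch(pattern, scope, re.IGNORECASE):
            return f"{local}@{scope}"
    raise ScopeError(f"{idp_entity_id!r} is not authorized to assert scope {scope!r}")


def resolve_user_id(idp_entity_id, attributes):
    """Derive the application's user identifier from the asserted attributes.

    Only a scope-checked identifier (eduPersonPrincipalName here) is used.
    'mail' is deliberately ignored: it carries no scope that the IdP's metadata
    vouches for, so any IdP could assert trscavo@gmail.com.
    """
    scoped = attributes.get("eduPersonPrincipalName")
    if scoped is None:
        raise ScopeError("no scoped identifier asserted; refusing to fall back to mail")
    return scope_check(idp_entity_id, scoped)


def is_rejected(idp_entity_id, attributes):
    """True if resolve_user_id refuses these attributes from this IdP."""
    try:
        resolve_user_id(idp_entity_id, attributes)
    except ScopeError:
        return True
    return False


if __name__ == "__main__":
    idp = "https://idp.example.edu/idp/shibboleth"
    print(resolve_user_id(idp, {"eduPersonPrincipalName": "alice@example.edu",
                                "mail": "trscavo@gmail.com"}))
    # The partner IdP is not authorized for example.edu, so this is refused.
    print(is_rejected("https://idp.partner.org/saml",
                      {"eduPersonPrincipalName": "alice@example.edu"}))
```

The check is keyed on the entityID of the IdP that actually signed the assertion, never on anything inside the assertion itself, and the authorized-scope table must come from metadata the application trusts, not from the IdP at login time. An identifier with two '@' characters is rejected outright rather than split, since a lenient split is the usual way a scope check is bypassed.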

...