diff --git a/lib/accounts/user.ex b/lib/accounts/user.ex
index 2da15a1..d8c7a66 100644
--- a/lib/accounts/user.ex
+++ b/lib/accounts/user.ex
@@ -105,6 +105,8 @@ defmodule Mv.Accounts.User do
 upsert? true
 upsert_identity :unique_oidc_id
+ validate &__MODULE__.validate_oidc_id_present/2
+
 change AshAuthentication.GenerateTokenChange
 change fn changeset, _ctx ->
@@ -125,6 +127,16 @@ defmodule Mv.Accounts.User do
 end
 end
+ def validate_oidc_id_present(changeset, _context) do
+ user_info = Ash.Changeset.get_argument(changeset, :user_info) || %{}
+
+ if is_binary(user_info["sub"]) or is_binary(user_info["id"]) do
+ :ok
+ else
+ {:error, [user_info: "OIDC user_info must contain a non-empty 'sub' or 'id' field"]}
+ end
+ end
+
 attributes do
 uuid_primary_key :id
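Review bot: In `validate_oidc_id_present/2` the check `is_binary(user_info["sub"]) or is_binary(user_info["id"])` accepts an empty string, although the error message promises a non-empty value. Because the action in the first hunk upserts on `:unique_oidc_id`, an empty or whitespace-only identifier that reaches the identity would presumably make unrelated logins resolve to the same user record. I would tighten it with `present? = fn v -> is_binary(v) and String.trim(v) != "" end` and `if present?.(user_info["sub"]) or present?.(user_info["id"]) do`. The change that derives the OIDC id from `user_info` lies outside this hunk, so confirm it applies the same rule and does not prefer an empty `sub` over a valid `id`. Since the function is public only so it can be captured, a `@doc false` (or a short `@doc` plus `@spec`) above it would make that intent clear.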