feature: use sub instead of email as username

Also exposed email as it can be of use for the webapps

I'm also thinking if the "credentials" can be shown as "user" instead, and pile up all the relevant information about the user there: for example, add roles and other info about users that the AAP exposes.

It may also be worth thinking about having as an API only this credentials/user objects, instead of many functions that extract information about the user from the token, it seems to be replicated.