JWT token sub value in OIDC client credentials flow

We have a multi-tenant application where we need to ensure that the “Client ID” used to access a tenant-specific endpoint is assigned to that tenant. We do this by maintaining a mapping between each “Client ID” (using the sub field of the incoming JWT token) and the “tenant” (extracted from the endpoint used to access the application).

In our local developer test environment, we are running Keycloak in Docker Compose. The problem we are running into is that every time we restart Keycloak, the value of the sub for the same Client ID changes. Is there some way to change how the sub gets populated to either make it a known value (e.g., same as the Client ID) or at least make it a value that doesn’t change across restarts?

Thanks,
Robert
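
The tenant check described in the question, as an added example that is not part of the original post: it binds the token's `sub` to the tenant taken from the request path and fails closed, so a `sub` that changed after a restart is denied rather than matched to the wrong tenant. The `/tenants/<tenant>/...` path layout, the function names and the sample mapping are assumptions, and the claims are assumed to come from a JWT that has already been validated.

```python
import hmac
import re

# Hypothetical URL layout (not from the post): /tenants/<tenant>/...
TENANT_PATH = re.compile(r"^/tenants/([a-z0-9-]+)(?:/|$)")

# Constructed sample mapping: identity claim value -> tenant.
BINDINGS = {
    "3f0c6a9e-1111-4222-8333-444455556666": "acme",
    "9b2d7e10-aaaa-4bbb-8ccc-ddddeeeeffff": "globex",
}


def tenant_from_path(path):
    """Return the tenant segment of the request path, or None if malformed."""
    match = TENANT_PATH.match(path)
    return match.group(1) if match else None


def is_authorized(claims, path, bindings=BINDINGS, claim="sub"):
    """Allow only when the token's identity claim is bound to the path's tenant.

    `claims` must be the payload of a JWT whose signature, issuer, audience
    and expiry were already validated. Every other case fails closed.
    """
    identity = claims.get(claim)
    requested = tenant_from_path(path)
    if not isinstance(identity, str) or requested is None:
        return False
    bound = bindings.get(identity)
    if bound is None:
        # Unknown identity, for example a sub the identity provider regenerated.
        return False
    # Exact match only; no prefix or case-insensitive comparison.
    return hmac.compare_digest(bound.encode(), requested.encode())


if __name__ == "__main__":
    acme = {"sub": "3f0c6a9e-1111-4222-8333-444455556666"}
    print(is_authorized(acme, "/tenants/acme/orders"))    # own tenant
    print(is_authorized(acme, "/tenants/globex/orders"))  # another tenant
    print(is_authorized({"sub": "regenerated-after-restart"}, "/tenants/acme/orders"))
```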