diff --git a/command/ssh/login.go b/command/ssh/login.go
index fd34f808..c002255c 100644
--- a/command/ssh/login.go
+++ b/command/ssh/login.go
@@ -198,9 +198,9 @@ func loginAction(ctx *cli.Context) error {
 identityKey = key
 }
- // NOTE: For OIDC token the principals should be completely empty. The OIDC
- // provisioner is responsible for setting default principals by using an
- // identity function.
+ // NOTE: For OIDC tokens the subject should be always the email. The
+ // provisioner is responsible to setting the principals by using an identity
+ // function.
 if email, ok := tokenHasEmail(token); ok {
 subject = email
 }
diff --git a/command/ssh/proxycommand.go b/command/ssh/proxycommand.go
index e808afc3..0c4447aa 100644
--- a/command/ssh/proxycommand.go
+++ b/command/ssh/proxycommand.go
@@ -143,9 +143,9 @@ func doLoginIfNeeded(ctx *cli.Context, subject string) error {
 return err
 }
- // NOTE: For OIDC token the principals should be completely empty. The OIDC
- // provisioner is responsible for setting default principals by using an
- // identity function.
+ // NOTE: For OIDC tokens the subject should be always the email. The
+ // provisioner is responsible to setting the principals by using an identity
+ // function.
 if email, ok := tokenHasEmail(token); ok {
 subject = email
 }
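Review bot: The rewritten NOTE above the `tokenHasEmail` check in loginAction is ungrammatical ("should be always", "responsible to setting") and does not say which side enforces the rule; the identical text is repeated in doLoginIfNeeded in proxycommand.go. Suggested wording: `// NOTE: For OIDC tokens the subject should always be the email. The provisioner is responsible for setting the principals by using an identity function.` The visible lines only read the email claim and do not show the token being verified, so the comment could also state that this client-side subject is presumably just the requested value and that the CA-side provisioner must validate the token and decide the principals. Both functions start and end outside their hunks, and since the check and its comment are duplicated in both files, one shared helper would keep them from drifting apart.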