Abhay Kumar

Reputation: 841

Fetching NameIdentifier from Azure Active Directory AuthenticationResult.AccessToken

I need to get the nameidentifier from the token that Azure AD sends. I am assuming this is unique for each user of the AD and have some custom authorization logic based on it. For example,

AuthenticationResult result = authenticationContext.AcquireToken(webApiResourceId, certificateCredential);
string accessToken = result.AccessToken;

This accessToken is sent to the WebAPI as an AuthenticationHeader, which decrypts it and fetches the nameidentifier as

Claim tenantClaim = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier);

But this process on the WebAPI is transparent and is performed by ADAL. However, I need to get the NameIdentifier at the client side itself. Is there any way I can fetch the NameIdentifier at the client side itself, by decrypting the AccessToken? I do not seem to find the correct answer upon searching.

Upvotes: 1

Views: 1182

Answers (1)

vibronet

Reputation: 7394

Can you expand on why you need the NameIdentifier on the client? Note that the client side does not perform any validation on the token, hence you should not take any access control decisions on the client based on the token content. The server side can take decisions based on the token content given that the token itself is validated before making its content available to the application.

Another important consideration: the access token is meant for the web API and the client should not try to read it. Even if you manage to read it, you'd be generating extremely brittle logic as the format can change at any time, it might be encrypted with a key that your client should not have, and so on.

If you need access to the NameIdentifier on the client for different reasons, you can inspect the id_token. The id token is another token that is sent alongside the access token. The id token is meant for the client, hence it is safe for you to look at. You can find it as a property in AuthenticationResult.

HTH
V.

Upvotes: 2
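
An added example, not part of the answer above and not ADAL code: reading one claim from an id_token on the client for display or correlation only, with no signature validation. The `IdTokenReader` class, the choice of the `sub` claim, the use of System.Text.Json and the sample token are assumptions made for illustration.

```csharp
using System;
using System.Text;
using System.Text.Json;

static class IdTokenReader
{
    // Decode one base64url JWT segment to its JSON text (padding is stripped in JWTs).
    static string Base64UrlToJson(string segment)
    {
        string s = segment.Replace('-', '+').Replace('_', '/');
        switch (s.Length % 4)
        {
            case 2: s += "=="; break;
            case 3: s += "="; break;
            case 1: throw new FormatException("Invalid base64url length.");
        }
        return Encoding.UTF8.GetString(Convert.FromBase64String(s));
    }

    // Returns a string claim from the id_token payload WITHOUT validating the token.
    // Suitable for display or correlation on the client, never for access control.
    public static string ReadClaim(string idToken, string claimName)
    {
        if (string.IsNullOrEmpty(idToken)) return null;   // no id_token available
        string[] parts = idToken.Split('.');
        if (parts.Length != 3) throw new FormatException("Not a compact JWT.");
        using (JsonDocument doc = JsonDocument.Parse(Base64UrlToJson(parts[1])))
        {
            return doc.RootElement.TryGetProperty(claimName, out JsonElement v)
                   && v.ValueKind == JsonValueKind.String
                ? v.GetString() : null;
        }
    }

    // Helper used only to build the constructed sample below.
    static string Encode(string json) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(json))
               .TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static void Main()
    {
        // Constructed, unsigned sample; in the question's code the input would be result.IdToken.
        string sample = Encode("{\"alg\":\"none\"}") + "."
            + Encode("{\"sub\":\"constructed-subject-0001\",\"name\":\"Sample User\"}") + ".";
        Console.WriteLine(ReadClaim(sample, "sub"));                   // constructed-subject-0001
        Console.WriteLine(ReadClaim(null, "sub") ?? "(no id_token)");  // (no id_token)
    }
}
```

Any authorization decision tied to the identifier stays in the web API, which validates the access token before exposing its claims.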
