Cody Popham

Reputation: 1002

Azure AD bearer token - Get User identifier

I have an ASP.NET Core API secured using the AzureADBearer authentication method.

Following the example laid out here: https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect-aspnetcore

Calls to the API are secured using a bearer token that is generated with ADAL.net with this method.

    private async Task<string> getToken()
    {
        AuthenticationResult result = null;
        // Object ID of the signed-in user, read from the web app's own sign-in claims
        string userObjectID = (User.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier"))?.Value;

        // Using ADAL.Net, get a bearer token to access the TodoListService
        AuthenticationContext authContext = new AuthenticationContext(AzureAdOptions.Settings.Authority, new NaiveSessionCache(userObjectID, HttpContext.Session));
        // Application (client) credential: the app authenticates as itself here
        ClientCredential credential = new ClientCredential(AzureAdOptions.Settings.ClientId, AzureAdOptions.Settings.ClientSecret);

        result = await authContext.AcquireTokenAsync(AzureAdOptions.Settings.TodoListResourceId, credential);

        return result.AccessToken;
    }

However, when I look at the claims that the API receives, there is no identifier that appears to be unique to the user. The NameIdentifier claim is identical for every user I generate the token for.

The object ID obtained in the above code is the only unique aspect in the generation of the token, and it doesn't seem to matter in the claims represented in the API's deconstruction of the token.

Any thoughts on how I can get any sort of unique user ID across to the API? That could be an email, a SID, anything I can use.

Upvotes: 3

Views: 1752

Answers (1)

Cliff Crerar

Reputation: 443

On the AccessToken there is a claim with the key `oid`, or Object ID. It is an immutable GUID that uniquely identifies the user as an Azure object.

Look at this decoded JSON Web Token example of a user token generated by the Azure AD implicit grant flow for a single-page application using MSAL.js.

Note: Some items were omitted and changed for privacy reasons.

    {
      "aud": "<app registration guid>",
      "iss": "https://login.microsoftonline.com/<tenant id>/v2.0",
      "iat": 1606857684,
      "nbf": 1606857684,
      "exp": 1606861584,
      "name": "developer",
      "oid": "<Object ID>",
      "preferred_username": "[email protected]",
      "sub": "RePapB10ksij8FA7dv-GdO9u4tz0_Hm4mmSeuGcqByY",
      "tid": "<tenant id>",
      "ver": "2.0"
    }

Upvotes: 2
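As an added example (not the questioner's or answerer's code), here is how an ASP.NET Core API can read the `oid` and `tid` claims from the validated bearer token: it checks both the short v2.0 claim names and the long claim URIs that the default JWT handler maps them to (the `objectidentifier` URI appears in the question; the `tenantid` URI is the handler's mapped name for `tid`), and keys the caller on `tid:oid`, since `oid` is only unique within a tenant and `sub` differs per application. It assumes the token was acquired on behalf of a user; a token obtained with client credentials, as in the question's `getToken`, identifies the application's service principal, so its `oid` and `sub` are the same for every caller.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Added example: derive a stable per-user key from the validated principal.
public static class AzureAdClaimExtensions
{
    // Short names appear in v2.0 tokens when inbound claim mapping is off;
    // the long URIs are what the ASP.NET Core JWT handler exposes by default.
    private const string OidShort = "oid";
    private const string OidLong = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    private const string TidShort = "tid";
    private const string TidLong = "http://schemas.microsoft.com/identity/claims/tenantid";

    // Returns "tenantId:objectId", or null when the token carries no oid/tid.
    // oid alone is not globally unique: the same GUID space is reused per tenant.
    public static string? GetStableUserKey(this ClaimsPrincipal user)
    {
        string? oid = user.FindFirst(OidShort)?.Value ?? user.FindFirst(OidLong)?.Value;
        string? tid = user.FindFirst(TidShort)?.Value ?? user.FindFirst(TidLong)?.Value;
        if (string.IsNullOrEmpty(oid) || string.IsNullOrEmpty(tid))
            return null;
        return $"{tid}:{oid}";
    }
}

[ApiController]
[Route("api/[controller]")]
[Authorize] // the bearer token has already been validated by the AzureADBearer handler
public class MeController : ControllerBase
{
    [HttpGet]
    public IActionResult Get()
    {
        // Refuse tokens that identify no principal rather than silently
        // filing every caller under one record.
        string? key = User.GetStableUserKey();
        if (key is null)
            return Unauthorized("Token carries no oid/tid claims.");

        return Ok(new { userKey = key });
    }
}
```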
