Patrick

Reputation: 5836

MSAL - userIdentifier versus idToken.oid

I am using MSAL to validate a user against Microsoft Azure AD and am getting a valid token back.

The MSAL library is handing me back a User object which contains a property called userIdentifier.

This is a string, not a GUID.

The documentation says to use a field called oid to uniquely identify users across the Microsoft Identity platform. I have this property available under User.idToken.oid.

This value is a GUID as the documentation says.

My question is, what is this User.userIdentifier and should I be using this? I need to know what to store on the database side to tie this local user to an Azure AD user.

Upvotes: 2

Views: 2724

Answers (2)

DarkLite1

Reputation: 14695

For clarity's sake, it is advised to use the accountIdentifier property, as it will always be populated, even in the edge cases where oid might not be available:

const accountIdentifier: string = idToken.objectId || idToken.subject;

More info on GitHub.

Upvotes: 3

juunas

Reputation: 58723

Looking at the source code (https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-core/src/Account.ts), there is no userIdentifier, but there is an accountIdentifier. It could be that yours is an older version, in which case this might not be correct for that.

// create accountIdentifier
const accountIdentifier: string = idToken.objectId || idToken.subject;

It is either the oid or sub claim, whichever has a value. If you want the oid, you should get it from the idTokenClaims property on Account.

Upvotes: 2
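As an added example (not code from the original page, and not MSAL's own code), the Node.js snippet below reproduces the oid-or-sub rule both answers quote from msal-core's Account.ts and shows what a backend would actually persist to tie a local user to an Azure AD account. It also carries the two caveats a practitioner wants here: the oid claim is a GUID that is stable across applications but unique only within a tenant, so the database key should be (tid, oid), whereas sub is a per-application (pairwise) string and is only a fallback; and claims must never be trusted until the token's signature, issuer, audience and expiry have been validated, which this helper deliberately does not do. The tokens, claim values, and function names (idTokenClaims, accountIdentifier, localUserKey) are all constructed for the example.

```javascript
// Added example (not MSAL code): the oid || sub fallback from msal-core's Account.ts,
// applied to constructed, unsigned sample ID tokens, plus the (tid, oid) key to persist.

function base64urlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const pad = b64.length % 4 === 0 ? '' : '='.repeat(4 - (b64.length % 4));
  return Buffer.from(b64 + pad, 'base64').toString('utf8');
}

function base64urlEncode(s) {
  return Buffer.from(s, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Payload decode only. This does NOT check the signature, issuer, audience or expiry;
// never derive a user identity from claims that have not been validated first
// (MSAL validates on the client; a backend must use a JWT library with the tenant's
// signing keys). The function exists only to show the claim-selection logic.
function idTokenClaims(rawIdToken) {
  const parts = rawIdToken.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected header.payload.signature)');
  return JSON.parse(base64urlDecode(parts[1]));
}

// Same rule as msal-core: prefer the oid claim, fall back to sub when oid is absent.
function accountIdentifier(claims) {
  return claims.oid || claims.sub;
}

const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
function isGuid(value) {
  return typeof value === 'string' && GUID_RE.test(value);
}

// What to store to tie a local user to the Azure AD account.
// oid is a GUID that is stable across apps in the tenant but only unique within that
// tenant, so key on (tid, oid). sub is a per-application (pairwise) string, so it is
// only a fallback and must not be compared across different client apps.
function localUserKey(claims) {
  const id = accountIdentifier(claims);
  if (!id) throw new Error('token has neither oid nor sub; refuse to link a user');
  return {
    tenantId: claims.tid || null,
    accountIdentifier: id,
    identifierIsOid: Boolean(claims.oid),
  };
}

// Constructed sample tokens (alg "none", empty signature) purely to exercise the logic.
function makeUnsignedIdToken(claims) {
  const header = base64urlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  return `${header}.${base64urlEncode(JSON.stringify(claims))}.`;
}

// Constructed claim sets: one with oid and sub, one with sub only (the edge case).
const SAMPLE_CLAIMS_WITH_OID = {
  iss: 'https://login.microsoftonline.com/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/v2.0',
  tid: 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee',
  oid: '11111111-2222-3333-4444-555555555555',
  sub: 'AAAAAAAAAAAAAAAAAAAAAJXbmrgI2xqlbc6JoyrvyGM',
  preferred_username: 'patrick@example.com',
};
const SAMPLE_CLAIMS_SUB_ONLY = {
  iss: SAMPLE_CLAIMS_WITH_OID.iss,
  tid: SAMPLE_CLAIMS_WITH_OID.tid,
  sub: SAMPLE_CLAIMS_WITH_OID.sub,
};

const TOKEN_WITH_OID = makeUnsignedIdToken(SAMPLE_CLAIMS_WITH_OID);
const TOKEN_SUB_ONLY = makeUnsignedIdToken(SAMPLE_CLAIMS_SUB_ONLY);

for (const token of [TOKEN_WITH_OID, TOKEN_SUB_ONLY]) {
  const claims = idTokenClaims(token);
  console.log(localUserKey(claims), 'oid is a GUID:', isGuid(claims.oid));
}
```

Run with `node`: the first token yields the GUID oid as the identifier, the second falls back to the opaque sub string, and localUserKey refuses a token carrying neither, which is the safe failure mode when linking accounts.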

Related Questions