Getting User's Token Subject Identifier (sub) From Within Azure AD

My web app is using multiple OAuth 2.0 Identity Providers, and would like to retrieve the 'sub' from the id_token of the Access Token Response and match it with one stored in my app's DB, since 'sub' is a unique id across whatever system the user is at, and it's a standard field in the id_token.

My question is: Is there an obvious/convenient way to retrieve a user's Token Subject Identifier (aka sub) from within Azure AD portal? I know 'Object ID' (aka Object Identifier or oid) is part of the user profile at the Azure AD portal. However, 'oid' is not a standard field in the JWT id_token (e.g. Azure AD uses it, but Google Identity doesn't), but 'sub' is.

gye asked Sep 10 '15 20:09



1 Answer

From the Azure management portal you can only see the Object ID of the users in the Active Directory.


But in the C# code, if you have the JWT token for that user, you can decode it like below and get whatever property you want from it:

using System.Linq;
using System.IdentityModel.Tokens.Jwt;
// Parses the compact JWT string; this reads the claims but does not validate the signature.
var token = new JwtSecurityToken(jwtToken);
var oid = token.Claims.FirstOrDefault(m => m.Type == "oid")?.Value; // null if the claim is absent
var sub = token.Claims.FirstOrDefault(m => m.Type == "sub")?.Value;

However, if you don't have your users' username and password, you can't get a JWT token for them from AAD.

Alternatively, you can use the AAD Graph API to get more detailed user information from AAD, but even the Azure Graph API will not have "sub" in the response, and only has the Object Id:

https://msdn.microsoft.com/en-us/library/azure/dn151678.aspx

Here is the response of a GET Users call using AAD Graph:

{
    "odata.metadata": "https://graph.windows.net/contoso.onmicrosoft.com/$metadata#directoryObjects/Microsoft.WindowsAzure.ActiveDirectory.User/@Element",
    "odata.type": "Microsoft.WindowsAzure.ActiveDirectory.User",
    "objectType": "User",
    "objectId": "4e971521-101a-4311-94f4-0917d7218b4e",
    "accountEnabled": true,
    "assignedLicenses": [],
    "assignedPlans": [],
    "city": null,
    "country": null,
    "department": null,
    "dirSyncEnabled": null,
    "displayName": "Alex Wu",
    "facsimileTelephoneNumber": null,
    "givenName": null,
    "jobTitle": null,
    "lastDirSyncTime": null,
    "mail": null,
    "mailNickname": "AlexW",
    "mobile": null,
    "otherMails": [],
    "passwordPolicies": null,
    "passwordProfile": null,
    "physicalDeliveryOfficeName": null,
    "postalCode": null,
    "preferredLanguage": null,
    "provisionedPlans": [],
    "provisioningErrors": [],
    "proxyAddresses": [],
    "state": null,
    "streetAddress": null,
    "surname": null,
    "telephoneNumber": null,
    "usageLocation": null,
    "userPrincipalName": "[email protected]"
}
Aram answered Oct 22 '22 23:10
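The decode step from the answer, as an added example that is not part of the question or answer above: it parses an id_token with only the standard library, checks the signature before reading claims, and extracts "sub" and "oid". The token, key and claim values are constructed for the demo, and it uses HS256 with a shared key so it runs offline; real Azure AD id_tokens are RS256-signed with keys published at the tenant's JWKS endpoint, so a production check would use those keys instead.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def parse_id_token(token: str, key: bytes) -> dict:
    """Verify an HS256-signed JWT and return its payload claims.
    Decoding alone (what `new JwtSecurityToken(jwtToken)` does) reads the
    claims but does not prove who issued them; check the signature first."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token pick "none"
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    return json.loads(b64url_decode(payload_b64))

def subject_identifiers(claims: dict) -> dict:
    """Identifiers an app can store. "sub" is the standard OIDC claim but is
    only unique per issuer, so key on (iss, sub); "oid" is Azure AD specific
    and absent from other providers' tokens, hence None there."""
    return {"key": (claims["iss"], claims["sub"]), "oid": claims.get("oid")}

def make_token(claims: dict, key: bytes) -> str:
    # Builds the constructed sample token; Azure AD itself signs with RS256.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, (header + "." + payload).encode(), hashlib.sha256)
    return header + "." + payload + "." + b64url_encode(sig.digest())

DEMO_KEY = b"constructed-demo-key"  # placeholder, not a real signing key
DEMO_CLAIMS = {  # constructed claims shaped like an Azure AD id_token
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "sub": "constructed-pairwise-subject-value",
    "oid": "4e971521-101a-4311-94f4-0917d7218b4e",  # objectId from the answer
}

if __name__ == "__main__":
    ids = subject_identifiers(parse_id_token(make_token(DEMO_CLAIMS, DEMO_KEY), DEMO_KEY))
    print(ids["key"], ids["oid"])
```

Storing the (iss, sub) pair rather than "sub" alone is what keeps the match correct once a second provider is added, since two issuers may legitimately emit the same "sub" string.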