Menu
My web app is using multiple OAuth 2.0 Identity Providers, and would like to retrieve the 'sub' from the id_token of the Access Token Response and match it with one stored in my app's DB, since 'sub' is an unique id across whatever system the user is at, and it's a stand field in the id_token.
My question is: Is there an obvious/convenient way to retrieve a user's Token Subject Identifier (aka sub) from within Azure AD portal? I know 'Object ID' (aka Object Identifier or oid) is part of the user profile at the Azure AD portal. However, 'oid' is not a standard field in the JWT id_token (e.g. Azure AD uses it, but Google Identity doesn't), but 'sub' is.
633
A client application can request a managed identity app-only access token to access a given resource. The token is based on the managed identities for Azure resources service principal. As such, there's no need for the client to obtain an access token under its own service principal.
oid. String, a GUID. The immutable identifier for an object in the Microsoft identity system, in this case, a user account. This ID uniquely identifies the user across applications - two different applications signing in the same user will receive the same value in the oid claim.
In v2.0 tokens, this is always the client ID of the API, while in v1.0 tokens it can be the client ID or the resource URI used in the request, depending on how the client requested the token. Identifies the security token service (STS) that constructs and returns the token, and the Azure AD tenant in which the user was authenticated.
Identifies the security token service (STS) that constructs and returns the token, and the Azure AD tenant in which the user was authenticated. If the token issued is a v2.0 token (see the ver claim), the URI will end in /v2.0. The GUID that indicates that the user is a consumer user from a Microsoft account is 9188040d-6c67-4c5b-b112-36a304b66dad.
Use the authorization code to acquire the access token. A refresh token will be returned at the same time and can be used to refresh the access token. You must successfully pass this step before moving forward. If you encounter a “permission” problem, contact your administrator for help. Tenant ID in Azure AD.
If a user is member of more groups than the overage limit (150 for SAML tokens, 200 for JWT tokens, and only 6 if issued via the implicit flow), then Azure AD does not emit the groups claim in the token.
From the Azure management portal you can only see the Object ID of the users in the Active Directory.
But in the C# code, if you have the JWT token for that user you can decode it like below and get whatever property you want from it:
var token = new JwtSecurityToken(jwtToken);
var oid = token.Claims.FirstOrDefault(m=>m.Type == "oid").Value;
var sub = token.Claims.FirstOrDefault(m => m.Type == "sub").Value;
However, If you don't have your users username password, you can't get a JWT token for them from AAD.
Alternatively, you can use AAD Graph API to get more detailed user information from AAD, but even Azure Graph API will not have "SUB" in the response, and only has the Object Id:
https://msdn.microsoft.com/en-us/library/azure/dn151678.aspx
Here is the response of GET Users call using AAD Graph:
{
"odata.metadata": "https://graph.windows.net/contoso.onmicrosoft.com/$metadata#directoryObjects/Microsoft.WindowsAzure.ActiveDirectory.User/@Element",
"odata.type": "Microsoft.WindowsAzure.ActiveDirectory.User",
"objectType": "User",
"objectId": "4e971521-101a-4311-94f4-0917d7218b4e",
"accountEnabled": true,
"assignedLicenses": [],
"assignedPlans": [],
"city": null,
"country": null,
"department": null,
"dirSyncEnabled": null,
"displayName": "Alex Wu",
"facsimileTelephoneNumber": null,
"givenName": null,
"jobTitle": null,
"lastDirSyncTime": null,
"mail": null,
"mailNickname": "AlexW",
"mobile": null,
"otherMails": [],
"passwordPolicies": null,
"passwordProfile": null,
"physicalDeliveryOfficeName": null,
"postalCode": null,
"preferredLanguage": null,
"provisionedPlans": [],
"provisioningErrors": [],
"proxyAddresses": [],
"state": null,
"streetAddress": null,
"surname": null,
"telephoneNumber": null,
"usageLocation": null,
"userPrincipalName": "[email protected]"
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
