What is in the sub and oid claims when getting client_credentials tokens from the Azure AD OAuth v2 token endpoint?

I can get these tokens after setting up keys/secrets, but I don't know if or how I can rely on the sub claim in my app.

For more background, my app is actually a B2C registered app and I'm going to the v2 endpoint in the B2C tenant, but with no policy specified in order to use the client credentials flow (probably resulting in a regular AAD, non-B2C token -- I had to load multiple keysets on the back end for token validation to work since we're basically using multiple token sources doing it this way). In our app we use middleware to validate the JWT Bearer token and look up valid callers by sub/oid to add any appropriate claims to the contextual claims identity.

In this client_credentials case, I am trying to figure out if the oid is related to some service principal, my app, a GUID representing the client secret used, or something else entirely - and whether I can rely on it enough to just add it to my expected "users" database with appropriate application privileges. Ideally there would be an easier way to identify tokens that were being used for service-to-service calls.

Here is an example of retrieving these tokens using Postman (screenshot, not reproduced: using Postman to get a client_credentials token),

resulting in:

{
    "token_type": "Bearer",
    "expires_in": 3599,
    "ext_expires_in": 0,
    "access_token": "eyJ...pcQ"
}

The token contents, as decoded on jwt.io, were shown in a screenshot (not reproduced here).

sprobean asked Jul 31 '18 16:07


1 Answer

@juunas had the right answer (it's the service principal). The difficulty was in verifying the answer.

In my case I am getting tokens for an appId which is defined in an Azure AD B2C tenant. The tenant was created using my main (enterprise) logon. The service principals are difficult to find in Azure, and I followed some red herrings using the AzureAD PowerShell extensions. Ultimately I found that I had the same kind of problem as this guy, so I created an admin in my tenant to use when logging in through PowerShell using the MSOnline extensions. Once I had that set up and was logged in through PowerShell under the right account, I was able to run Get-MsolServicePrincipal -TenantId 88...e9 -AppPrincipalId 0a...23 to see the info for my application. The resulting displayed AppPrincipalId is the application id that is visible in the portal. The ObjectId returned matches the oid (and sub) I see in client credentials grant tokens issued for this app.

(PowerShell output shown in a screenshot, not reproduced here.)

sprobean answered Oct 04 '22 20:10
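Putting the question's middleware (validate the bearer token, then look the caller up by sub/oid) together with the answer's finding (in a client_credentials token, sub and oid both carry the calling app's service-principal ObjectId) gives the check below. It is an added example, not code from the question or the answer. The tenant, app and object ids are made up, and a constructed HS256 key stands in for the real step of verifying an RS256 signature against the tenant's published keys, so that the block runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# All identifiers below are constructed for the demo; none are the poster's real
# tenant, app or service-principal ids.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
API_APP_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"            # the API being called (expected aud)
CALLER_SP_OBJECT_ID = "99999999-8888-7777-6666-555555555555"   # ObjectId of the caller's service principal
USER_OBJECT_ID = "12121212-3434-5656-7878-909090909090"        # oid of a signed-in user (delegated case)

# The "users" table the middleware consults: object id -> application privileges.
KNOWN_CALLERS = {
    CALLER_SP_OBJECT_ID: ["orders.read", "orders.write"],
    USER_OBJECT_ID: ["orders.read"],
}

# Demo-only symmetric key so the example runs offline. Real Azure AD tokens are
# RS256 and must be verified against the tenant's JWKS from its discovery document.
DEMO_HS256_KEY = b"demo-key-not-for-production"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_demo_token(claims: dict) -> str:
    """Build a constructed HS256 JWT with the given claims (stand-in for the token endpoint)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_HS256_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_and_decode(token: str) -> dict:
    """Signature, expiry, tenant and audience checks; returns the claim set on success."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":            # pin the algorithm; never trust the token's own alg
        raise ValueError("unexpected alg")
    expected = hmac.new(DEMO_HS256_KEY, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    if claims.get("tid") != TENANT_ID:
        raise ValueError("token issued by an unexpected tenant")
    if claims.get("aud") != API_APP_ID:
        raise ValueError("token not intended for this API")
    return claims


def classify_caller(claims: dict):
    """Return (kind, object_id, privileges) where kind is 'app' or 'user'."""
    oid, sub = claims.get("oid"), claims.get("sub")
    if not oid or not sub:
        raise ValueError("token carries no oid/sub")
    if "scp" in claims:
        # Delegated token: a signed-in user is behind the call. sub is a pairwise,
        # per-application identifier that differs from oid, so look the caller up by oid.
        return "user", oid, KNOWN_CALLERS.get(oid, [])
    # No scp: app-only (client_credentials) token. sub and oid both hold the caller's
    # service-principal object id; a mismatch means something is wrong with the token.
    if sub != oid:
        raise ValueError("app-only token with sub != oid")
    if oid not in KNOWN_CALLERS:
        raise PermissionError("unknown service principal: " + oid)
    return "app", oid, KNOWN_CALLERS[oid]


def run_demo() -> dict:
    """Exercise the middleware logic on three constructed tokens."""
    base = {"aud": API_APP_ID, "tid": TENANT_ID, "exp": int(time.time()) + 3600}
    app_token = mint_demo_token({**base, "sub": CALLER_SP_OBJECT_ID, "oid": CALLER_SP_OBJECT_ID,
                                 "roles": ["Orders.ReadWrite.All"]})
    user_token = mint_demo_token({**base, "sub": "pairwise-subject-for-this-app",
                                  "oid": USER_OBJECT_ID, "scp": "orders.read"})
    odd_token = mint_demo_token({**base, "sub": CALLER_SP_OBJECT_ID,
                                 "oid": "00000000-0000-0000-0000-000000000000"})
    results = {
        "app": classify_caller(verify_and_decode(app_token)),
        "user": classify_caller(verify_and_decode(user_token)),
    }
    try:
        classify_caller(verify_and_decode(odd_token))
        results["mismatch_rejected"] = False
    except ValueError:
        results["mismatch_rejected"] = True
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

An app-only token carries no scp claim (its application permissions arrive in roles), so "no scp and sub == oid" is the practical test for a service-to-service call, and the oid it yields is exactly the ObjectId that Get-MsolServicePrincipal reports. Azure AD also offers an optional idtyp claim that the API can request to make the app-versus-user distinction explicit rather than inferred.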