We have an Asp.Net 4.5 MVC app using Asp.Net Identity to manage our customer database. We are currently using Microsoft Account Authentication. We are considering using OpenId Connect so that customers with a work/school account can also sign in (see the Microsoft guide "Add sign-in to a .NET MVC web app").
Microsoft Account Authentication returns ProviderKey as the unique id of the user who has logged in. This is mapped onto UserId in our customer database.
OpenId Connect does not appear to return a ProviderKey, but NameIdentifier looks promising:
    ClaimsPrincipal.Current.FindFirst(System.IdentityModel.Claims.ClaimTypes.NameIdentifier)?.Value;
Is NameIdentifier the unique identifier of the user returned by OpenId Connect? Can it be reliably used to uniquely identify a user over time?
A wide variety of clients may use OpenID Connect (OIDC) to identify users, from single-page applications (SPA) to native and mobile apps. It may also be used for Single Sign-On (SSO) across applications. OIDC uses JSON Web Tokens (JWT), HTTP flows and avoids sharing user credentials with services.
OpenID Connect employs OAuth 2.0 access tokens to allow client apps to retrieve consented user information from the UserInfo endpoint. An OpenID provider may extend the access token scope to other protected resources and web APIs.
How is OpenID Connect related to OAuth 2.0? OAuth 2.0 is a framework for obtaining access tokens for protected resources such as web APIs. OpenID Connect utilises the OAuth 2.0 semantics and flows to allow clients (relying parties) to access the user's identity, encoded in a JSON Web Token (JWT) called the ID token.
The OpenID authentication request is essentially an OAuth 2.0 authorisation request to access the user's identity, indicated by an openid value in the scope parameter. Example authentication redirection to the OP: The request parameters are encoded in the URI query:
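The request described above, as an added example that is not part of the original page or of any OpenID provider's code: it composes the authentication request (note the openid value in scope, plus the state and nonce a relying party must generate per request) and checks the redirect back from the OP. Written in Python with the standard library rather than the ASP.NET app's C#; the endpoint, client id and redirect URI are placeholders.

```python
"""Added example (not from the original page): compose an OpenID Connect
authentication request and check the callback, using only the standard library.
Endpoint URL, client id and redirect URI below are placeholders."""
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholder values for illustration; a real app reads these from its OP's
# discovery document (.well-known/openid-configuration) and its own config.
AUTHORIZATION_ENDPOINT = "https://op.example.com/authorize"
CLIENT_ID = "my-client-id"
REDIRECT_URI = "https://rp.example.com/signin-oidc"


def build_authentication_request(state: str, nonce: str) -> str:
    """Return the redirect URL for the OIDC authorization-code flow.

    The 'openid' value in scope is what turns a plain OAuth 2.0 authorization
    request into an OpenID Connect authentication request; 'state' binds the
    callback to this browser session and 'nonce' is echoed inside the ID token
    to tie the token to this request."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def new_session_values() -> dict:
    """Generate the per-request state and nonce the RP must store server-side
    (in the session) before redirecting; both are compared on the way back."""
    return {"state": secrets.token_urlsafe(32), "nonce": secrets.token_urlsafe(32)}


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the OP's redirect back to the RP and return the authorization
    code. Raises ValueError on an OAuth error response or a state mismatch
    (a mismatch is how a login-CSRF attempt shows up)."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise ValueError(f"OP returned error: {query['error'][0]}")
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback does not belong to this session")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


if __name__ == "__main__":
    session = new_session_values()
    print(build_authentication_request(session["state"], session["nonce"]))
    # Constructed callback, shaped like the OP's redirect after the user consents:
    cb = f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={session['state']}"
    print(parse_callback(cb, session["state"]))
```

The code returned here is then exchanged at the OP's token endpoint for the ID token; the nonce generated above is what the ID token's nonce claim must match.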
Is NameIdentifier the unique identifier of the user returned by OpenId Connect? Can it be reliably used to uniquely identify a user over time?
AFAIK, the NameIdentifier is mapped from the NameId or Sub claim from the id_token (refer here). And for the id_token for Azure AD, it uses the Sub claim.
And from the description of sub claim:
Identifies the principal about which the token asserts information, such as the user of an application. This value is immutable and cannot be reassigned or reused, so it can be used to perform authorization checks safely. Because the subject is always present in the tokens the Azure AD issues, we recommended using this value in a general purpose authorization system.
The answer is yes, it can be reliably used to uniquely identify a user over time.