3
votes

I have an ASP.NET Core API secured using the AzureADBearer authentication method.

Following the example laid out here: https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect-aspnetcore

Calls to the API are secured using a bearer token that is generated with ADAL.NET using this method:

    private async Task<string> getToken()
    {
        AuthenticationResult result = null;
        string userObjectID = (User.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier"))?.Value;

        // Using ADAL.Net, get a bearer token to access the TodoListService
        AuthenticationContext authContext = new AuthenticationContext(AzureAdOptions.Settings.Authority, new NaiveSessionCache(userObjectID, HttpContext.Session));
        ClientCredential credential = new ClientCredential(AzureAdOptions.Settings.ClientId, AzureAdOptions.Settings.ClientSecret);

        result = await authContext.AcquireTokenAsync(AzureAdOptions.Settings.TodoListResourceId, credential);

        return result.AccessToken;
    }

However, when I look at the claims that the API receives, there is no identifier that appears to be unique to the user. The NameIdentifier claim is identical for every user I generate the token for.

The objectid generated in the above code is the only unique aspect in the generation of the token, and that doesn't seem to matter in the claims represented in the API's deconstruction of the token.

Any thoughts on how I can get any sort of user-unique ID across to the API? That could be an email, a SID, anything I can use.

Comments:

juunas: Why have you commented out the line of code that might work? You are using an overload of AcquireTokenAsync() that will use purely the client credentials to authenticate.

Cody Popham: That isn't an actual overload that works. That overload is for AcquireTokenSilentAsync(), which requires a token cache.

juunas: Right, is there a problem with the token cache?

Cody Popham: It returns an error saying there is no token cache when I use it.

juunas: Okay? I see that you are configuring a token cache though? Maybe it is not finding a token in the cache? You'll want to make sure your cache is populated after login and that the data is stored properly.

1 Answer

1
votes

On the access token there is a claim with the key `oid` (Object ID). It is an immutable GUID that uniquely identifies the user as an Azure AD object.

Look at this decoded JSON Web Token example of a user token generated by the Azure AD implicit grant flow for a single-page application using MSAL.js.

Note: Some items were omitted and changed for privacy reasons.

    {
      "aud": "<app registration guid>",
      "iss": "https://login.microsoftonline.com/<tenant id>/v2.0",
      "iat": 1606857684,
      "nbf": 1606857684,
      "exp": 1606861584,
      "name": "developer",
      "oid": "<Object ID>",
      "preferred_username": "dev@foo.bar",
      "sub": "RePapB10ksij8FA7dv-GdO9u4tz0_Hm4mmSeuGcqByY",
      "tid": "<tenant id>",
      "ver": "2.0"
    }
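As an added example (not part of the answer or the Azure sample), here is how the receiving ASP.NET Core API can read that `oid` claim and turn it into a stable per-user key. It assumes the standard JwtBearer pipeline, which may surface `oid`/`tid` either under their short names or under the `schemas.microsoft.com` URIs (the one the question already uses), and it keys on the tenant as well, since an `oid` is only unique within its tenant.

```csharp
using System;
using System.Security.Claims;

public static class UserIdentity
{
    // Azure AD emits the identifiers as "oid" and "tid". When the JwtBearer handler maps
    // inbound claim types they appear under these URIs instead, so both spellings are checked.
    private const string OidUri = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    private const string TidUri = "http://schemas.microsoft.com/identity/claims/tenantid";

    // Returns "<tid>:<oid>" for the caller, or null when the token carries no usable identifier.
    // A token acquired with client credentials alone (as in the question) identifies the app's
    // service principal, not the signed-in user, so callers must treat null as "no user".
    public static string GetStableUserKey(ClaimsPrincipal user)
    {
        string oid = user.FindFirst("oid")?.Value ?? user.FindFirst(OidUri)?.Value;
        string tid = user.FindFirst("tid")?.Value ?? user.FindFirst(TidUri)?.Value;

        // Guid.TryParse returns false for null or malformed input, so nothing throws here.
        if (!Guid.TryParse(oid, out _) || !Guid.TryParse(tid, out _))
            return null;

        return $"{tid}:{oid}";
    }

    public static void Main()
    {
        // Constructed principal mirroring the decoded token in the answer; GUIDs are placeholders.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim("oid", "00000000-0000-0000-0000-000000000001"),
            new Claim("tid", "00000000-0000-0000-0000-000000000002"),
            new Claim("preferred_username", "dev@foo.bar"),
        }, "Bearer");
        Console.WriteLine(GetStableUserKey(new ClaimsPrincipal(identity)));

        // A principal without oid/tid (the situation described in the question) yields null.
        var anonymous = new ClaimsPrincipal(new ClaimsIdentity());
        Console.WriteLine(GetStableUserKey(anonymous) ?? "no user identity in token");
    }
}
```

In a controller, `GetStableUserKey(User)` gives the value to store or authorize against; `preferred_username` and `name` are mutable and should not be used as the key.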