
My web app is using multiple OAuth 2.0 Identity Providers, and I would like to retrieve the 'sub' from the id_token of the Access Token Response and match it with one stored in my app's DB, since 'sub' is a unique id across whatever system the user is at, and it's a standard field in the id_token.

My question is: Is there an obvious/convenient way to retrieve a user's Token Subject Identifier (aka sub) from within Azure AD portal? I know 'Object ID' (aka Object Identifier or oid) is part of the user profile at the Azure AD portal. However, 'oid' is not a standard field in the JWT id_token (e.g. Azure AD uses it, but Google Identity doesn't), but 'sub' is.

gye
  • what do you mean: "from within Azure AD"? do you want to extract the sub from the JWT token in C# code? – Aram Sep 10 '15 at 20:16
  • I mean from the Azure AD portal. I will update the post. Sorry for the confusion. My app needs to import users' identifiers (sub) into its database beforehand. I just couldn't find them easily from the Azure AD portal. – gye Sep 10 '15 at 20:17

1 Answer


From the Azure management portal you can only see the Object ID of the users in the Active Directory.


But in the C# code, if you have the JWT token for that user you can decode it like below and get whatever property you want from it:

using System.Linq;
using System.IdentityModel.Tokens.Jwt;

var token = new JwtSecurityToken(jwtToken); // jwtToken: the raw compact JWT string; this only parses it and does not validate the signature
var oid = token.Claims.FirstOrDefault(m => m.Type == "oid")?.Value; // null if the claim is absent (e.g. non-AAD issuers)
var sub = token.Claims.FirstOrDefault(m => m.Type == "sub")?.Value;

However, if you don't have your users' username and password, you can't get a JWT token for them from AAD.

Alternatively, you can use the AAD Graph API to get more detailed user information from AAD, but even the Azure Graph API will not have "sub" in the response, and only has the Object Id:

https://msdn.microsoft.com/en-us/library/azure/dn151678.aspx

Here is the response of a GET Users call using AAD Graph:

{
    "odata.metadata": "https://graph.windows.net/contoso.onmicrosoft.com/$metadata#directoryObjects/Microsoft.WindowsAzure.ActiveDirectory.User/@Element",
    "odata.type": "Microsoft.WindowsAzure.ActiveDirectory.User",
    "objectType": "User",
    "objectId": "4e971521-101a-4311-94f4-0917d7218b4e",
    "accountEnabled": true,
    "assignedLicenses": [],
    "assignedPlans": [],
    "city": null,
    "country": null,
    "department": null,
    "dirSyncEnabled": null,
    "displayName": "Alex Wu",
    "facsimileTelephoneNumber": null,
    "givenName": null,
    "jobTitle": null,
    "lastDirSyncTime": null,
    "mail": null,
    "mailNickname": "AlexW",
    "mobile": null,
    "otherMails": [],
    "passwordPolicies": null,
    "passwordProfile": null,
    "physicalDeliveryOfficeName": null,
    "postalCode": null,
    "preferredLanguage": null,
    "provisionedPlans": [],
    "provisioningErrors": [],
    "proxyAddresses": [],
    "state": null,
    "streetAddress": null,
    "surname": null,
    "telephoneNumber": null,
    "usageLocation": null,
    "userPrincipalName": "Alex@contoso.onmicrosoft.com"
}
Aram
  • Thanks for this detailed answer. It does answer the posted questions. – gye Sep 10 '15 at 21:02
  • What if I would like to bulk-upload many users' '**sub**' to my web app? Once the authentication process returns a response with a JWT, my app would extract the 'sub' and compare it with the one stored in the DB, and see whether this user is already registered in my app. Now it seems that it's very difficult to get many users' '**sub**'. – gye Sep 10 '15 at 21:09
  • It doesn't seem like you can specify sub in Graph Update user api: https://msdn.microsoft.com/en-us/library/azure/dn130117.aspx – Aram Sep 10 '15 at 21:18
  • nope. But anyway, now it seems like I need to make some customization just for MS AAD to extract 'oid' instead of 'sub'. – gye Sep 11 '15 at 17:51
  • This doesn't answer the question. – Warren Parad Jan 31 '21 at 15:31