
I am trying to retrieve the Azure AD user given a subject id (sub) in an Azure AD registered application. I know the application and the sub, but I cannot find a way to retrieve the oid or upn for the actual user using this information.

Digging around, I cannot find anything in the docs on retrieving a User based on sub and application id:

https://learn.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0

When reading about the id token it is suggested that sub + tid + oid should be used for synchronizing across services. Looking at sub more specifically, the docs say:

The principal about which the token asserts information, such as the user of an app. This value is immutable and cannot be reassigned or reused. It can be used to perform authorization checks safely, such as when the token is used to access a resource, and can be used as a key in database tables. Because the subject is always present in the tokens that Azure AD issues, we recommend using this value in a general-purpose authorization system. The subject is, however, a pairwise identifier - it is unique to a particular application ID. Therefore, if a single user signs into two different apps using two different client IDs, those apps will receive two different values for the subject claim.

I also had a look around SO and only found this related answer but it seems to go from OID to SUB:

Getting User's Token Subject Identifier (sub) From Within Azure AD

Can I query the Graph API using application identifier and subject identifier to find the object identifier or upn?

If it is not possible using the Graph API, is there any way at all to backtrack which Azure AD user has a given subject id for an application?

span
  • How did you get the subject id? If you have got an ID token and get subject id from the ID token, you should be able to find the upn in the ID token. – Allen Wu Jan 08 '20 at 09:52
  • Yeah, I have everything I need in the token but I was curious on how to retrieve the data, if possible, from the Graph API. Let's say it's for audit purposes so the token is no longer accessible :) – span Jan 08 '20 at 10:00
  • I don't quite understand. I mean if you get sub id from ID token, you can also get upn from ID token using the same way. So I want to know where you got the sub id. – Allen Wu Jan 09 '20 at 02:02
  • @AllenWu Thank you for your interest in my question :). I am trying to find out if it is possible to backtrack from sub to oid/upn. This is because we might want to use sub as an identifier for users and perhaps even audit logging. If it is not possible to backtrack from sub, we need to use something else as you suggest (upn or even oid). It seems to me the whole purpose of sub+applicationId instead of using oid is to be able to have separate identifiers but still be able to trace them to the originating user since sub is supposed to _identify_ the user. – span Jan 09 '20 at 10:42

1 Answer


By design sub is unique for each user per application. So the same user visiting two applications will have a different sub. This is to ensure that applications that don't have the profile scope are not able to map the user's profile outside their own data.

There isn't a way to obtain the oid from the sub for this very reason.

Omkar Khair
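The point made above (sub is pairwise per application, while tid + oid identify the directory user across applications) as an added example, not code from the question or the answer. The two tokens are constructed, unsigned sample payloads with made-up tenant, object and client ids; the claim names (sub, oid, tid, aud, preferred_username) are the ones Azure AD issues.

```python
import base64
import json


def _b64url(data: dict) -> str:
    """base64url-encode a JSON object without padding, as JWT segments are."""
    raw = json.dumps(data, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build header.payload. with an empty signature (constructed test data only)."""
    return f"{_b64url({'alg': 'none', 'typ': 'JWT'})}.{_b64url(claims)}."


# Constructed: one directory user signing in to two different app registrations.
# tid and oid stay the same; sub differs per application (pairwise identifier).
USER = {"tid": "00000000-0000-0000-0000-0000000000aa",
        "oid": "11111111-1111-1111-1111-111111111111",
        "preferred_username": "alice@contoso.example"}
TOKEN_APP_A = make_unsigned_jwt({**USER, "aud": "app-a-client-id", "sub": "pairwise-sub-for-app-a"})
TOKEN_APP_B = make_unsigned_jwt({**USER, "aud": "app-b-client-id", "sub": "pairwise-sub-for-app-b"})


def decode_claims(token: str) -> dict:
    """Decode the payload segment of a JWT. This does NOT validate the signature;
    only call it on tokens your auth middleware has already validated."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_identity(token: str) -> dict:
    """Choose what to persist for audit logging: sub cannot be resolved back to a
    user through Graph, so the tenant-wide key is tid + oid and sub is kept only
    as an app-local key scoped by the audience (client id)."""
    c = decode_claims(token)
    return {"tenant_user_key": f"{c['tid']}:{c['oid']}",
            "app_local_key": f"{c['aud']}:{c['sub']}",
            "upn": c.get("preferred_username")}


def same_user(token_a: str, token_b: str) -> bool:
    """True when two tokens, possibly issued to different apps, describe one directory user."""
    return audit_identity(token_a)["tenant_user_key"] == audit_identity(token_b)["tenant_user_key"]


if __name__ == "__main__":
    print(audit_identity(TOKEN_APP_A), audit_identity(TOKEN_APP_B), same_user(TOKEN_APP_A, TOKEN_APP_B))
```

With tid + oid stored, the directory user can later be looked up in that tenant with Graph `GET /users/{oid}`; no equivalent lookup exists for sub.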