Getting User's Token Subject Identifier (sub) From Within Azure AD

Question

My web app is using multiple OAuth 2.0 Identity Providers, and would like to retrieve the 'sub' from the id_token of the Access Token Response and match it with one stored in my app's DB, since 'sub' is an unique id across whatever system the user is at, and it's a stand field in the id_token.

My question is: Is there an obvious/convenient way to retrieve a user's Token Subject Identifier (aka sub) from within Azure AD portal? I know 'Object ID' (aka Object Identifier or oid) is part of the user profile at the Azure AD portal. However, 'oid' is not a standard field in the JWT id_token (e.g. Azure AD uses it, but Google Identity doesn't), but 'sub' is.

Answer 1

From the Azure management portal you can only see the Object ID of the users in the Active Directory.

But in the C# code, if you have the JWT token for that user you can decode it like below and get whatever property you want from it:

var token = new JwtSecurityToken(jwtToken);
var oid = token.Claims.FirstOrDefault(m=>m.Type == "oid").Value;
var sub = token.Claims.FirstOrDefault(m => m.Type == "sub").Value;

However, If you don't have your users username password, you can't get a JWT token for them from AAD.

Alternatively, you can use AAD Graph API to get more detailed user information from AAD, but even Azure Graph API will not have "SUB" in the response, and only has the Object Id:

https://msdn.microsoft.com/en-us/library/azure/dn151678.aspx

Here is the response of GET Users call using AAD Graph:

{
    "odata.metadata": "https://graph.windows.net/contoso.onmicrosoft.com/$metadata#directoryObjects/Microsoft.WindowsAzure.ActiveDirectory.User/@Element",
    "odata.type": "Microsoft.WindowsAzure.ActiveDirectory.User",
    "objectType": "User",
    "objectId": "4e971521-101a-4311-94f4-0917d7218b4e",
    "accountEnabled": true,
    "assignedLicenses": [],
    "assignedPlans": [],
    "city": null,
    "country": null,
    "department": null,
    "dirSyncEnabled": null,
    "displayName": "Alex Wu",
    "facsimileTelephoneNumber": null,
    "givenName": null,
    "jobTitle": null,
    "lastDirSyncTime": null,
    "mail": null,
    "mailNickname": "AlexW",
    "mobile": null,
    "otherMails": [],
    "passwordPolicies": null,
    "passwordProfile": null,
    "physicalDeliveryOfficeName": null,
    "postalCode": null,
    "preferredLanguage": null,
    "provisionedPlans": [],
    "provisioningErrors": [],
    "proxyAddresses": [],
    "state": null,
    "streetAddress": null,
    "surname": null,
    "telephoneNumber": null,
    "usageLocation": null,
    "userPrincipalName": "Alex@contoso.onmicrosoft.com"
}