Getting User's Token Subject Identifier (sub) From Within Azure AD


Question

My web app is using multiple OAuth 2.0 Identity Providers, and would like to retrieve the 'sub' from the id_token of the Access Token Response and match it with one stored in my app's DB, since 'sub' is a unique id across whatever system the user is at, and it's a standard field in the id_token.

My question is: Is there an obvious/convenient way to retrieve a user's Token Subject Identifier (aka sub) from within the Azure AD portal? I know 'Object ID' (aka Object Identifier or oid) is part of the user profile at the Azure AD portal. However, 'oid' is not a standard field in the JWT id_token (e.g. Azure AD uses it, but Google Identity doesn't), but 'sub' is.

Answer

From the Azure management portal you can only see the Object ID of the users in the Active Directory.

But in C# code, if you have the JWT token for that user, you can decode it as below and get whatever property you want from it:

using System.IdentityModel.Tokens.Jwt; // JwtSecurityToken
using System.Linq;                      // FirstOrDefault
var token = new JwtSecurityToken(jwtToken); // parses the compact JWT; does not verify its signature
var oid = token.Claims.FirstOrDefault(m => m.Type == "oid")?.Value; // null instead of an exception when the claim is absent
var sub = token.Claims.FirstOrDefault(m => m.Type == "sub")?.Value;

However, if you don't have your users' username and password, you can't get a JWT token for them from AAD.

Alternatively, you can use the AAD Graph API to get more detailed user information from AAD, but even the Azure Graph API will not have "sub" in the response, and only has the Object ID:

https://msdn.microsoft.com/zh-cn/library/azure/dn151678.aspx

Here is the response of a GET Users call using AAD Graph:

{
    "odata.metadata": "https://graph.windows.net/contoso.onmicrosoft.com/$metadata#directoryObjects/Microsoft.WindowsAzure.ActiveDirectory.User/@Element",
    "odata.type": "Microsoft.WindowsAzure.ActiveDirectory.User",
    "objectType": "User",
    "objectId": "4e971521-101a-4311-94f4-0917d7218b4e",
    "accountEnabled": true,
    "assignedLicenses": [],
    "assignedPlans": [],
    "city": null,
    "country": null,
    "department": null,
    "dirSyncEnabled": null,
    "displayName": "Alex Wu",
    "facsimileTelephoneNumber": null,
    "givenName": null,
    "jobTitle": null,
    "lastDirSyncTime": null,
    "mail": null,
    "mailNickname": "AlexW",
    "mobile": null,
    "otherMails": [],
    "passwordPolicies": null,
    "passwordProfile": null,
    "physicalDeliveryOfficeName": null,
    "postalCode": null,
    "preferredLanguage": null,
    "provisionedPlans": [],
    "provisioningErrors": [],
    "proxyAddresses": [],
    "state": null,
    "streetAddress": null,
    "surname": null,
    "telephoneNumber": null,
    "usageLocation": null,
    "userPrincipalName": "Alex@contoso.onmicrosoft.com"
}
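The following is an added example, not code from the answer above, that carries the answer's JWT snippet through the two steps an application needs before it can safely match on sub: validate the token first, and then key the lookup on the issuer together with sub, because sub is only guaranteed unique within one identity provider. It uses the same System.IdentityModel.Tokens.Jwt package as the answer's snippet. The issuer URLs, audience, key material, user table and the IssueDemoToken helper are all constructed for the example; a real application fetches the provider's signing keys from its discovery document rather than using a shared symmetric secret.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// Added example (not the original answer's code). Requires the System.IdentityModel.Tokens.Jwt package.
public static class SubjectLookup
{
    // Hypothetical application user table keyed on (issuer, sub). Rows are constructed sample data.
    static readonly Dictionary<(string Issuer, string Subject), string> Users = new()
    {
        [("https://idp.example/CONSTRUCTED-TENANT", "user-sub-0001")] = "alex@contoso.example",
        [("https://other-idp.example", "user-sub-0001")] = "someone-else@example.net",
    };

    // Validation rules for one trusted issuer. In production IssuerSigningKey comes from the
    // issuer's JWKS; a symmetric key is used here only so the example runs offline.
    public static TokenValidationParameters BuildValidation(string issuer, string audience, SecurityKey key) =>
        new TokenValidationParameters
        {
            ValidIssuer = issuer,
            ValidAudience = audience,
            IssuerSigningKey = key,
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ClockSkew = TimeSpan.FromSeconds(30),
        };

    // Returns the application user for a token, or null when the token fails validation or no row
    // matches. Claims are read only from the token that ValidateToken has accepted.
    public static string? ResolveUser(string rawJwt, TokenValidationParameters validation)
    {
        var handler = new JwtSecurityTokenHandler();
        JwtSecurityToken jwt;
        try
        {
            handler.ValidateToken(rawJwt, validation, out SecurityToken validated);
            jwt = (JwtSecurityToken)validated;
        }
        catch (SecurityTokenException) { return null; } // bad signature, wrong issuer/audience, expired
        catch (ArgumentException)      { return null; } // not a well-formed compact JWT

        // Reading Issuer/Subject from the validated JwtSecurityToken sidesteps the handler's default
        // renaming of "sub" to ClaimTypes.NameIdentifier in the returned ClaimsPrincipal.
        if (string.IsNullOrEmpty(jwt.Subject)) return null;
        return Users.TryGetValue((jwt.Issuer, jwt.Subject), out var user) ? user : null;
    }

    // Mints a signed token standing in for what an IdP would return; constructed for the example.
    public static string IssueDemoToken(string issuer, string audience, string sub, SecurityKey key)
    {
        var token = new JwtSecurityToken(
            issuer: issuer,
            audience: audience,
            claims: new[] { new Claim(JwtRegisteredClaimNames.Sub, sub) },
            expires: DateTime.UtcNow.AddMinutes(5),
            signingCredentials: new SigningCredentials(key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    public static void Main()
    {
        const string audience = "api://my-app";
        const string trustedIssuer = "https://idp.example/CONSTRUCTED-TENANT";
        // Constructed secrets, longer than the 32 bytes HS256 keys should have at minimum.
        var trustedKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("constructed-demo-secret-at-least-32-bytes!"));
        var validation = BuildValidation(trustedIssuer, audience, trustedKey);

        // 1. Token from the trusted issuer: validates and resolves to the stored user.
        string good = IssueDemoToken(trustedIssuer, audience, "user-sub-0001", trustedKey);
        Console.WriteLine($"trusted issuer -> {ResolveUser(good, validation) ?? "rejected"}");

        // 2. Same sub value from another issuer and key: rejected, never matched to the first user.
        var otherKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("another-constructed-secret-at-least-32-bytes!"));
        string foreign = IssueDemoToken("https://other-idp.example", audience, "user-sub-0001", otherKey);
        Console.WriteLine($"other issuer   -> {ResolveUser(foreign, validation) ?? "rejected"}");

        // 3. Signature segment replaced after signing: signature verification fails.
        string tampered = good.Substring(0, good.LastIndexOf('.') + 1) + "AAAA";
        Console.WriteLine($"tampered       -> {ResolveUser(tampered, validation) ?? "rejected"}");
    }
}
```

Two points to keep in mind when adapting this: the bare `new JwtSecurityToken(jwtToken)` constructor used in the answer only parses the token, so any claim read that way is untrusted until ValidateToken (or equivalent) has checked the signature, issuer, audience and lifetime; and Azure AD's sub is pairwise, meaning it is stable per user per application, so it identifies the user only for the app it was issued to, which is one more reason to store it alongside the issuer rather than on its own.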

