从 Azure AD 中获取用户的令牌主题标识符(子) [英] Getting User's Token Subject Identifier (sub) From Within Azure AD

问题描述

我的网络应用程序正在使用多个 OAuth 2.0 身份提供者，并且想要从访问令牌响应的 id_token 中检索sub"并将其与存储在我的应用程序数据库中的一个匹配，因为'sub' 是用户所在系统的唯一 ID，它是 id_token 中的一个 Stand 字段.

My web app is using multiple OAuth 2.0 Identity Providers, and would like to retrieve the 'sub' from the id_token of the Access Token Response and match it with one stored in my app's DB, since 'sub' is an unique id across whatever system the user is at, and it's a stand field in the id_token.

我的问题是:是否有一种明显/方便的方法可以从 Azure AD 门户中检索用户的令牌主题标识符(又名 sub)?我知道对象 ID"(又名 对象标识符 或 oid)是 Azure AD 门户中用户配置文件的一部分.但是，'oid' 不是 JWT id_token 中的标准字段(例如 Azure AD 使用它，但 Google Identity 不使用它)，但 'sub' 是.

My question is: Is there an obvious/convenient way to retrieve a user's Token Subject Identifier (aka sub) from within Azure AD portal? I know 'Object ID' (aka Object Identifier or oid) is part of the user profile at the Azure AD portal. However, 'oid' is not a standard field in the JWT id_token (e.g. Azure AD uses it, but Google Identity doesn't), but 'sub' is.

推荐答案

从 Azure 管理门户您只能看到 Active Directory 中用户的对象 ID.

From the Azure management portal you can only see the Object ID of the users in the Active Directory.

但是在 C# 代码中，如果您拥有该用户的 JWT 令牌，您可以像下面那样对其进行解码并从中获取您想要的任何属性:

But in the C# code, if you have the JWT token for that user you can decode it like below and get whatever property you want from it:

var token = new JwtSecurityToken(jwtToken);
var oid = token.Claims.FirstOrDefault(m=>m.Type == "oid").Value;
var sub = token.Claims.FirstOrDefault(m => m.Type == "sub").Value;

但是，如果您没有用户名密码，则无法从 AAD 为他们获取 JWT 令牌.

However, If you don't have your users username password, you can't get a JWT token for them from AAD.

或者，您可以使用 AAD Graph API 从 AAD 获取更详细的用户信息，但即使是 Azure Graph API 的响应中也不会有SUB"，并且只有 Object Id:

Alternatively, you can use AAD Graph API to get more detailed user information from AAD, but even Azure Graph API will not have "SUB" in the response, and only has the Object Id:

https://msdn.microsoft.com/en-us/library/azure/dn151678.aspx

这是使用 AAD Graph 调用 GET 用户的响应:

Here is the response of GET Users call using AAD Graph:

{
    "odata.metadata": "https://graph.windows.net/contoso.onmicrosoft.com/$metadata#directoryObjects/Microsoft.WindowsAzure.ActiveDirectory.User/@Element",
    "odata.type": "Microsoft.WindowsAzure.ActiveDirectory.User",
    "objectType": "User",
    "objectId": "4e971521-101a-4311-94f4-0917d7218b4e",
    "accountEnabled": true,
    "assignedLicenses": [],
    "assignedPlans": [],
    "city": null,
    "country": null,
    "department": null,
    "dirSyncEnabled": null,
    "displayName": "Alex Wu",
    "facsimileTelephoneNumber": null,
    "givenName": null,
    "jobTitle": null,
    "lastDirSyncTime": null,
    "mail": null,
    "mailNickname": "AlexW",
    "mobile": null,
    "otherMails": [],
    "passwordPolicies": null,
    "passwordProfile": null,
    "physicalDeliveryOfficeName": null,
    "postalCode": null,
    "preferredLanguage": null,
    "provisionedPlans": [],
    "provisioningErrors": [],
    "proxyAddresses": [],
    "state": null,
    "streetAddress": null,
    "surname": null,
    "telephoneNumber": null,
    "usageLocation": null,
    "userPrincipalName": "Alex@contoso.onmicrosoft.com"
}

这篇关于从 Azure AD 中获取用户的令牌主题标识符(子)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！