What is a unique identifier for users in OpenId Connect

We have an Asp.Net 4.5 MVC application using Asp.Net Identity to manage our client database. We are currently using Microsoft account authentication. We are considering using OpenId Connect so that clients with a work / school account can also log in (Add Login to .NET MVC Web Application).

Microsoft Account Authentication returns the ProviderKey as the unique identifier of the user who is logged on. It appears in the UserId in our customer database.

OpenId Connect will not return ProviderKey, but NameIdentifier looks promising:

ClaimsPrincipal.Current.FindFirst(System.IdentityModel.Claims.ClaimTypes.NameIdentifier)?.Value;

Is the NameIdentifier user ID returned by OpenId Connect unique? Can it be reliably used to uniquely identify a user over time?

1 answer


Is the NameIdentifier a unique identifier for the user returned by OpenId Connect? Can it be reliably used to uniquely identify a user over time?

AFAIK, NameIdentifier is mapped from NameId or Sub in the id_token (see here). And for the Azure AD id_token, it uses Sub.

And from the description of the sub claim:



Identifies the principal that the token asserts information about, such as the user of the application. This value is immutable and cannot be reassigned or reused, so it can be safely used to perform authorization checks. Since the subject is always present in tokens issued by Azure AD, we recommend using this value in a general-purpose authorization system.

The answer is yes, it can be safely used to uniquely identify a user over time.

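As an added example (not code from the question or the answer), this helper shows how an application in the situation above can derive a stable key for its own user table from the validated OpenID Connect identity. It assumes the OWIN OpenID Connect middleware has validated the id_token and that the JWT handler's inbound claim mapping has turned "sub" into ClaimTypes.NameIdentifier; the pairing with the "iss" claim follows the OpenID Connect Core rule that "sub" is unique only within a single issuer.

```csharp
using System;
using System.Security.Claims;

// Added example: builds the identifier used to store/look up a user in the
// application's own database from a validated OpenID Connect principal.
public static class OidcUserKey
{
    // OIDC guarantees "sub" is unique and never reassigned within one issuer,
    // so the stable key is the (issuer, subject) pair, not the subject alone.
    public static string GetStableKey(ClaimsPrincipal principal)
    {
        if (principal == null) throw new ArgumentNullException("principal");

        // NameIdentifier is what the JWT handler produces from "sub"; fall back
        // to the raw "sub" claim in case inbound claim mapping was disabled.
        Claim subjectClaim = principal.FindFirst(ClaimTypes.NameIdentifier)
                             ?? principal.FindFirst("sub");
        if (subjectClaim == null || string.IsNullOrEmpty(subjectClaim.Value))
            throw new InvalidOperationException(
                "Token carries no sub/NameIdentifier claim; refuse to sign in.");

        // "iss" is not renamed by the JWT handler, so look it up by its short
        // name; fall back to the issuer recorded on the subject claim itself.
        string issuer = principal.FindFirst("iss")?.Value ?? subjectClaim.Issuer;
        if (string.IsNullOrEmpty(issuer))
            throw new InvalidOperationException(
                "Token carries no issuer; refuse to sign in.");

        // Never key on e-mail or display name: both can change or be reassigned.
        return issuer + "|" + subjectClaim.Value;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample claims standing in for a validated id_token.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.NameIdentifier, "AAAAAAAAAAAAAAAAAAAAAExampleSub"),
            new Claim("iss", "https://login.microsoftonline.com/{tenant-id}/v2.0"),
            new Claim(ClaimTypes.Email, "user@example.com") // deliberately unused
        }, "OpenIdConnect");

        // Prints "<issuer>|AAAAAAAAAAAAAAAAAAAAAExampleSub"
        Console.WriteLine(OidcUserKey.GetStableKey(new ClaimsPrincipal(identity)));
    }
}
```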