0

In an ASP.NET Web API, I need to be able to identify users with a unique id so I can refer to them in another DB. All users are on Azure Active Directory. I don't want something that can change over time (like a SID).

I tried getting the user Guid with a Membership like this, but I found that Azure Active Directory does not support Memberships.

I found IdentityExtensions.GetUserId() that is used like this: User.Identity.GetUserId(). The id generated seems to be neither the Guid nor the SID. However, it seems to be unique to each user.

Can User.Identity.GetUserId() be used to uniquely identify AAD users? If not, what is the right way to do it?

Maxime

1 Answer

2

Can User.Identity.GetUserId() be used to uniquely identify AAD users?

Yes, if it's using the ClaimTypes.NameIdentifier.

How can you tell (other than F12/ctrl+F12)?

By default it should be using ClaimTypes.NameIdentifier, provided you are on ASP Identity or comparable code (older Membership, basically a Microsoft implementation).

    // ClaimsIdentityOptions.cs

    /// <summary>
    /// Gets or sets the ClaimType used for the user identifier claim.
    /// </summary>
    /// <remarks>
    /// This defaults to <see cref="ClaimTypes.NameIdentifier"/>.
    /// </remarks>
    public string UserIdClaimType { get; set; } = ClaimTypes.NameIdentifier;

There is a unit test in IdentityOptionsTest.cs called VerifyDefaultOptions that can be used to confirm the defaults. Navigating to the implementation is really the only way to be sure. It should however not be needed if you didn't change the defaults.

Original explanation regarding NameIdentifier here

ASP Identity source code
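
An added example, not part of the original answer or the ASP.NET Identity source: a helper that derives the key to store in the other database from the signed-in ClaimsPrincipal, failing closed when no identifier claim is present and never falling back to mutable claims such as name or e-mail. The StableUserKey class, the preference for the tenant-scoped object id claim, and the two claim URIs are assumptions; the sample identity is constructed.

```csharp
using System;
using System.Security.Claims;

public static class StableUserKey
{
    // Assumption: URI forms that the default inbound JWT claim mapping gives
    // to the Azure AD "oid" and "tid" token claims.
    const string ObjectId = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    const string TenantId = "http://schemas.microsoft.com/identity/claims/tenantid";

    // Returns the key to store in the other DB and reports which claim it came
    // from. Throws instead of falling back to name/UPN/e-mail, which can change.
    public static string Resolve(ClaimsPrincipal user, out string sourceClaim)
    {
        if (user?.Identity == null || !user.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException("Caller is not authenticated.");

        string oid = user.FindFirst(ObjectId)?.Value ?? user.FindFirst("oid")?.Value;
        string tid = user.FindFirst(TenantId)?.Value ?? user.FindFirst("tid")?.Value;
        if (!string.IsNullOrEmpty(oid) && !string.IsNullOrEmpty(tid))
        {
            sourceClaim = "tid+oid";
            return tid + ":" + oid; // scope the object id by its tenant
        }

        // Same claim GetUserId() reads when UserIdClaimType keeps its default.
        string nameId = user.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (string.IsNullOrEmpty(nameId))
            throw new InvalidOperationException("No identifier claim on the identity.");
        sourceClaim = ClaimTypes.NameIdentifier;
        return nameId;
    }

    public static void Main()
    {
        // Constructed sample identity; every value here is made up.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.NameIdentifier, "constructed-name-identifier"),
            new Claim(ObjectId, "00000000-0000-0000-0000-000000000001"),
            new Claim(TenantId, "00000000-0000-0000-0000-0000000000aa"),
            new Claim(ClaimTypes.Name, "maxime@example.com"),
        }, "Bearer");

        string key = Resolve(new ClaimsPrincipal(identity), out string source);
        Console.WriteLine($"{source} -> {key}");
    }
}
```

Logging the reported source claim once per deployment shows which identifier the stored keys are actually built from before other tables start referencing them.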