
In my client app, I get a token for an application with

// Confidential client (client credentials flow): the app authenticates with its own
// secret, no user is signed in.
IConfidentialClientApplication espaceClientApp = ConfidentialClientApplicationBuilder
    .Create(clientId)
    .WithTenantId(tenantId)
    .WithClientSecret(clientSecret)
    .Build();

espaceClientApp.AddInMemoryTokenCache();

// App-only access token for the API identified by validAudience (the "Expose an API" URI).
AuthenticationResult authResult = await espaceClientApp.AcquireTokenForClient(new[] {
    $"{validAudience}/.default"
}).ExecuteAsync();

I then get an OAuth token, but I can't figure out what the value of the "sub" claim corresponds to in B2C. I think it could be the audience id, but I don't see it in my AAD B2C portal. No application has the ID that I get in the token. It may be related to the URI in the "Expose an API" menu? Fact is I used a custom name URI instead of the one defined by default (a Guid). I supposed this Guid is what I get in the "sub" claim. If it is so, how can I retrieve the Guid in the B2C dashboard or Graph API?

Patrice Cote

1 Answer

The subject claim identifies an entity (typically a user) and is unique for the user (it uniquely identifies the user) and the service for which the token is intended. Its default value is the Object Id (maybe the object id of the service principal), which is the name id, and it is not an application id.


According to the Microsoft docs on Azure Active Directory ID tokens:

  • When identifying a user (or looking for them in a database, or deciding what permissions they have), it's critical to use information that will remain constant and unique across time.

  • Instead, the claims provided by the OIDC standard, or the extension claims provided by Microsoft - the sub and oid claims - are used, as GUIDs are unique.

The sub claim in the Microsoft identity platform is "pair-wise" - it is unique based on a combination of the token recipient, tenant, and user. Therefore, two apps that request ID tokens for a given user will receive different sub claims, but the same oid claims for that user.

The sub claim contains a unique, immutable identifier for the user for that one app. Its value is different in other apps for the same user, so it is possibly computed based on some other identifiers. This value is immutable and cannot be reassigned or reused.

It will be different for ID Token and Access Token also.

Note: ID Token audience/sub is the client app where the user is signing in, and the Access Token audience is the resource server the client app will attempt to access (on behalf of the signed-in user).

Maybe we can't find it, but the sub claim works for identifying a user uniquely in an app. 'sub' is mapped to 'schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'.

The set of mappings is defined in the package or assembly System.IdentityModel.Tokens.Jwt; here: github.com-System.IdentityModel.Tokens.Jwt/ClaimTypeMapping/AzureAD/

Please check: What is in the sub and oid claims when getting client_credentials tokens from the Azure AD OAuth v2 token endpoint? - Stack Overflow

References:

  1. specs/openid-connect-core.
  2. asp.net core - How do I get an OID claim in ASPCore from Azure B2C - Stack Overflow
kavyaS

    Thanks, great explanations. And the link to the other questions gave me the correct answer about where to find it. Application registration -> click on the client app you used to get the token -> "Managed application in l..." -> ObjectId – Patrice Cote Apr 06 '22 at 11:46
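As an added example (not code from the question or the answer), here is a small Python inspector for the claims discussed above: it decodes the payload of a compact JWS and, for an app-only (client_credentials) token, checks that sub equals oid, the service principal object id the comment above points to. The token and all ids below are constructed placeholders with a dummy signature; the code does no signature validation and is for inspection only.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWS segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def read_claims(token: str) -> dict:
    """Decode the payload of a compact JWS (header.payload.signature).
    The signature is NOT checked here; validate the token with MSAL or
    Microsoft.IdentityModel before trusting any claim for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with 3 dot-separated parts")
    return json.loads(_b64url_decode(parts[1]))


def describe_subject(claims: dict) -> dict:
    """Relate sub to oid as the answer explains: sub is pair-wise (recipient,
    tenant, principal), oid is the directory object id. In an app-only token
    there is no 'scp' claim and sub == oid, i.e. the service principal's
    object id ("Managed application in local directory" in the portal);
    azp (v2) / appid (v1) carries the calling app's client id."""
    sub, oid = claims.get("sub"), claims.get("oid")
    app_only = "scp" not in claims and sub is not None and sub == oid
    return {
        "app_only": app_only,
        "principal_object_id": oid,
        "sub_equals_oid": sub == oid,
        "client_id": claims.get("azp") or claims.get("appid"),
        "audience": claims.get("aud"),
    }


def make_test_token(claims: dict) -> str:
    # Constructed, unsigned token for local demonstration only (dummy signature).
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.sig-placeholder"


# Constructed sample claims shaped like an app-only access token; placeholder ids.
APP_ONLY_CLAIMS = {
    "aud": "api://espace-client-api",
    "tid": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
    "azp": "11111111-1111-1111-1111-111111111111",
    "oid": "22222222-2222-2222-2222-222222222222",
    "sub": "22222222-2222-2222-2222-222222222222",
    "roles": ["Orders.Read.All"],
}
```

Run describe_subject(read_claims(token)) on a real token only after validating it; for a delegated token sub will differ from oid, which is the signal that you are looking at a user rather than the service principal.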