Azure Active Directory: Get user's UPN with OpenID Connect authentication
I want to log in to an ASP.NET MVC 5 website backed by Azure Active Directory.
Specifically, I want to find out whether the user is a member of a specific group, and give access based on that.
I have code to query users/groups in AD, and users are authenticated by Microsoft and redirected to the website.
But it seems I need the user's principal name (UPN, ClaimTypes.Upn) to query the Azure AD Graph API, while the OpenID Connect provider gives me a version of the user's e-mail address:
From OpenID Connect: User.Identity.Name = live.com#timm@domain.tld
From AD Graph API: user.UserPrincipalName = timm_domain#ext@something.onmicrosoft.com
Is there a possibility to get the internal user GUID, or one ID or the other, in order to be able to query the AD Graph API for the current user?
Indeed. The objectId of the user is in the objectidentifier claim, using:
ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value
The UPN property is set by default for regular organizational accounts, whereas signing in with an MSA (Microsoft Account) makes the user an external user. MSA external users do not have the UPN property set by default. That said, you do not need the user's UPN to query group membership using the Graph API; the objectId is recommended. Further, I recommend that for authorization purposes you utilize the getMemberGroups API, which returns the transitive group membership of the user.
Hope this helps.
For reference on other claim types: the raw JWT access token issued by Azure AD to an MSA external user looks like this:
{
  "family_name": "guest",
  "unique_name": "live.com#aadguest@outlook.com",
  "altsecid": "1:live.com:00034001c80d80e9",
  "ver": "1.0",
  "aud": "https://graph.windows.net",
  "acr": "1",
  "iss": "https://sts.windows.net/62e173e9-301e-423e-bcd4-29121ec1aa24/",
  "oid": "fa6fa59a-5f2b-4069-a8e4-c76e52179f64",
  "scp": "directory.read userprofile.read",
  "idp": "live.com",
  "email": "aadguest@outlook.com",
  "appidacr": "1",
  "given_name": "aad",
  "exp": 1403260411,
  "appid": "29181964-d91b-4331-859d-d815863848d6",
  "tid": "62e173e9-301e-423e-bcd4-29121ec1aa24",
  "iat": 1403256511,
  "amr": [ "pwd" ],
  "nbf": 1403256511,
  "sub": "wi6cvq6fvj_aj3na076wm-c6ejy6ck6yhb3pr9jpty0"
}
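One way to apply the answer's advice in an MVC 5 app, as an added example (editor's code, not from the question or the answer): read the objectidentifier claim and check transitive group membership through getMemberGroups. It assumes an access token for https://graph.windows.net has already been acquired (for example with ADAL), and that the tenant id and the required group's object id are supplied by the caller; Newtonsoft.Json is used for the response body.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Newtonsoft.Json;

// Added example; the token, tenant id and group id are supplied by the caller (assumptions).
public static class GroupAuthorization
{
    private const string ObjectIdClaim =
        "http://schemas.microsoft.com/identity/claims/objectidentifier";
    private const string GraphResource = "https://graph.windows.net";

    // The oid claim is present for organizational accounts and for MSA guests alike,
    // so it is a stable key for the user regardless of what User.Identity.Name looks like.
    public static string GetObjectId(ClaimsPrincipal principal)
    {
        var claim = principal?.FindFirst(ObjectIdClaim);
        if (claim == null || string.IsNullOrEmpty(claim.Value))
            throw new InvalidOperationException("No objectidentifier claim; user not signed in through Azure AD.");
        return claim.Value;
    }

    // getMemberGroups returns the transitive membership (direct and nested) as group object ids.
    // Authorize on the group's object id, never on its display name, which can change or be duplicated.
    public static async Task<bool> IsMemberOfGroupAsync(HttpClient http, string graphAccessToken,
        string tenantId, string userObjectId, string requiredGroupObjectId)
    {
        var url = $"{GraphResource}/{tenantId}/users/{userObjectId}/getMemberGroups?api-version=1.6";
        var request = new HttpRequestMessage(HttpMethod.Post, url)
        {
            // securityEnabledOnly=true restricts the result to security groups.
            Content = new StringContent("{\"securityEnabledOnly\": true}", Encoding.UTF8, "application/json")
        };
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", graphAccessToken);

        using (var response = await http.SendAsync(request))
        {
            response.EnsureSuccessStatusCode();
            var body = await response.Content.ReadAsStringAsync();
            var result = JsonConvert.DeserializeObject<MemberGroupsResponse>(body);
            return result.Value.Contains(requiredGroupObjectId, StringComparer.OrdinalIgnoreCase);
        }
    }

    private class MemberGroupsResponse
    {
        [JsonProperty("value")]
        public string[] Value { get; set; }
    }
}
```

Call GetObjectId(ClaimsPrincipal.Current) first, then pass the result to IsMemberOfGroupAsync from the controller or an authorization filter.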
active-directory openid azure-active-directory