
Link user's profile stored in DB to Azure Active Directory account

We use Azure Active Directory (OpenID and OAuth2) for authorization and authentication needs. We also would like to keep users' profiles in one of our microservices, let's name this service "User Preferences". The service will store many specific fields required only for one of our products, which is why we don't want to store them in Active Directory (custom fields).

Having all of this, we are searching for the best Azure AD field we can use to connect a user's profile to an Active Directory account.

There are several candidates:

  • UPN - in some cases the JWT doesn't contain it
  • ObjectId - always available, but not read-friendly and unique in a multi-tenant structure
  • Unique Name - should only be used for display in the UI (recommended by Azure)

Could you please recommend the best field for our case?

Compiling my comments as an answer:

Object id or name identifier (sub claim) are the only immutable fields you can choose from. Using the UPN is dangerous as it can be changed.

Object id is unique across directories, though if you support multiple tenants you should store the tenant id (tid) as well.

UPN can change when an admin changes it.

And also, if a user is invited as a guest to other AAD tenants, they'll have an object id per directory; it won't be the same.
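One way to apply this advice in the "User Preferences" service, as an added example that is not part of the original answer: key the profile row on tid plus oid (sub as a fallback) and treat the UPN as display data only. The claim names are the standard Azure AD token claims; the GUIDs, the in-memory store and the class names are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, Mapping

@dataclass(frozen=True)
class DirectoryLinkKey:
    """Immutable foreign key from a profile row to an Azure AD account."""
    tenant_id: str  # tid claim: oid is only unique within one tenant
    object_id: str  # oid claim (sub as fallback): never changes for that account

    def as_string(self) -> str:
        return f"{self.tenant_id}:{self.object_id}"

def link_key_from_claims(claims: Mapping[str, str]) -> DirectoryLinkKey:
    """Choose the claims to persist. The token is assumed to be already validated
    (signature, issuer, audience, expiry) by the OIDC middleware."""
    tid = claims.get("tid")
    if not tid:
        raise ValueError("token has no tid claim; refuse to link")
    # Never key on upn/unique_name/preferred_username: an admin can change them.
    # oid is preferred; sub is also immutable but pairwise (unique per user per app).
    identifier = claims.get("oid") or claims.get("sub")
    if not identifier:
        raise ValueError("token has neither oid nor sub; refuse to link")
    return DirectoryLinkKey(tenant_id=tid, object_id=identifier)

class ProfileStore:
    """Minimal in-memory stand-in for the 'User Preferences' table (constructed)."""
    def __init__(self) -> None:
        self._rows: Dict[str, dict] = {}

    def get_or_create(self, claims: Mapping[str, str]) -> dict:
        key = link_key_from_claims(claims).as_string()
        if key not in self._rows:
            # Display fields are copied for the UI but are never part of the key.
            self._rows[key] = {"link_key": key, "upn": claims.get("upn"), "prefs": {}}
        return self._rows[key]

    def count(self) -> int:
        return len(self._rows)

# Constructed sample claims with fake GUIDs, not taken from any real tenant.
HOME = {"tid": "11111111-aaaa-4aaa-aaaa-111111111111",
        "oid": "22222222-bbbb-4bbb-bbbb-222222222222", "upn": "alice@contoso.example"}
# Same account after an admin renamed the UPN: tid and oid are unchanged.
RENAMED = dict(HOME, upn="alice.smith@contoso.example")
# Same person invited as a guest into another tenant: different tid AND oid.
GUEST = {"tid": "33333333-cccc-4ccc-cccc-333333333333",
         "oid": "44444444-dddd-4ddd-dddd-444444444444",
         "upn": "alice_contoso.example#EXT#@fabrikam.example"}
```

Running the three sample tokens through the store resolves the renamed account to the same row while the guest identity gets a separate row, which is the behaviour the answer describes.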
