[email protected] from npm install msal

It's hard to find which identifier to use when a user authenticated to Azure AD. The returned object from msal.getAccount() contains multiple fields that can be used but it's unclear which one.
A similar question has been asked here and shows 2 possible options:
In the README it says:
When the login methods are called and the authentication of the user is completed by the Azure AD service, an id token is returned which is used to identify the user with some basic information.
But the class account says the idToken will be deprecated soon:
export class Account {
    accountIdentifier: string;
    homeAccountIdentifier: string;
    userName: string;
    name: string;
    idToken: StringDict; // will be deprecated soon
    idTokenClaims: StringDict;
    sid: string;
    environment: string;
    // ...
}
My single goal is to store settings for the app in the database and find them back the next time the user signs in. Thank you for clarifying which ID to use for this purpose.
I believe oid is what you need. From the documentation:
The immutable identifier for an object in the Microsoft identity system, in this case, a user account. This ID uniquely identifies the user across applications - two different applications signing in the same user will receive the same value in the oid claim. The Microsoft Graph will return this ID as the id property for a given user account. Because the oid allows multiple apps to correlate users, the profile scope is required to receive this claim. Note that if a single user exists in multiple tenants, the user will contain a different object ID in each tenant - they're considered different accounts, even though the user logs into each account with the same credentials. The oid claim is a GUID and cannot be reused.
Thanks for the feedback @derisen. So the correct one to use is idTokenClaims oid.
It might be beneficial to add this to the examples as a comment. So it's clear for developers which one they need to use. Given that there's no need to store a token in the app, because acquireTokenSilent calls will do that for us, the only remaining question can be on how to identify the user with a unique string. So therefore a small comment in the examples might be a good idea.
@DarkLite1 sounds good. I'm actually working on an FAQ and will be sure to add this.
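The approach the thread settles on, keying stored settings on the `oid` claim from `idTokenClaims`, shown as an added example that is not part of the original thread or the MSAL code base. `userKeyFromAccount`, `SettingsStore` and the sample account objects are hypothetical and constructed for illustration; the objects only mimic the shape of what `msal.getAccount()` returns.

```javascript
// Added example: key per-user settings on the oid claim of an MSAL Account.
// The oid claim is documented as a GUID, so reject anything else.
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Returns the lower-cased oid, or throws when the claim is absent or malformed.
// No fallback to userName or name: that would file one person's settings
// under two different keys depending on which token happened to carry oid.
function userKeyFromAccount(account) {
  const claims = account && account.idTokenClaims;
  const oid = claims && claims.oid;
  if (typeof oid !== "string") {
    throw new Error("oid claim missing: was the 'profile' scope requested?");
  }
  if (!GUID_RE.test(oid)) {
    throw new Error("oid claim is not a GUID");
  }
  return oid.toLowerCase();
}

// Hypothetical in-memory stand-in for the application's settings table.
class SettingsStore {
  constructor() { this.rows = new Map(); }
  save(account, settings) {
    this.rows.set(userKeyFromAccount(account), { ...settings });
  }
  load(account) {
    const row = this.rows.get(userKeyFromAccount(account));
    return row ? { ...row } : null;
  }
}

// Constructed sample accounts; the identifiers are made up.
const firstSignIn = {
  userName: "alice@contoso.example",
  idTokenClaims: { oid: "11111111-2222-3333-4444-555555555555" },
};
// Same account at a later sign-in with a changed userName: the oid is unchanged.
const laterSignIn = {
  userName: "alice.smith@contoso.example",
  idTokenClaims: { oid: "11111111-2222-3333-4444-555555555555" },
};
// Same person in another tenant: a different oid, hence a different account.
const otherTenant = {
  userName: "alice@contoso.example",
  idTokenClaims: { oid: "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE" },
};
const store = new SettingsStore();
store.save(firstSignIn, { theme: "dark" });
```

A missing `oid` raises an error instead of silently switching identifiers, which surfaces a sign-in request that omitted the `profile` scope.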