I have a website on ASP.NET consisting of web app and web API. In my website sign in used to be done with username and password, and then after few encryption database checks the user and start the session. Now, after adding Aure AD single sign-in, how to make sure specific user enters into webiste. Like I have read in Azure documentation that in Token from Azure AD we can get claim (sub tid) which are unique and immutable. Should I add a column in my database to store the value of these two (sub tid) in order to select the specific user? Is there any better way to do it?

CodePudding user response：

The tid claim will identify the Azure AD tenant used to authenticate the user. If you allow users to sign in from any tenant, this is a good one to store. If you only allow one tenant, then it might not be necessary to store.

There are two claims that can be used to identify a user. You can choose which one you use.

sub will uniquely identify the user in the context of that application and is immutable. It is the standard OpenID Connect identifier for a user. If the user signs in to another application, the value will be different there. This value cannot be known before the user signs in to your application, they are not available through any UI or API.

oid uniquely identifies the user and is the user's objectId. This is also immutable. If you want to make queries to e.g. Microsoft Graph API to get user info, you will need this value as it is what is used in APIs to identify the user. The objectId can be known in advance before the user logs in to your application (someone in their tenant can look at user list and see the ids there) and that can be an advantage in certain situations.