What is the unique id for users in OpenId Connect

Published 2019-04-10 00:51

Question:

We have an Asp.Net 4.5 MVC app using Asp.Net Identity to manage our customer database. We are currently using Microsoft Account Authentication. We are considering using OpenId Connect so that customers with a work/school account can also sign in (see "Add sign-in to an .NET MVC web app").

Microsoft Account Authentication returns ProviderKey as the unique id of the user who has logged in. This is mapped onto UserId in our customer database.

OpenId Connect does not appear to return a ProviderKey, but NameIdentifier looks promising: ClaimsPrincipal.Current.FindFirst(System.IdentityModel.Claims.ClaimTypes.NameIdentifier)?.Value;

Is NameIdentifier the unique identifier of the user returned by OpenId Connect? Can it be reliably used to uniquely identify a user over time?

Answer 1:

Is NameIdentifier the unique identifier of the user returned by OpenId Connect? Can it be reliably used to uniquely identify a user over time?

AFAIK, the NameIdentifier is mapped from the NameId or Sub claim of the id_token (refer here). And for the id_token from Azure AD, it uses the Sub claim.

And from the description of sub claim:

Identifies the principal about which the token asserts information, such as the user of an application. This value is immutable and cannot be reassigned or reused, so it can be used to perform authorization checks safely. Because the subject is always present in the tokens the Azure AD issues, we recommended using this value in a general purpose authorization system.

The answer is yes; it can reliably be used to uniquely identify a user over time.
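As an added example (not code from the question or the answer above), this C# helper applies the answer in ASP.NET Identity 2.x terms: it reads the NameIdentifier/sub claim from the validated id_token, combines it with the token issuer, and stores that as the ProviderKey in place of the Microsoft Account one. The "OpenIdConnect" provider label, the TUser factory and the OWIN claim mapping it relies on are assumptions of this example.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;

// Maps the OpenID Connect subject onto the ProviderKey slot that the Microsoft Account
// login already fills, and looks the customer up through ASP.NET Identity's login table.
public static class OidcSubjectKey
{
    private const string ProviderName = "OpenIdConnect"; // assumed LoginProvider label
    private const string SubClaim = "sub";

    // The OWIN OpenIdConnect middleware surfaces "sub" as ClaimTypes.NameIdentifier;
    // the raw "sub" name is checked as well in case inbound claim mapping is turned off.
    // OpenID Connect only guarantees "sub" is unique within one issuer, so the stored
    // key is "issuer|sub" rather than the bare subject.
    public static string FromIdentity(ClaimsIdentity identity)
    {
        if (identity == null || !identity.IsAuthenticated)
            throw new ArgumentException("Identity is not authenticated.", nameof(identity));
        Claim subject = identity.FindFirst(ClaimTypes.NameIdentifier) ?? identity.FindFirst(SubClaim);
        if (subject == null || string.IsNullOrWhiteSpace(subject.Value))
            throw new InvalidOperationException("id_token carried no sub / NameIdentifier claim.");
        // JwtSecurityTokenHandler stamps each claim with the token's "iss" value.
        string issuer = subject.Issuer;
        if (string.IsNullOrWhiteSpace(issuer) || issuer == ClaimsIdentity.DefaultIssuer)
            throw new InvalidOperationException("Claim has no issuer; refusing to build a key.");
        return issuer + "|" + subject.Value;
    }

    // Returning customers are found by (LoginProvider, ProviderKey); first-time sign-ins are
    // provisioned with the caller-supplied factory and then linked to the same key.
    public static async Task<TUser> FindOrLinkUserAsync<TUser>(
        UserManager<TUser> userManager, ClaimsIdentity identity, Func<TUser> createUser)
        where TUser : class, IUser<string>
    {
        var login = new UserLoginInfo(ProviderName, FromIdentity(identity));
        TUser user = await userManager.FindAsync(login);
        if (user != null) return user; // returning customer: key matched an existing login row

        user = createUser(); // first sign-in: create the customer, then link the key to it
        IdentityResult created = await userManager.CreateAsync(user);
        if (!created.Succeeded) throw new InvalidOperationException(string.Join("; ", created.Errors));
        IdentityResult linked = await userManager.AddLoginAsync(user.Id, login);
        if (!linked.Succeeded) throw new InvalidOperationException(string.Join("; ", linked.Errors));
        return user;
    }
}
```

Call it from the middleware's SecurityTokenValidated notification or the sign-in callback action with the ClaimsIdentity the OWIN OpenIdConnect middleware built. Azure AD issues a pairwise sub per application registration, so the key is stable for this app but will not match the same person's sub seen by a different app.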