We have an Asp.Net 4.5 MVC app using Asp.Net Identity to manage our customer database. We are currently using Microsoft Account Authentication. We are considering using OpenId Connect so that customers with a work/school account can also sign in (Add sign-in to an .NET MVC web app).
Microsoft Account Authentication returns ProviderKey as the unique id of the user who has logged in. This is mapped onto UserId in our customer database.
OpenId Connect does not appear to return a ProviderKey, but NameIdentifier looks promising:
ClaimsPrincipal.Current.FindFirst(System.IdentityModel.Claims.ClaimTypes.NameIdentifier)?.Value;
Is NameIdentifier the unique identifier of the user returned by OpenId Connect? Can it be reliably used to uniquely identify a user over time?
AFAIK, the NameIdentifier is mapped from the NameId or Sub claim from the id_token (refer here). And for the id_token for Azure AD, it used the Sub claim. And from the description of the sub claim:
The answer is yes, it can be reliably used to uniquely identify a user over time.
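As an added illustration (not code from the question or the answer), the following C# shows how the subject claim is read off the signed-in ClaimsPrincipal and turned into a key for the customer database. The caveat it encodes is that sub is stable for a given user but is only guaranteed unique within one issuer, so the issuer is kept as part of the key, and sign-in is refused rather than falling back to a mutable claim such as email when the subject is missing. The class names OidcUserKey and UserStore, and the issuer and subject values, are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

// Added example, not from the question or the answer above. "OidcUserKey",
// "UserStore" and the sample issuer/subject values are constructed for
// illustration. "sub" (exposed as ClaimTypes.NameIdentifier by the .NET claim
// mapping) is stable for a user but only unique within one issuer, so the
// issuer is kept as part of the key the customer database is keyed on.
public sealed class OidcUserKey
{
    public string Issuer { get; }
    public string Subject { get; }

    public OidcUserKey(string issuer, string subject)
    {
        Issuer = issuer;
        Subject = subject;
    }

    // Derive the key from the signed-in principal. Sign-in is refused when the
    // subject or issuer is missing rather than falling back to a mutable claim
    // such as email or display name, which can change or be reassigned.
    public static OidcUserKey FromPrincipal(ClaimsPrincipal principal)
    {
        if (principal == null) throw new ArgumentNullException(nameof(principal));

        Claim sub = principal.FindFirst(ClaimTypes.NameIdentifier) ?? principal.FindFirst("sub");
        if (sub == null || string.IsNullOrWhiteSpace(sub.Value))
            throw new InvalidOperationException("id_token carried no subject claim; refusing sign-in.");

        // Prefer an explicit "iss" claim; otherwise use the issuer recorded on the claim itself.
        string issuer = principal.FindFirst("iss")?.Value ?? sub.Issuer;
        if (string.IsNullOrWhiteSpace(issuer))
            throw new InvalidOperationException("subject claim has no issuer; refusing sign-in.");

        return new OidcUserKey(issuer, sub.Value);
    }

    public override string ToString() => Issuer + "|" + Subject;
}

// Minimal in-memory stand-in for the customer database (constructed).
public sealed class UserStore
{
    private readonly Dictionary<string, string> _userIdByKey =
        new Dictionary<string, string>(StringComparer.Ordinal);

    // Returns the existing internal UserId for this (issuer, sub) pair, or creates one.
    public string FindOrCreateUserId(OidcUserKey key)
    {
        string k = key.ToString();
        if (!_userIdByKey.TryGetValue(k, out string userId))
        {
            userId = Guid.NewGuid().ToString("N");
            _userIdByKey[k] = userId;
        }
        return userId;
    }
}

public static class Demo
{
    // Builds a principal shaped like the one the OpenID Connect middleware
    // produces after validating an id_token (constructed for the example).
    private static ClaimsPrincipal Principal(string issuer, string sub, string email)
    {
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.NameIdentifier, sub, ClaimValueTypes.String, issuer),
            new Claim("iss", issuer, ClaimValueTypes.String, issuer),
            new Claim(ClaimTypes.Email, email, ClaimValueTypes.String, issuer),
        };
        return new ClaimsPrincipal(new ClaimsIdentity(claims, "OpenIdConnect"));
    }

    public static void Main()
    {
        var store = new UserStore();
        const string issuerA = "https://login.idp-a.invalid/"; // placeholder issuer
        const string issuerB = "https://login.idp-b.invalid/"; // placeholder issuer

        string first = store.FindOrCreateUserId(
            OidcUserKey.FromPrincipal(Principal(issuerA, "user-001", "alice@example.com")));
        // Same user signs in later with a changed email: same sub, same issuer, same UserId.
        string again = store.FindOrCreateUserId(
            OidcUserKey.FromPrincipal(Principal(issuerA, "user-001", "alice.new@example.com")));
        // A different issuer hands out the same sub string: must map to a different UserId.
        string other = store.FindOrCreateUserId(
            OidcUserKey.FromPrincipal(Principal(issuerB, "user-001", "bob@example.com")));

        if (first != again) throw new Exception("same issuer+sub must resolve to the same user");
        if (first == other) throw new Exception("different issuers must not collide on sub");
        Console.WriteLine("issuer+sub mapping behaves as expected");
    }
}
```

In ASP.NET Identity terms the pair above is what a UserLoginInfo(loginProvider, providerKey) carries: the issuer plays the LoginProvider role and sub the ProviderKey role, so the existing ProviderKey column can keep its job as long as the provider is stored beside it and lookups always use both.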