
I need to get the nameidentifier from the token that Azure AD sends. I am assuming this is unique for each user of the AD and have some custom authorization logic based on it. For example,

AuthenticationResult result = authenticationContext.AcquireToken(webApiResourceId, certificateCredential);
string accessToken = result.AccessToken;

This accessToken is sent to the WebAPI as an authentication header; the WebAPI decrypts it and fetches the nameidentifier as

// The claim the server-side JWT handler exposes as NameIdentifier (mapped from the token's "sub" claim by default)
Claim nameIdClaim = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier);

But this process on the WebAPI is transparent and is performed by ADAL. However, I need to get the NameIdentifier on the client side itself. Is there any way I can fetch the NameIdentifier on the client side by decrypting the AccessToken? I cannot seem to find the correct answer by searching.


1 Answer


Can you elaborate on why you need the NameIdentifier on the client? Note that the client does not perform any validation of the token, so you should not make any access control decisions on the client based on the token's content. The server side can make decisions based on the token's content because the token itself has been validated before its content is made available to the application. Another important consideration: the access token is meant for the Web API, and the client should not attempt to read it. Even if you manage to read it, you will be producing extremely brittle logic, because the format can change at any time, it might be encrypted with a key your client should not have, and so on. If you need the NameIdentifier on the client for a different reason, you can inspect the id_token. The id token is another token that is sent along with the access token. The id token is intended for the client, so you can safely look at it. You can find it in the AuthenticationResult as a property. HTH V.

answered 2015-03-26T19:05:43.550
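The following is an added example that illustrates the answer above; it is not code from the original question, the answer, or ADAL. It reads the "sub" claim (the claim the server-side JwtSecurityTokenHandler maps to ClaimTypes.NameIdentifier by default) out of an id_token on the client by base64url-decoding the payload, and it deliberately never touches the access token. Because the client does nothing to validate the token, the value is suitable only for display or correlation, never for an access-control decision. In real code the string would come from the IdToken property of the AuthenticationResult; here a constructed, unsigned sample token with made-up claim values stands in for it so the program runs offline. One caveat the answer does not spell out: an id_token is only issued when a user signs in, so the certificate-credential call in the question, which authenticates the application itself rather than a user, produces no id_token at all.

```csharp
// Added example (not from the original post or from ADAL): read the subject
// claim from an id_token on the client. The id_token is issued for the client,
// so reading it here is fine; the access token is for the Web API and is not
// parsed anywhere in this program.
using System;
using System.Text;
using System.Text.Json;

static class IdTokenReader
{
    // Base64url (RFC 7515 section 2): '-' and '_' instead of '+' and '/', padding stripped.
    static byte[] Base64UrlDecode(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        switch (b64.Length % 4)
        {
            case 2: b64 += "=="; break;
            case 3: b64 += "="; break;
        }
        return Convert.FromBase64String(b64);
    }

    static string Base64UrlEncode(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Returns the "sub" claim of a compact-serialised JWT id_token.
    // No signature or audience check is performed: the client is not the
    // validating party, so this value must not drive authorization decisions.
    public static string ReadSubject(string idToken)
    {
        string[] parts = idToken.Split('.');
        if (parts.Length != 3)
            throw new FormatException("expected compact JWS: header.payload.signature");

        using JsonDocument payload = JsonDocument.Parse(Base64UrlDecode(parts[1]));
        return payload.RootElement.GetProperty("sub").GetString();
    }

    // Constructed sample standing in for AuthenticationResult.IdToken.
    // Claim values are placeholders, not real Azure AD identifiers; the token is
    // unsigned (alg "none", empty signature segment) because the client never
    // verifies it anyway.
    static string ConstructedSampleIdToken()
    {
        string header = "{\"alg\":\"none\",\"typ\":\"JWT\"}";
        string payload =
            "{\"aud\":\"CLIENT_ID_PLACEHOLDER\"," +
            "\"iss\":\"https://sts.windows.net/TENANT_ID_PLACEHOLDER/\"," +
            "\"sub\":\"SUBJECT_PLACEHOLDER\"," +
            "\"oid\":\"00000000-0000-0000-0000-000000000000\"}";

        return Base64UrlEncode(Encoding.UTF8.GetBytes(header)) + "." +
               Base64UrlEncode(Encoding.UTF8.GetBytes(payload)) + ".";
    }

    static void Main()
    {
        // Real usage after AcquireToken for a signed-in user:
        //     string sub = IdTokenReader.ReadSubject(result.IdToken);
        string sub = ReadSubject(ConstructedSampleIdToken());
        Console.WriteLine("id_token sub (display/correlation only): " + sub);
    }
}
```

The padding logic matters in practice: JWT segments omit '=' padding, so feeding them straight to Convert.FromBase64String fails on most tokens. Passing the access token through ReadSubject instead of the id_token would be exactly the brittle logic the answer warns against, since an access token for a Web API may be encrypted or change format without notice.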