davidjrh / dnn.azureadprovider

The DNN Azure Active Directory Provider is an Authentication provider for DNN Platform (formerly DotNetNuke) that uses Azure Active Directory OAuth2 authentication to authenticate users.
MIT License

Support UPN changes. #13

Closed swalker1595 closed 4 years ago

swalker1595 commented 6 years ago

[Breaking Change]

Right now, when a user's UPN is changed in AAD, DNN throws a "User already exist" error because it attempts to register the user as a new user with their new UPN. This is problematic.

Using the AAD ObjectId claim as the UserId resolves this issue. ObjectId is guaranteed never to change in AAD.

"Contains a unique identifier of an object in Azure AD. This value is immutable and cannot be reassigned or reused. Use the object ID to identify an object in queries to Azure AD. " - https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-token-and-claims

This is a breaking change, in that users who have already registered will now have to re-register with their new Id but the same credentials. Their old account will have to be removed beforehand. Alternatively, you may be able to get their ObjectId from AAD and make it match the UserId in the DNN database and resolve the issue that way.

davidjrh commented 6 years ago

This sounds good to me, but I don't like breaking changes :) I'm thinking of adding a private setting to specify which claim will be used for Ids. In this specific upgrade scenario, the setting will default to JwtRegisteredClaimNames.UniqueName, while on later versions first-time installations will use "oid" (a migration tool will be needed to change current installations if desired).

I'm wondering if this has any collateral effect, and would like to test this on some sites before merging the pull request.
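To make the two proposals above concrete, here is an added example (not code from the provider) of resolving a local account from the token's claims: a switch picks the key claim (the mutable `unique_name`/UPN for legacy installs, the immutable `oid` otherwise), and the `oid` path migrates a pre-upgrade account the first time its owner signs in so the account survives a later UPN change. `DnnUser`, `useObjectId` and the in-memory user list are assumptions for the example, not the provider's real types or settings.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Assumed minimal model of a DNN user record for this example.
public sealed class DnnUser
{
    public int UserId { get; set; }
    public string Username { get; set; }    // what the provider registered originally (the UPN)
    public string ExternalId { get; set; }  // the AAD object id, once the account has been migrated
}

public static class AadUserResolver
{
    public const string OidClaim = "oid";          // immutable object id (never reassigned in AAD)
    public const string UpnClaim = "unique_name";  // JwtRegisteredClaimNames.UniqueName: the mutable UPN

    // Returns the matching local account, or null when the caller should register a new one.
    // useObjectId is an assumed setting standing in for the "which claim is the Id" option.
    public static DnnUser Resolve(ClaimsPrincipal principal, List<DnnUser> users, bool useObjectId)
    {
        string upn = principal.FindFirst(UpnClaim)?.Value;
        string oid = principal.FindFirst(OidClaim)?.Value;

        if (!useObjectId)
        {
            // Legacy behaviour: the UPN is the key, so a renamed user looks like an unknown user
            // and the subsequent registration collides with the existing account.
            return users.FirstOrDefault(u =>
                string.Equals(u.Username, upn, StringComparison.OrdinalIgnoreCase));
        }

        if (string.IsNullOrEmpty(oid))
            throw new InvalidOperationException("ID token carries no oid claim; refusing to map the user.");

        // 1. Stable lookup by object id: unaffected by UPN changes.
        var byOid = users.FirstOrDefault(u => u.ExternalId == oid);
        if (byOid != null) return byOid;

        // 2. One-time migration: an account created before the upgrade is still keyed on the UPN.
        //    Only records that have never been bound to an oid are eligible.
        var legacy = users.FirstOrDefault(u => u.ExternalId == null &&
            string.Equals(u.Username, upn, StringComparison.OrdinalIgnoreCase));
        if (legacy != null) { legacy.ExternalId = oid; return legacy; }

        // 3. Genuinely new user: register keyed on the oid, not the UPN.
        return null;
    }
}
```

The migration step in 2 trusts that the UPN still belongs to the same person, so sites that have reassigned UPNs between the upgrade and a user's first sign-in should run the one-off migration tool (matching on the directory's ObjectId, as suggested above) rather than rely on it.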

davidjrh commented 4 years ago

I have finally implemented the claim mappings on https://github.com/davidjrh/dnn.azureadprovider/tree/v4.0.0-preview with backwards compatibility.