python-social-auth / social-core

Python Social Auth - Core
BSD 3-Clause "New" or "Revised" License

AzureAD: use objectId instead of UPN as unique identifier #684

Open Exordian opened 2 years ago

Exordian commented 2 years ago

Expected behaviour

Use Azure objectId as identifier.

Actual behaviour

UPN is used as user identifier [1].

What are the steps to reproduce this issue?

Use Azure AD authentication.

Any logs, error output, etc?

-

Any other comments?

The UPN should reflect the primary mail, as recommended by Microsoft [2]. The e-mail address might change over time due to a new name of the person, mergers and acquisitions, or similar actions.

Microsoft recommends using the objectId as the unique identifier.

[1] https://github.com/python-social-auth/social-core/blob/98c81ad7f0a8231c1b4b55fe88064d364c8e9c86/social_core/backends/azuread.py#L81
[2] https://docs.microsoft.com/en-us/azure/active-directory/hybrid/howto-troubleshoot-upn-changes

svdHero commented 2 years ago

@Exordian That would be oid then and not objectId, wouldn't it?

joachimBurket commented 1 year ago

@svdHero yes it would be the oid. I also saw that the upn, preferred_username, or sub claims are used as the unique identifier (depending on the class), and I also thought that the oid was the claim recommended by Microsoft.

joachimBurket commented 1 year ago

I can make a PR to change it, but as I'm just starting to use this library, I'm not sure what it would imply on existing applications.
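As an added illustration of the identity-continuity problem discussed in this issue (example code, not social-core's own backend): a small resolver that keys an account on the token's `oid` claim and uses `upn` only to migrate accounts created under the old UPN-based scheme. The claim sets are constructed for the example and the resolver assumes a single tenant; a multi-tenant application would combine `tid` with `oid`.

```python
# Added example: key accounts on the stable `oid` claim rather than the
# mutable `upn`. Claims are constructed for illustration; a real backend
# would take them from the validated ID token or user-info response.

# Constructed claims for one Azure AD user before and after a name change.
BEFORE_RENAME = {
    "oid": "11111111-2222-3333-4444-555555555555",  # placeholder object id
    "upn": "jane.smith@example.com",
    "name": "Jane Smith",
}
AFTER_RENAME = {
    "oid": "11111111-2222-3333-4444-555555555555",  # unchanged after rename
    "upn": "jane.jones@example.com",                # UPN changed
    "name": "Jane Jones",
}


def user_id_from_claims(claims):
    """Return the identifier to key the account on.

    `oid` is immutable for the life of the directory object, so it wins when
    present; `upn` remains only as a fallback for tokens that lack `oid`.
    """
    oid = claims.get("oid")
    if oid:
        return oid
    upn = claims.get("upn")
    if upn:
        return upn
    raise ValueError("token carries neither oid nor upn")


def resolve_account(accounts, claims):
    """Find (or create) the stored account for these claims.

    `accounts` maps identifier -> account dict. An account still keyed by UPN
    from the old scheme is re-keyed to the oid on first sight, so a later UPN
    change neither creates a duplicate account nor lets a reissued UPN land on
    someone else's account.
    """
    uid = user_id_from_claims(claims)
    if uid in accounts:
        return accounts[uid]
    legacy = accounts.pop(claims.get("upn"), None)
    if legacy is not None:
        accounts[uid] = legacy  # migrate the UPN-keyed account to oid
        return legacy
    accounts[uid] = {"name": claims.get("name")}
    return accounts[uid]
```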