Authentication with Microsoft for existing users

Question

I'm developing a Webapp with (ext)ASP.NET that already has users registered. I'm trying to add Authentication with Microsoft (OpenID Connect).

My problem is, that I don't know how I should connect the existing users to their respective Microsoft account. After the first time they have logged in, I should have the "sub" saved in my database, and can compare users with that.

But the first time, I don't know what to do. I can't really check for email in they payload in "preferred_username", since that is mutable.

My second question is, is saving the "sub" in my Database the wrong approach?

Answer 1

@WilliamAgner-4354, Thank you for reaching out. To begin with I would first like to share my understanding about the issue: You already have an existing Azure AD Tenant that has users in it and now you are trying to develop a Webapp, where these Azure AD users would be logging in and you are using ASP .NET framework to develop this web application.

Now, with this understanding, I would like to share my views. To start with you can take a look at the following sample which talks about the ways to implement OIDC (Open ID Connect) in your webapp to get organization users to login to your application.

Now in this sample you would find implementation of MSAL library of Microsoft to fetch the tokens from AAD for your users and then using Open ID Connect using the OWIN middleware.

Also, can you share little more details about your idea of saving the "sub" into a Database. I mean just wanted to understand your thought behind it to make sure we are on the same page and then proceed and by "sub" I believe you are referring to the sub claim present in the token.

Do share the details so that we can help you better and if the current sample and response helped in answering your query completely, please accept the response as an Answer so that it helps others visiting the forum with similar queries.