
AzureAD: use objectId instead of UPN as unique identifier

Open Exordian opened this issue 2 years ago • 3 comments

Expected behaviour

Use Azure objectId as identifier.

Actual behaviour

UPN is used as user identifier [1].

What are the steps to reproduce this issue?

Use Azure AD authentication.

Any logs, error output, etc?

Any other comments?

The UPN should reflect the primary mail as recommended by Microsoft [2]. The e-mail address might change over time due to a name change of the person, mergers and acquisitions, or similar actions.

Microsoft recommends using the objectId as the unique identifier.

[1] https://github.com/python-social-auth/social-core/blob/98c81ad7f0a8231c1b4b55fe88064d364c8e9c86/social_core/backends/azuread.py#L81
[2] https://docs.microsoft.com/en-us/azure/active-directory/hybrid/howto-troubleshoot-upn-changes

Exordian avatar May 08 '22 19:05 Exordian
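The effect the issue describes, shown as an added example that is not social-core's code: the same person logs in before and after a UPN change, and keying accounts by `upn` yields two accounts while keying by `oid` yields one. The claim names `oid` and `upn` follow Azure AD ID tokens; the GUID values and addresses are constructed, and the `oid`-first-with-`upn`-fallback rule is one possible migration strategy, not the project's.

```python
"""Constructed example: choosing a stable Azure AD user identifier.

Claim names follow Azure AD ID tokens: ``oid`` (object ID, a GUID that
stays fixed for the account) and ``upn`` (user principal name, which
changes when the user's primary e-mail changes).
"""
import re

# Azure AD object IDs are GUIDs; anything else is rejected rather than trusted.
_GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)


def legacy_user_id(claims: dict) -> str:
    """The behaviour the issue describes: identify the user by UPN."""
    return claims["upn"].lower()


def stable_user_id(claims: dict) -> str:
    """Identify the user by ``oid``; fall back to ``upn`` only when ``oid`` is absent.

    The fallback is an assumed migration aid for deployments that already
    store UPN-based identifiers; it is not part of the issue's proposal.
    """
    oid = claims.get("oid")
    if oid:
        if not _GUID_RE.match(oid):
            raise ValueError(f"unexpected oid format: {oid!r}")
        return oid.lower()
    return legacy_user_id(claims)


def distinct_accounts(logins, key_func) -> set:
    """Return the set of account keys a sequence of logins would map to."""
    return {key_func(claims) for claims in logins}


# Constructed ID-token claims for ONE person: the UPN changes after a rename,
# the object ID does not.
SAME_USER_LOGINS = [
    {"oid": "7b0b0fd4-9a44-4c7b-8d4e-3a7a1d3c2f10", "upn": "alice.smith@contoso.example"},
    {"oid": "7b0b0fd4-9a44-4c7b-8d4e-3a7a1d3c2f10", "upn": "alice.jones@contoso.example"},
]

if __name__ == "__main__":
    print("accounts keyed by upn:", distinct_accounts(SAME_USER_LOGINS, legacy_user_id))
    print("accounts keyed by oid:", distinct_accounts(SAME_USER_LOGINS, stable_user_id))
```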

@Exordian That would be oid then and not objectId, wouldn't it?

svdHero avatar Aug 02 '22 14:08 svdHero

@svdHero yes it would be the oid. I also saw that the upn, preferred_username, or sub claims are used as the unique identifier (depending on the class), and I also thought that the oid was the claim recommended by Microsoft.

joachimBurket avatar Oct 18 '22 09:10 joachimBurket

I can make a PR to change it, but as I'm just starting to use this library, I'm not sure what it would imply on existing applications.

joachimBurket avatar Oct 18 '22 10:10 joachimBurket