What is the recommended way to obtain the Object ID of an AD B2C user from within a nodejs Azure Function that uses EasyAuth?
I'm able to:
- Sign the user into B2C and obtain an Access Token
- Send the Access Token to /.auth/login/aad and obtain an Authentication Token
- Call my back-end function, passing in the Authentication Token, and receive the x-ms-* headers inside my function
- Successfully exit the function and return data to the client
The x-ms-* headers received by the function are:
"x-ms-client-principal-id": "sid:f0a0c2c<removed>",
"x-ms-client-principal-idp": "aad",
"x-ms-client-principal": "eyJhdXRoX3<removed>",
"x-ms-token-aad-access-token": "eyJ0eXAiOiJKV<removed>"
I was (naively) expecting that x-ms-client-principal-id would be my user's B2C Object ID (9XXXXXXX-7XXX-4XXX-9XXX-0XXXXXXXXXX).
The options I can see are:
a) Call /.auth/me from within the function and use the "http://schemas.microsoft.com/identity/claims/objectidentifier" claim. However, the docs say this is intended for use by client code.
b) Parse the jwt token from the "x-ms-token-aad-access-token" header and use its "oid" property. However, the docs say you shouldn't rely on the format of access tokens.
c) Have the client also pass in the idToken, parse the jwt token from the "x-ms-token-aad-id-token" header, and use its "oid" property. However, it isn't clear if we can trust EasyAuth to have validated the idToken.
What is the recommended approach?
Many thanks in advance.
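Added example, not part of the original question: the x-ms-client-principal header shown above ("eyJhdXRoX3...") begins with the base64 encoding of `{"auth_typ` , and EasyAuth populates it server-side after it has validated the token, so it is the header a function can read without re-parsing the access token itself. The snippet below decodes that header and looks up the objectidentifier claim named in option (a). Assumptions (not stated in the question): the header is base64-encoded JSON of the form `{ auth_typ, claims: [{ typ, val }, ...], name_typ, role_typ }`, header names are lower-cased on `req.headers`, and the sample principal and header values are constructed for the example.

```javascript
// Added example (not from the original question or Azure's own code).
// Assumption: x-ms-client-principal is base64 JSON shaped as
// { auth_typ, claims: [{ typ, val }, ...], name_typ, role_typ }.

const OID_CLAIM = 'http://schemas.microsoft.com/identity/claims/objectidentifier';
// Object IDs are GUIDs; reject anything else so a malformed claim is not used as a key.
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Decode the base64 JSON principal; return null on any shape or parse error.
function decodeClientPrincipal(headerValue) {
  if (typeof headerValue !== 'string' || headerValue.length === 0) return null;
  let principal;
  try {
    principal = JSON.parse(Buffer.from(headerValue, 'base64').toString('utf8'));
  } catch (e) {
    return null;
  }
  if (!principal || !Array.isArray(principal.claims)) return null;
  return principal;
}

// Return the B2C object ID from the request headers, or null if the
// request does not carry a validated AAD principal with a well-formed oid.
function getObjectId(headers) {
  if (!headers || headers['x-ms-client-principal-idp'] !== 'aad') return null;
  const principal = decodeClientPrincipal(headers['x-ms-client-principal']);
  if (!principal) return null;
  const claim = principal.claims.find(
    (c) => c && (c.typ === OID_CLAIM || c.typ === 'oid') && typeof c.val === 'string'
  );
  if (!claim || !GUID_RE.test(claim.val)) return null;
  return claim.val.toLowerCase();
}

// Build the function's response from the request alone (easy to unit test).
function handleRequest(req) {
  const objectId = getObjectId(req && req.headers);
  if (!objectId) {
    return { status: 401, body: { error: 'no authenticated B2C user on request' } };
  }
  return { status: 200, body: { objectId } };
}

// Azure Functions (Node.js v1-v3 programming model) entry point.
async function run(context, req) {
  context.res = handleRequest(req);
}

// Constructed sample data (not real values) so the example runs offline.
const samplePrincipal = {
  auth_typ: 'aad',
  claims: [
    { typ: OID_CLAIM, val: '9A1B2C3D-7E4F-4A5B-9C6D-0E1F2A3B4C5D' },
    { typ: 'name', val: 'Sample User' },
  ],
  name_typ: 'name',
  role_typ: 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role',
};
const sampleHeaders = {
  'x-ms-client-principal-idp': 'aad',
  'x-ms-client-principal-id': 'sid:constructed-example',
  'x-ms-client-principal': Buffer.from(JSON.stringify(samplePrincipal)).toString('base64'),
};

// Stand-alone run: simulate the function host calling the entry point.
const ctx = {};
run(ctx, { headers: sampleHeaders }).then(() => {
  console.log(JSON.stringify(ctx.res)); // status 200 with the lower-cased object ID
});
```

The idp check and the GUID check are the two guards worth keeping: the first rejects principals from any other configured provider, and the second stops a malformed or missing claim from silently becoming a user key in your data store.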