How is the sub claim in the userinfo OpenID endpoint established?

Ted van der Voorde 1 Reputation point
2020-11-18T14:50:18.417+00:00

Hi,
When I register an app in AAD, and then perform an OAuth2 / OpenID authentication, and then query the OpenID userinfo endpoint (https://graph.microsoft.com/oidc/userinfo) with the access_token, it returns a JSON like this:

{
    "sub": "bPnSL00SVbZoFB97zHSwi9ksiT4bAzGxL2LKk2oaJcM",
    "name": "steve",
    "picture": "https://graph.microsoft.com/v1.0/me/photo/$value"
}

My question is - how is the 'sub' claim created?
Per the documentation, it returns a different value per application, but I would like to predict it up front to pre-load identities in the other application so they are matched automatically. I'm restricted in how I can do that, and can only use the 'sub' field from the userinfo response. (I cannot change the application.)

From:

https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens

The subject is, however, a pairwise identifier - it is unique to a particular application ID. Therefore, if a single user signs into two different apps using two different client IDs, those apps will receive two different values for the subject claim.


1 answer

  1. 2020-11-19T19:26:09.69+00:00

    Hello @Ted van der Voorde, such information is internal and not publicly available. I would recommend using the oid to identify a user within a tenant, or, to duplicate the sub's mission, combine the clientid + oid and store them in the state parameter or output them as a claim using claims transformation.

    Let us know if this answer was helpful to you. If so, please remember to accept it so that others in the community with similar questions can more easily find a solution.

    1 person found this answer helpful.
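As an added illustration of the answer's suggestion (example code written for this page, not from the original thread or from Microsoft): match pre-loaded identities on the tenant-wide oid rather than the per-app sub, and, where an app-scoped identifier is still wanted, derive one from client_id + oid. All IDs, the directory records and the HMAC key are constructed placeholders; the example assumes the application can read the oid claim from the ID token, since the userinfo response shown above does not carry it.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed sample values (placeholders, not real tenant data): the same user
# seen by two app registrations. 'oid' is the user object ID, stable across apps
# within the tenant; 'sub' is the pairwise value issued per application, which
# the relying party cannot predict ahead of the first sign-in.
USER_OID = "00000000-0000-0000-0000-00000000abcd"
APP_A = "11111111-1111-1111-1111-111111111111"
APP_B = "22222222-2222-2222-2222-222222222222"
LOGIN_APP_A = {"aud": APP_A, "oid": USER_OID, "sub": "sub-value-seen-by-app-a"}
LOGIN_APP_B = {"aud": APP_B, "oid": USER_OID, "sub": "sub-value-seen-by-app-b"}

# Pre-loaded identity store keyed by the tenant-wide oid, as the answer
# suggests, instead of by the per-app 'sub'.
DIRECTORY = {USER_OID: {"display_name": "steve", "role": "viewer"}}


def match_identity(claims: dict, directory: dict) -> Optional[dict]:
    """Look up a pre-loaded identity by the 'oid' claim; None if absent."""
    oid = claims.get("oid")
    return directory.get(oid) if oid else None


def pairwise_id(client_id: str, oid: str, key: bytes) -> str:
    """Derive a per-application identifier from client_id + oid.

    HMAC-SHA256 under a relying-party secret (an assumption of this example)
    keeps the oid from being read back out of the derived value while staying
    deterministic: same user + same app -> same id, other app -> other id.
    The key must stay fixed, or every previously issued id changes.
    """
    msg = f"{client_id}:{oid}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def same_user_across_apps(claims_a: dict, claims_b: dict) -> bool:
    """True when 'oid' matches even though the pairwise 'sub' values differ."""
    return claims_a["oid"] == claims_b["oid"] and claims_a["sub"] != claims_b["sub"]


if __name__ == "__main__":
    key = b"constructed-demo-key"
    print(match_identity(LOGIN_APP_A, DIRECTORY))
    print(pairwise_id(APP_A, USER_OID, key), pairwise_id(APP_B, USER_OID, key))
```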