[Bug] ClaimsPrincipalExtensions.GetNameIdentifierId uses utid instead of sub claim

[felickz]

Which Version of Microsoft Identity Web are you using ?
Note that to get help, you need to run the latest version.
Microsoft Identity Web 0.1.3-preview
https://github.com/AzureAD/microsoft-identity-web/blob/master/src/Microsoft.Identity.Web/ClaimsPrincipalExtensions.cs
Where is the issue?

• Web App
  • Sign-in users
  • Sign-in users and call web APIs
• Web API
  • Protected web APIs (Validating tokens)
  • Protected web APIs (Validating scopes)
  • Protected web APIs call downstream web APIs
• Token cache serialization
  • In Memory caches
  • Session caches
  • Distributed caches

Other? - please describe;

Is this a new or existing app?

Repro

        /// <summary>
        /// Gets the NameIdentifierId associated with the <see cref="ClaimsPrincipal"/>.
        /// </summary>
        /// <param name="claimsPrincipal">the <see cref="ClaimsPrincipal"/> from which to retrieve the sub claim.</param>
        /// <returns>Name identifier ID (sub) of the identity, or <c>null</c> if it cannot be found.</returns>
        public static string GetNameIdentifierId(this ClaimsPrincipal claimsPrincipal)
        {
            return claimsPrincipal.FindFirstValue(ClaimConstants.UniqueObjectIdentifier);
        }

Expected behavior
As per documentation - this should be looking for SUB claim?

Actual behavior
Uses

        /// <summary>
        /// UniqueObjectIdentifier: "utid".
        /// </summary>
        public const string UniqueObjectIdentifier = "utid";

Possible Solution

            return claimsPrincipal.FindFirstValue(ClaimConstants.Sub);

[jmprieur]

@felickz: which documentation?

[jmprieur]

@felickz ?

[felickz]

@jmprieur - the XML comment which indicates it pulls the "sub claim" - which is published to docs: https://docs.microsoft.com/en-us/dotnet/api/microsoft.identity.web.claimsprincipalextensions.getnameidentifierid?view=azure-dotnet-preview#parameters

Parameters
ClaimsPrincipal
the ClaimsPrincipal from which to retrieve the sub claim.

Only stumbled on this because our b2c integration code fell into a odd flow, if this would have been looking at the sub claim as documented - my code would have worked out of the box. I cannot find any documentation on what the utid is intended to be sent by - some internal MSAL claim?

Interesting though - that code has already been refactored and the method which caused that code to fall through is no longer there

string nameIdentifierId = claimsPrincipal.GetNameIdentifierId();

448ce07#diff-dd842d9acd1b68a77df061ba4429d4d6

[jmprieur]

Thanks @felickz for your explanations

[pmaytak]

Fixed in Microsoft Identity Web 0.1.5-preview release.

cc: @felickz