I am integrating my web application with Azure AD via OpenID. User privileges are controlled by my application. I therefore need to map the oid or sub I receive in my access token to a record in my application database that I can use to understand a user's permissions. I intended to have a front end that would allow non-technical system administrators to do this as they receive requests for access.
Is there a way, without performing and logging an OAuth transaction, that system administrators could use to know the likely sub and/or oid that a user will be given at login, so that they could build the required permissions entry?
If not, I am assuming that I will need to perform a userinfo call on receipt of the access token in the server (as token introspection does exist on AD) to retrieve a different and more visible AD property. My application would then key permission records using this property and not oid or sub. My system administrators could set up user permissions using this more widely known field.
`oid` is the Object ID for the user, which is available through MS Graph API as the `id` property. In Azure Portal it's called object ID.

The `sub` claim is not available anywhere except the tokens issued to the application. The same user would have different `sub` values for different applications as well.
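To illustrate the point of the answer, here is an added example (not from the question or answer above) of a server-side lookup that keys permission records on `oid` rather than `sub`, using constructed claim sets for one user as issued to two different app registrations; it assumes the JWT signature, issuer and expiry have already been validated by your OIDC library, and every tenant, client and object ID value is a made-up placeholder.

```python
from typing import Dict, Optional

# Constructed sample claim sets: the same Azure AD user as seen by two different
# app registrations. The tenant-wide object ID (oid) is identical; the pairwise
# subject (sub) differs per application. All values are placeholders.
TENANT_ID = "00000000-0000-0000-0000-000000000001"   # placeholder tenant id
USER_OID = "7f4c3a1e-1111-4d2b-9c0a-000000000001"    # placeholder object ID
CLAIMS_APP_A = {
    "tid": TENANT_ID, "aud": "app-a-client-id", "oid": USER_OID,
    "sub": "pairwise-sub-for-app-a", "preferred_username": "alice@contoso.example",
}
CLAIMS_APP_B = {
    "tid": TENANT_ID, "aud": "app-b-client-id", "oid": USER_OID,
    "sub": "pairwise-sub-for-app-b", "preferred_username": "alice@contoso.example",
}

# Constructed permission store keyed by oid, as an admin front end would populate
# it after copying the user's object ID from the Azure Portal or Graph `id`.
PERMISSIONS_BY_OID: Dict[str, Dict[str, str]] = {USER_OID: {"role": "editor"}}


def resolve_permissions(claims: Dict[str, str], expected_aud: str,
                        store: Dict[str, Dict[str, str]] = PERMISSIONS_BY_OID
                        ) -> Optional[Dict[str, str]]:
    """Return the permission record for the token's user, keyed by oid.

    Assumes signature, issuer and expiry were validated upstream; this only
    checks the claims that must match before oid is trusted as a lookup key.
    """
    if claims.get("tid") != TENANT_ID:
        raise ValueError("token issued for an unexpected tenant")
    if claims.get("aud") != expected_aud:
        raise ValueError("token not issued to this application")
    oid = claims.get("oid")
    if not oid:
        raise ValueError("token carries no oid claim")
    # Unknown oid: no record yet, so the caller denies access (or queues a request).
    return store.get(oid)


def resolve_by_sub(claims: Dict[str, str],
                   store_by_sub: Dict[str, Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Counter-example: a record keyed on sub only matches the app it was made for."""
    return store_by_sub.get(claims.get("sub", ""))
```

Because `oid` is visible to administrators in the portal and via Graph before the user ever signs in, a record keyed on it can be created in advance, whereas a `sub`-keyed record created from one application's token would not match the same user's token for another application.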