Tags: azure, oauth-2.0, azure-active-directory, microsoft-entra-id, azure-app-registration

In an Entra ID OpenID token, which I get using an Azure App registration, what is the "oid" claim in the resulting access token, and where does it come from?


I have an App Registration in Azure:

Application (client) ID: aeb***f61
Object ID: f3f***1d9
Directory (tenant) ID: 937***7d1

I am prototyping a client using Postman. I can get the token successfully with the following Authorization settings:

Grant type: Client Credentials
Access Token URL: https://login.microsoftonline.com/{{tenantid}}/oauth2/v2.0/token
Client ID: {{clientid}}
Client Secret: {{clientsecret}}
Scope: {{scope}}

In the resulting token there is an "oid" claim, which I know stands for Object ID, but it is neither the application ID, nor the application's object ID, nor my Entra ID user ID (which, by the way, is nowhere configured in Postman):

{
    "aud": "https://service.flow.microsoft.com/",
    "iss": "https://sts.windows.net/937***7d1/",
    "iat": 1714630709,
    "nbf": 1714630709,
    "exp": 1714634609,
    "aio": "E2N***AQA=",
    "appid": "aeb***f61",
    "appidacr": "1",
    "idp": "https://sts.windows.net/937***7d1/",
    "idtyp": "app",
    "oid": "266***b55",
    "rh": "0.A***QA.",
    "sub": "266***b55",
    "tid": "937***7d1",
    "uti": "OVe***LAA",
    "ver": "1.0"
}

Where is this "266***b55" GUID coming from?

Why am I asking this?

I want to secure this service (which is a Power Automate Cloud Flow, triggered by an HTTP request). In the "When a HTTP Request Received" step I can set "Who can trigger the flow" to "Specific users in my tenant", and in this case, when I set the "Allowed users" to "266***b55", it works; in all other cases I get 403. So the implementation of the Cloud Flow looks for this claim; I just do not know where it is coming from, so I cannot base a security strategy on it. (Maybe it is common for all apps, or some Azure built-in service object ID?)


Solution

  • It's the object ID of the calling service principal, which can be found on the "Enterprise application" side of your app registration in the Entra/Azure Portal.

    Further explanation: in the case of other grant types, such as the authorization code flow, it will be the object ID of the user making the request, as detailed in the description of 'oid'. Back to the case of the client credentials flow: an educated guess is that Enterprise applications are outward-facing and identify themselves using a more "global" GUID, compared to the app registration, which is a trust tied to your tenant.
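The object ID in question is that of the service principal (the Enterprise application), not of the application object (the App registration): a registration is a single application object, and every tenant that uses the app gets its own service principal with its own object ID, which is what the flow's "Allowed users" list is matched against. In the Azure CLI that ID is what "az ad sp show --id <application-client-id> --query id -o tsv" returns. The script below is an added example, not part of the original question or answer. It decodes a token the way Postman displays it, classifies the caller from the idtyp claim (falling back to a scp/upn heuristic, which is an assumption on my part, since Microsoft only guarantees idtyp when it is requested as an optional claim), and applies an allow-list of service-principal object IDs; every GUID and token in it is constructed. It deliberately does not verify the signature: a real resource must check the signature against the tenant's signing keys, plus iss, aud and exp, before trusting any of these claims.

```python
import base64
import json

# Constructed sample values (not from the original post): the service-principal
# object ID that the flow's "Allowed users" list should contain, the app
# registration's application (client) ID, and the tenant ID.
SP_OBJECT_ID = "266aaaaa-bbbb-cccc-dddd-eeeeeeeeeb55"
APP_CLIENT_ID = "aeb11111-2222-3333-4444-555555555f61"
TENANT_ID = "93766666-7777-8888-9999-aaaaaaaaa7d1"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT-shaped string with a dummy signature, for offline testing only."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.dummy-signature"


def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature.
    This is for inspection (what Postman shows you), not for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def caller_identity(claims: dict) -> tuple:
    """Classify the caller as ('app', <service principal oid>) or ('user', <user oid>).

    Uses the idtyp claim when present (the token in the post carries it).
    Fallback heuristic (assumption): delegated/user tokens carry scp or upn,
    app-only tokens (client credentials) do not."""
    oid = claims["oid"]
    idtyp = claims.get("idtyp")
    if idtyp in ("app", "user"):
        return idtyp, oid
    if "scp" in claims or "upn" in claims:
        return "user", oid
    return "app", oid


def is_allowed_caller(claims: dict, allowed_sp_oids: set, expected_tenant: str) -> bool:
    """Allow-list check modelled on the flow's "Allowed users" setting:
    the token must come from our tenant and its oid must be a known service principal.
    Note that the app registration's client ID is NOT what is matched."""
    if claims.get("tid") != expected_tenant:
        return False
    kind, oid = caller_identity(claims)
    return kind == "app" and oid in allowed_sp_oids


# Constructed app-only token shaped like the one in the post (client credentials).
APP_TOKEN = make_unsigned_jwt({
    "aud": "https://service.flow.microsoft.com/",
    "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "appid": APP_CLIENT_ID,
    "appidacr": "1",
    "idtyp": "app",
    "oid": SP_OBJECT_ID,
    "sub": SP_OBJECT_ID,  # for app-only tokens sub equals the SP oid, as in the post
    "tid": TENANT_ID,
    "ver": "1.0",
})

# Constructed delegated token: same app, but a user signed in (authorization code flow).
USER_OID = "dddddddd-1111-2222-3333-444444444444"
USER_TOKEN = make_unsigned_jwt({
    "aud": "https://service.flow.microsoft.com/",
    "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "appid": APP_CLIENT_ID,
    "idtyp": "user",
    "oid": USER_OID,
    "scp": "user_impersonation",
    "tid": TENANT_ID,
    "upn": "someone@example.com",
    "ver": "1.0",
})

if __name__ == "__main__":
    for name, tok in (("app-only", APP_TOKEN), ("delegated", USER_TOKEN)):
        c = decode_claims(tok)
        print(name, caller_identity(c), is_allowed_caller(c, {SP_OBJECT_ID}, TENANT_ID))
```

Two practical notes. First, for app-only tokens the oid and sub claims are identical, so either identifies the service principal; for user tokens sub is pairwise per application while oid is stable across applications, so oid is the claim to key an allow-list on in both cases. Second, if you ever see a different oid from the same client ID, check which tenant issued the token: a multi-tenant app has one service principal, with a distinct object ID, per consenting tenant.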