I'm running a Cordova app which connects to a Web API hosted on Azure. I've got the API secured using Azure AD bearer authentication. When the user tries to call one of the endpoints, he's forwarded to the Azure AD sign-in page, enters his credentials and then is given the token. The token is added to all subsequent requests to the API. I'm using the mobile apps client SDK to do so (cordova-plugin-ms-azure-mobile-apps).
I now would like to know who's calling the API, on the server side. I've inspected the User property of my Web API controller. There's some information there including a number of claims, but nothing which resembles the actual username (only a sid).
So the question now is:
And perhaps there are other options I didn't think of.
I found this: https://github.com/Azure/azure-mobile-apps-net-server/wiki/Understanding-User-Ids. It explains how the "stable_sid" property is a more stable identifier than the e-mail address of the user, as you might have multiple authentication providers and a provider in turn might decide to change things on their side.
So I came to the conclusion that instead of trying to find the e-mail address, I'm going to rewrite some things to use the stable_sid identifier instead.