Get username linked to Azure AD bearer token

Question

I'm running a Cordova app which connects to a Web API hosted on Azure. I've got the API secured using Azure AD bearer authentication. When the user tries to call one of the endpoints, he's forwarded to the Azure AD sign-in page, enters his credentials and then is given the token. The token is added to all subsequent requests to the API. I'm using the mobile apps client SDK to do so (cordova-plugin-ms-azure-mobile-apps).

I now would like to know who's calling the API, on the server side. I've inspected the User property of my Web API controller. There's some information there including a number of claims, but nothing which resembles the actual username (only a sid).

So the question now is:

  • Can I somehow add the information to the token? Since the token comes from Azure AD, I suppose that would also be the place to add additional information, but I'm not sure whether that is possible.
  • If not, can I somehow use the sid to translate this into the user that has logged in?

And perhaps there are other options I didn't think of.

Solution

I found this: https://github.com/Azure/azure-mobile-apps-net-server/wiki/Understanding-User-Ids. It explains how the "stable_sid" property is a more stable identifier than the e-mail address of the user, as you might have multiple authentication providers, and a provider in turn might decide to change things on their side.

So I came to the conclusion that instead of trying to find the e-mail address, I'm going to rewrite some things to use the stable_sid identifier instead.
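The approach the solution settles on, written out as an added example for an ASP.NET Web API 2 controller hosted behind App Service Authentication (this is editor-supplied illustration, not code from the question, the answer or the Azure Mobile Apps project). It keys the server-side user record on the stable `sid` claim taken from the validated principal and treats the e-mail/UPN as a mutable attribute that is refreshed on every call rather than used as a key. Assumptions: `Request.GetAppServiceIdentityAsync<AzureActiveDirectoryCredentials>()` and its `UserId`, `ObjectId` and `TenantId` properties are as exposed by the Microsoft.Azure.Mobile.Server.Authentication package; `UserProfile`, `WhoAmIController` and the in-memory `Profiles` store are hypothetical names standing in for a real table.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.Azure.Mobile.Server.Authentication;

// Hypothetical profile record. Only StableSid is a key; everything else is
// informational and allowed to change over the lifetime of the account.
public class UserProfile
{
    public string StableSid { get; set; }     // "sid:..." from the validated principal; never changes for this provider account
    public string Upn { get; set; }           // user principal name / e-mail: may be renamed, so never use as a key
    public string ObjectId { get; set; }      // AAD object id (assumption: from AzureActiveDirectoryCredentials.ObjectId)
    public string TenantId { get; set; }      // AAD tenant id  (assumption: from AzureActiveDirectoryCredentials.TenantId)
    public DateTime FirstSeenUtc { get; set; }
}

[Authorize]
public class WhoAmIController : ApiController
{
    // Stand-in for a database table with a unique index on StableSid (constructed for the example).
    private static readonly ConcurrentDictionary<string, UserProfile> Profiles =
        new ConcurrentDictionary<string, UserProfile>(StringComparer.Ordinal);

    // GET api/WhoAmI
    public async Task<IHttpActionResult> Get()
    {
        // App Service Authentication has already validated the bearer token before this runs.
        // The NameIdentifier claim on the resulting principal is the provider-scoped "sid:..."
        // value the question observed; it is the identifier that stays constant for this account.
        var principal = User as ClaimsPrincipal;
        string stableSid = principal?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (string.IsNullOrEmpty(stableSid))
        {
            // No validated identity on the request: refuse rather than fall back to anything the client sent.
            return Unauthorized();
        }

        // Human-readable details are not carried in the token the API receives. They are looked up
        // from the App Service token store for the current caller. Assumption: this extension method
        // and the UserId/ObjectId/TenantId properties are the ones the Mobile Apps .NET server SDK exposes.
        AzureActiveDirectoryCredentials aad =
            await Request.GetAppServiceIdentityAsync<AzureActiveDirectoryCredentials>();

        // Upsert keyed on the stable sid: a renamed UPN updates the attribute but never creates a
        // second identity, and a reissued e-mail address cannot be used to claim someone else's record.
        UserProfile profile = Profiles.AddOrUpdate(
            stableSid,
            key => new UserProfile
            {
                StableSid = key,
                Upn = aad?.UserId,
                ObjectId = aad?.ObjectId,
                TenantId = aad?.TenantId,
                FirstSeenUtc = DateTime.UtcNow
            },
            (key, existing) =>
            {
                existing.Upn = aad?.UserId;      // refresh mutable attributes only
                existing.ObjectId = aad?.ObjectId;
                existing.TenantId = aad?.TenantId;
                return existing;
            });

        return Ok(new
        {
            profile.StableSid,
            profile.Upn,
            profile.ObjectId,
            profile.TenantId,
            profile.FirstSeenUtc
        });
    }
}
```

Two caveats worth keeping in mind with this design. The `sid` is scoped to one authentication provider, so the same person signing in through a second provider gets a different `sid`; if you ever need to correlate across providers, the Azure AD object id plus tenant id is the pair to compare, not the e-mail address. And the username should only ever come from the server-validated principal or the App Service token store, never from a header or request body the client controls.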