Microsoft Entra ID: How to get OID or other claims? (sub not reliable for user id)

[benhovinga]

With next-auth v5, how do I get the oid, roles, or other claims when authenticating? The user.id provided from sub is changing every time the user logs in and I can't use this as a reliable user id. I'd like to use oid instead.

I have new nextjs v15 app and everything is left as default. I added token to the session for debugging. On the homepage I have <pre>{JSON.stringify(session, null, 2)}</pre> to dump the entire session to the screen. Each time I log in I can see user.id and token.sub are changing. I also don't see any other claims on the token like oid or roles but think I should be get them because I set the scopes to 'openid profile email User.Read'.

I have also tried adding account and profile to token but they don't return anything. I expect to see at least the id_token or access_token in account.

Login results

First login

{
  "user": {
    "name": "Test User",
    "image": null,
    "id": "d7467e6d-9a65-45b9-8f57-34162e54b3ef"  // <-- Changes
  },
  "expires": "2025-02-28T16:10:19.118Z",
  "token": {
    "name": "Test User",
    "picture": null,
    "sub": "d7467e6d-9a65-45b9-8f57-34162e54b3ef",  // <-- Changes
    "id": "d7467e6d-9a65-45b9-8f57-34162e54b3ef",  // <-- Changes
    "test": "Test from JWT",
    "iat": 1738167019,
    "exp": 1740759019,
    "jti": "60720eb9-4f04-4b9f-b138-5277a620d1b8"
  },
  "test": "Test from session"
}

Second Login

{
  "user": {
    "name": "Test User",
    "image": null,
    "id": "38c02cbc-f48b-471c-ac17-ed167bacec07"  // <-- Changes
  },
  "expires": "2025-02-28T16:10:43.213Z",
  "token": {
    "name": "Test User",
    "picture": null,
    "sub": "38c02cbc-f48b-471c-ac17-ed167bacec07",  // <-- Changes
    "id": "38c02cbc-f48b-471c-ac17-ed167bacec07",  // <-- Changes
    "test": "Test from JWT",
    "iat": 1738167043,
    "exp": 1740759043,
    "jti": "934c99f3-a5d7-4cdf-b779-1cbd97ec7f62"
  },
  "test": "Test from session"
}

My Code

/** auth.ts */

import NextAuth from 'next-auth';
import MicrosoftEntraID from 'next-auth/providers/microsoft-entra-id';

export const { handlers, auth, signIn, signOut } = NextAuth({
  providers: [
    MicrosoftEntraID({
      clientId: process.env.AUTH_MICROSOFT_ENTRA_ID_ID,
      clientSecret: process.env.AUTH_MICROSOFT_ENTRA_ID_SECRET,
      issuer: `https://login.microsoftonline.com/${process.env.AUTH_MICROSOFT_ENTRA_ID_TENANT}/v2.0`,
      authorization: {
        params: {
          scope: 'openid profile email User.Read',
          prompt: 'select_account'
        }
      }
    })
  ],
  callbacks: {
    jwt({ token, user, account, profile }) {
      if (user?.id) {
        token.id = user.id;
      }
      // Debug account
      token.account = account;
      // Debug profile
      token.profile = profile;
      // Debug test
      token.test = 'Test from JWT';
      return token;
    },
    session({ session, token }) {
      session.user.id = token.id;
      // Debug token
      session.token = token;
      // Debug test
      session.test = 'Test from session';
      return session;
    }
  }
});

/** app/page.tsx */

import { auth, signIn, signOut } from '@/auth';

export function SignIn() {
  return (
    <form
      action={async () => {
        'use server';
        await signIn();
      }}
    >
      <button type="submit">Sign in</button>
    </form>
  );
}

export function SignOut() {
  return (
    <form
      action={async () => {
        'use server';
        await signOut();
      }}
    >
      <button type="submit">Sign Out</button>
    </form>
  );
}

export default async function Home() {
  const session = await auth();
  if (!session)
    return (
      <div>
        Not authenticated <SignIn />
      </div>
    );

  return (
    <div>
      <pre>{JSON.stringify(session, null, 2)}</pre>
      <SignOut />
    </div>
  );
}

[benhovinga]

I figured out how to get the oid and other claims. But the user id is still getting changed and is not the same between logins.

New code

/** auth.ts */

import NextAuth from 'next-auth';
import MicrosoftEntraID from 'next-auth/providers/microsoft-entra-id';

export const { handlers, auth, signIn, signOut } = NextAuth({
  providers: [
    MicrosoftEntraID({
      clientId: process.env.AUTH_MICROSOFT_ENTRA_ID_ID || '',
      clientSecret: process.env.AUTH_MICROSOFT_ENTRA_ID_SECRET || '',
      issuer: `https://login.microsoftonline.com/${process.env.AUTH_MICROSOFT_ENTRA_ID_TENANT || 'common'}/v2.0`,
      authorization: {
        params: {
          scope: 'openid profile email User.Read',
          prompt: 'select_account'
        }
      },
      async profile(profile) {
        return {
          id: profile.sub,  // <-- Both id and sub should be the same
          sub: profile.sub,  // <-- Both id and sub should be the same
          oid: profile.oid,
          email: profile.email,
          displayName: profile.name,
          firstName: profile.given_name,
          lastName: profile.family_name,
          username: profile.preferred_username
        };
      }
    })
  ],
  callbacks: {
    async jwt({ token, user }) {
      if (user) token.user = user;
      return token;
    },
    async session({ session, token }) {
      session.user = token.user;
      return session;
    }
  }
});

Results

{
  "user": {
    "id": "6d9ed1f7-d8ef-400f-b64d-24b603687bad",  // <-- Both id and sub should be the same
    "sub": "NFepgEpkWsxHWO9q_QPfX61XV01dQeJnK2jGnJHPyqA",  // <-- Both id and sub should be the same
    "oid": "<hidden>",
    "email": "testuser@<hidden>",
    "displayName": "Test User",
    "firstName": "TestFirstName",
    "lastName": "TestLastName",
    "username": "testuser@<hidden>"
  },
  "expires": "2025-02-28T19:04:39.522Z"
}

Can someone explain to me why the user.id is getting changed?