Error message: "A unique identifier was not provided for the user" while adding a new user via AAD
-
Follow the guidelines at https://fusionauth.io/docs/v1/tech/identity-providers/openid-connect/azure-ad/ to utilize the AAD configuration.

When create registration is enabled, however, I am unable to create a new FA user. I receive an error "The user was not given a unique identification. This account cannot be used to login; thus, this login request cannot be completed."
According to the event log:

2/23/2023 07:48:05 AM Z Build a new user object from the returned Userinfo response: { "sub" : "3XXJmjO2q9DQCmGWV8-dyv_EzpOT-m_IAc3NX5nuYXA", "name" : "Simon Roberts", "family_name" : "Roberts", "given_name" : "Simon", "picture" : "https://graph.microsoft.com/v1.0/me/photo/$value", "email" : "simon.roberts@mycompany.com" }
2/23/2023 07:48:05 AM Z Linking strategy [LinkByEmail]
2/23/2023 07:48:05 AM Z Resolved email to [smycompany.com]
2/23/2023 07:48:05 AM Z Resolved username to [null]
2/23/2023 07:48:05 AM Z Resolved unique Id to [null]
2/23/2023 07:48:05 AM Z A unique Id was not provided b
How can I get the one-of-a-kind ID? When I open the bearer token in jwt.io, I can see my AAD OID:

"name": "Simon Roberts",
"oid": "fa87b189-7080-4050-aa1b-e77e113e6799",

"openid" is the name of my scope.
What am I overlooking?
-
@polodrawers5 Hiya,

It looks like the sub claim returned is not a UUID: 3XXJmjO2q9DQCmGWV8-dyv_EzpOT-m_IAc3NX5nuYXA. FusionAuth requires all user ids to be a UUID.

The default unique identifier for OIDC is sub, but that can be changed under the Options tab. So I'd try changing that to oid and see if you can create a user.

Thanks for using FusionAuth!
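The resolution step described in the thread (pick the configured claim, accept it only if it is a UUID, otherwise log "Resolved unique Id to [null]"), as an added example that is not part of the original post and not FusionAuth's own code. The claim dictionaries below are constructed to mirror the userinfo response and id_token fragment quoted above; the helper names resolve_unique_id and find_uuid_claims are this example's own, and the check simply parses the value with Python's uuid module, which is an assumption about how strict the real implementation is.

```python
import uuid

# Constructed sample data, modelled on the userinfo response quoted in the
# question: AAD's `sub` is an opaque pairwise string, not a UUID.
USERINFO = {
    "sub": "3XXJmjO2q9DQCmGWV8-dyv_EzpOT-m_IAc3NX5nuYXA",
    "name": "Simon Roberts",
    "family_name": "Roberts",
    "given_name": "Simon",
    "picture": "https://graph.microsoft.com/v1.0/me/photo/$value",
    "email": "simon.roberts@mycompany.com",
}

# Constructed sample, modelled on the id_token fragment shown in jwt.io:
# the `oid` claim is a UUID, so it satisfies the UUID requirement.
ID_TOKEN_CLAIMS = {
    "sub": "3XXJmjO2q9DQCmGWV8-dyv_EzpOT-m_IAc3NX5nuYXA",
    "name": "Simon Roberts",
    "oid": "fa87b189-7080-4050-aa1b-e77e113e6799",
}


def is_uuid(value) -> bool:
    """True if the value parses as an RFC 4122 UUID (hyphenated or not)."""
    if not isinstance(value, str):
        return False
    try:
        uuid.UUID(value)
        return True
    except ValueError:
        return False


def resolve_unique_id(claims: dict, unique_id_claim: str = "sub"):
    """Mimic the 'Resolved unique Id to [...]' step from the log.

    Returns the canonical UUID string when the configured claim holds a
    UUID, or None when the claim is missing or not a UUID (the case that
    produced 'A unique Id was not provided' in the question).
    """
    value = claims.get(unique_id_claim)
    if not is_uuid(value):
        return None
    return str(uuid.UUID(value))


def find_uuid_claims(claims: dict) -> list:
    """List every claim whose value is a UUID: candidates for the
    'unique identifier' setting when the default `sub` does not qualify."""
    return [name for name, value in claims.items() if is_uuid(value)]


if __name__ == "__main__":
    # Default configuration: unique id taken from `sub` -> fails.
    print("sub  ->", resolve_unique_id(USERINFO, "sub"))
    # Suggested fix from the answer: unique id taken from `oid` -> works.
    print("oid  ->", resolve_unique_id(ID_TOKEN_CLAIMS, "oid"))
    print("UUID-valued claims in id_token:", find_uuid_claims(ID_TOKEN_CLAIMS))
```

Running find_uuid_claims over the decoded id_token is a quick way to confirm which claim to point the Options tab at before changing the identity provider. One caveat on the choice itself: in Azure AD the oid claim is the user object's identifier within the tenant, whereas sub is pairwise per application, so switching to oid also means the same FusionAuth link survives if the user later signs in through a different app registration in the same tenant.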