Getting the Current User Identity in a Low Trust App in SharePoint 2013

Today’s post comes primarily because it’s a common question, but not because it’s a particularly brilliant answer; maybe just a bit unexpected.  If you followed the some of the differences between low trust and high trust apps in SharePoint, you will know that in a low trust app, SharePoint knows who the user is, versus a high trust app where the app tells SharePoint who the user is – see Security in SharePoint Apps Part 3 for more details (

The common misconception here though is that you can look at the context token that SharePoint sends over to determine who the user is that is making the request.  I explain more about the context token in Part 4 of the Security in SharePoint Apps series:  If you look at the contents of the context token you’ll see that there really isn’t a single thing in there that uniquely identifies an individual.  The solution to this problem then, is that you need to make a CSOM call to actually get the user’s identity.  Fortunately this actually pretty easy; what I’ve got here is a slightly modified version of the basic code that Visual Studio generates for you when you create a new low trust SharePoint App project in a provider hosted web:

var contextToken = TokenHelper.GetContextTokenFromRequest(Page.Request);
var hostWeb = Page.Request[“SPHostUrl”];

using (var clientContext = TokenHelper.GetClientContextWithContextToken(hostWeb, contextToken, Request.Url.Authority))
 clientContext.Load(clientContext.Web, web => web.Title, user => user.CurrentUser);
 Microsoft.SharePoint.Client.User curUser = clientContext.Web.CurrentUser;
 Response.Write(“Current user is ” + curUser.Email);

I highlighted the parts there to illustrate the main difference with the code that you get out of the box.  As you can see, you can just use the CurrentUser of the context web in order to get information about which user is actually using your application.  As I said, not difficult, but maybe not the answer you were expecting.



2 thoughts on “Getting the Current User Identity in a Low Trust App in SharePoint 2013

  1. Interesting blog post! I receive an “Invalid length for a Base-64 char array or string” error when using your code which originates from ReadAndValidateContextToken.


  2. I get the same error as Ryan. when using identity tokens from a javascript add-in:

    private AppIdentityToken CreateAndValidateIdentityToken(string rawToken, string hostUri)
    AppIdentityToken token = (AppIdentityToken)AuthToken.Parse(rawToken);
    token.Validate(new Uri(hostUri));

    WriteToFile(“Token has been validated. Returning token”);

    return token;
    catch (TokenValidationException ex)
    WriteToFile(“TokenValidationException: ” + ex.Message);
    throw new ApplicationException(“A client identity token validation error occurred.”, ex);

    What exactly causes this issue? I’m not sure.

    Interesting post though. Keep up the good work!


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s