Getting the Current User Identity in a Low Trust App in SharePoint 2013

Today's post comes primarily because it's a common question, but not because it's a particularly brilliant answer; maybe just a bit unexpected. If you followed the some of the differences between low trust and high trust apps in SharePoint, you will know that in a low trust app, SharePoint knows who the user is, versus a high trust app where the app tells SharePoint who the user is - see Security in SharePoint Apps Part 3 for more details (https://blogs.technet.com/b/speschka/archive/2013/07/29/security-in-sharepoint-apps-part-3.aspx).

The common misconception here though is that you can look at the context token that SharePoint sends over to determine who the user is that is making the request. I explain more about the context token in Part 4 of the Security in SharePoint Apps series: https://blogs.technet.com/b/speschka/archive/2013/07/30/security-in-sharepoint-apps-part-4.aspx. If you look at the contents of the context token you'll see that there really isn't a single thing in there that uniquely identifies an individual. The solution to this problem then, is that you need to make a CSOM call to actually get the user's identity. Fortunately this actually pretty easy; what I've got here is a slightly modified version of the basic code that Visual Studio generates for you when you create a new low trust SharePoint App project in a provider hosted web:

var contextToken = TokenHelper.GetContextTokenFromRequest(Page.Request);
var hostWeb = Page.Request["SPHostUrl"];

using (var clientContext = TokenHelper.GetClientContextWithContextToken(hostWeb, contextToken, Request.Url.Authority))
{
 clientContext.Load(clientContext.Web, web => web.Title, user => user.CurrentUser);
 clientContext.ExecuteQuery();
 Microsoft.SharePoint.Client.User curUser = clientContext.Web.CurrentUser;
 Response.Write("Current user is " + curUser.Email);
}

I highlighted the parts there to illustrate the main difference with the code that you get out of the box. As you can see, you can just use the CurrentUser of the context web in order to get information about which user is actually using your application. As I said, not difficult, but maybe not the answer you were expecting.