
We've had a .NET Framework 4.6/Asp.NET MVC app secured for some time with Azure B2C, enabling sign in with social providers and with a workplace Azure AD account. We configured this more than a year ago with custom policies, when the Identity Experience Framework was quite new, and it has worked successfully ever since.

In about mid-January, some users started experiencing an issue. Sign in with B2C would complete correctly (and be logged as a success in the audit trail), but the user identity would remain unauthenticated. This has now spread, with many users affected, signing in with social providers and/or the linked external AD, but with some users not affected at all (suggesting perhaps an issue with new cookies, whereas old unexpired ones are good?).

The issue can be replicated in testing, and a clean browser will fail to log in multiple times, then succeed perhaps once, or twice, before returning to failing. The success rate is perhaps 1/20, and seems higher with VS 2019 in debugging mode, suggesting perhaps some kind of timing issue.

The fact that it does work very occasionally seems to suggest there isn't anything wrong with the configuration. All traces to Application Insights, as well as the B2C audit log, show successful logins, but the user identity in the Asp.NET site remains unauthenticated. We've tried stepping back in Git as far as the middle of last year, and those older builds experience the same issue, although the code has been functioning in production all this time.

One further oddity. When I inspected the Azure B2C tenant to confirm no keys had expired and no other changes had been made (none had), I discovered it was no longer associated with our subscription - a warning message directed me to attach it. We had certainly done this previously, as we could not have used the Identity Experience Framework otherwise. We don't understand how it could have been removed from our subscription - no such action appears in the activity log. Reattaching it, however, has not fixed the issue above.

What could be happening here? Why would a previously solid app begin malfunctioning in mid-January? How can we debug this when all the logs show a successful authentication? How did the tenant remove itself from our subscription?

Happy to post code if it will help, but I would emphasise that a) this was working previously; and b) it still does work intermittently.

Update: A long and helpful screen-share with Azure support has confirmed that the B2C login process is working correctly, but something (unknown) is going wrong when redirecting back to the application. The JWT looks good. What could this be?

Further Update: Two escalations and further long debugging, and this still isn't fixed. It seems the login completes absolutely correctly, but then the Asp.Net application somehow doesn't trust the result. The JWT looks good, but the user in the app remains unauthenticated (or somehow loses authenticated status at once). Has anyone else hit this kind of issue? What could be going wrong?



With help from the Microsoft Asp.Net support team, we managed to diagnose this as an instance of Katana bug #197 as described here: Application stops generating login cookies

The solution was the well-known app.UseKentorOwinCookieSaver();

https://github.com/KentorIT/owin-cookie-saver

Although we had implemented this fix previously on our Azure AD secured Asp.Net sites, we hadn't needed it previously on a B2C site. We're still not clear why this issue reared its head suddenly on a site that had otherwise been operational and stable for more than a year.

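As an added example (not code from the question, the answer or the Kentor project), here is an OWIN Startup for an ASP.NET MVC site signing in against Azure AD B2C over OpenID Connect, with app.UseKentorOwinCookieSaver() registered ahead of the cookie middleware as the answer describes. The tenant name, client id, policy name and redirect URI are placeholders, and the AuthenticationFailed handler is an assumed addition to surface redirect-back failures instead of silently leaving the user unauthenticated.

```csharp
// Added example, not from the original post. Placeholder values are marked.
using System.Threading.Tasks;
using Kentor.OwinCookieSaver;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(B2CSample.Startup))]

namespace B2CSample
{
    public class Startup
    {
        // Placeholder values; real ones belong in web.config app settings.
        private const string Tenant = "contoso";                          // <tenant>.onmicrosoft.com
        private const string ClientId = "00000000-0000-0000-0000-000000000000";
        private const string SignInPolicy = "B2C_1A_signup_signin";       // custom (IEF) policy name
        private const string RedirectUri = "https://localhost:44300/";

        public void Configuration(IAppBuilder app)
        {
            // Katana bug #197 workaround: must be registered BEFORE any middleware that
            // writes cookies. Without it, System.Web can drop the auth cookie OWIN sets
            // when handling the B2C redirect, so a valid id_token still yields an
            // unauthenticated user on the next request.
            app.UseKentorOwinCookieSaver();

            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            // One OpenIdConnect middleware per B2C policy; the policy name doubles as
            // the AuthenticationType so controllers can challenge a specific policy.
            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                AuthenticationType = SignInPolicy,
                MetadataAddress = $"https://{Tenant}.b2clogin.com/{Tenant}.onmicrosoft.com/{SignInPolicy}/v2.0/.well-known/openid-configuration",
                ClientId = ClientId,
                RedirectUri = RedirectUri,
                PostLogoutRedirectUri = RedirectUri,
                ResponseType = "id_token",
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    // Assumed addition: make redirect-back failures visible rather than
                    // letting the request fall through as anonymous.
                    AuthenticationFailed = ctx =>
                    {
                        ctx.HandleResponse();
                        ctx.Response.Redirect("/Error?message=" + ctx.Exception.Message);
                        return Task.FromResult(0);
                    }
                }
            });
        }
    }
}
```

When diagnosing this class of problem, compare the Set-Cookie headers on the POST back from B2C with the cookies the browser actually sends on the following request; with the cookie saver missing, the .AspNet.Cookies value is present in the OWIN response but never reaches the client.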