Azure AD B2C 仅注册自定义策略不会在 .net MVC 应用程序中创建 session cookie

Question

I have .net mvc application which is integrated with Azure B2C using Owin Middleware. Azure AD B2C is setup with a custom signup only policy.

After Signup, id_token is been returned to the .net application. But session cookie is not created. I noticed If click on login again and redirect user B2C,session cookie is created and logged in to the application.

My policy includes following user journey. Do I need to include any additional steps to pass the session cookie to the application after Signup?

<UserJourney Id="SignUp">
      <OrchestrationSteps>   
        <OrchestrationStep Order="1" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="2" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
          </ClaimsExchanges>
        </OrchestrationStep>
         <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />    
      </OrchestrationSteps>
      <ClientDefinition ReferenceId="DefaultWeb" />
    </UserJourney>

Answer 1

"state" property was the key to the solution. Owin middleware maintains the state=OpenIdConnect.AuthenticationProperties%3dHxxxx in the URL.

When the user clicked on the signup link. it was a JavaScript redirect to b2c signup page without the state properties. We had ignored the state property that was auto-generated by the middleware.

After signup when the user was redirected back to the home page. Owin middleware will not create the session as it did not find the original state property it had added in the request.

Its nowhere mentioned that's how OpenIdConnect middleware creates a cookie session. This comment was a bit of clue