
HttpContext.GetOwinContext().Get<string>("Policy") is a global setting, not a per user session setting #138

Open
willfiddes opened this issue Nov 10, 2022 · 1 comment

willfiddes commented Nov 10, 2022

The OwinContext appears to be a global setting, or at least it impacts the next user's session.

  1. User A goes to sign in and HttpContext.GetOwinContext().Get("Policy") gets set with Policy A
  2. User A gets redirected to B2C to sign in.
  3. User B goes to sign in and HttpContext.GetOwinContext().Get("Policy") gets set with Policy B
  4. User B gets redirected to B2C to sign in.
  5. User A completes sign-in and gets redirected back to the app
  6. `notification.OwinContext.Get("Policy")` is now set to Policy B

This causes problems when multiple users are signing in at the same time when there are different B2C policies being used.

So when we try to pass the Policy ID as part of the authority to MSAL `AcquireTokenByAuthorizationCode`, you get this error:
AADB2C90088: The provided grant has not been issued for this endpoint. Actual Value : xxx and Expected Value : yyy'

Suggestion would be to instead grab the tfp/acr claim from the user's id_token and pass that as part of the B2C authority.

For example, one suggestion would be this:

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.Identity.Client;
using Microsoft.Owin.Security.Notifications;

private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification notification)
{
    try
    {
        /*
            The `MSALPerUserMemoryTokenCache` is created and hooked in the `UserTokenCache` used by `IConfidentialClientApplication`.
            At this point, if you inspect `ClaimsPrincipal.Current` you will notice that the Identity is still unauthenticated and it has no claims,
            but `MSALPerUserMemoryTokenCache` needs the claims to work properly. Because of this sync problem, we are using the constructor that
            receives `ClaimsPrincipal` as argument and we are getting the claims from the object `AuthorizationCodeReceivedNotification context`.
            This object contains the property `AuthenticationTicket.Identity`, which is a `ClaimsIdentity`, created from the token received from
            Azure AD and has a full set of claims.
        */
        var cp = new ClaimsPrincipal(notification.AuthenticationTicket.Identity);

        // The policy this user actually signed in with comes from the validated id_token:
        // "tfp" on current B2C tokens, "acr" on older ones. It is per request, not shared state.
        var policyClaim = cp.FindFirst("tfp") ?? cp.FindFirst("acr");
        if (policyClaim == null)
        {
            throw new InvalidOperationException("The id_token contains neither a tfp nor an acr claim.");
        }

        // Use the claim's value, not the Claim object (string.Format would otherwise emit "tfp: <value>").
        var B2CAuthority = string.Format(Globals.AadInstance, Globals.Tenant, policyClaim.Value);

        IConfidentialClientApplication confidentialClient = MsalAppBuilder.BuildConfidentialClientApplication();

        System.Diagnostics.Debug.WriteLine($"OnAuthorizationCodeReceived::confidentialClient.Authority::{confidentialClient.Authority}");

        // Upon successful sign in, get & cache a token using MSAL, against the authority for this user's policy
        AuthenticationResult result = await confidentialClient
            .AcquireTokenByAuthorizationCode(Globals.Scopes, notification.Code)
            .WithB2CAuthority(B2CAuthority)
            .ExecuteAsync();
    }
    catch (Exception ex)
    {
        throw new HttpResponseException(new HttpResponseMessage
        {
            StatusCode = HttpStatusCode.BadRequest,
            ReasonPhrase = $"Unable to get authorization code {ex.Message}."
        });
    }
}
```
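The following is an added, stand-alone example (not part of this issue or of the B2C sample it refers to) showing the per-user approach described above: the policy is resolved from the validated id_token claims of the specific `ClaimsIdentity` handed to the notification, never from shared `OwinContext` state, and the resulting authority is what would be passed to `WithB2CAuthority`. The tenant name, the instance format string and the allow-list of policy names are constructed placeholders standing in for the app's real configuration; the allow-list is an extra check so that a claim value the app was not configured for cannot produce an unexpected authority URL.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

// Hypothetical helper; replace the constants with the app's real configuration.
public static class B2CPolicyResolver
{
    // Constructed placeholder values (not the sample's Globals).
    public const string TenantName = "contoso";
    public const string AadInstanceFormat = "https://{0}.b2clogin.com/{0}.onmicrosoft.com/{1}/v2.0";

    // Policies this app is configured to use. Any other value is rejected.
    private static readonly HashSet<string> AllowedPolicies =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "B2C_1_SignUpSignIn",
            "B2C_1_EditProfile",
            "B2C_1_ResetPassword"
        };

    // Reads the policy from this user's validated id_token claims: "tfp" first,
    // "acr" as the fallback used by older B2C tokens. Because the value travels
    // with the identity, concurrent sign-ins with different policies cannot mix.
    public static string ResolvePolicy(ClaimsIdentity identity)
    {
        if (identity == null) throw new ArgumentNullException(nameof(identity));

        Claim claim = identity.FindFirst("tfp") ?? identity.FindFirst("acr");
        if (claim == null || string.IsNullOrWhiteSpace(claim.Value))
            throw new InvalidOperationException("id_token carries neither a tfp nor an acr claim.");

        if (!AllowedPolicies.Contains(claim.Value))
            throw new InvalidOperationException($"Policy '{claim.Value}' is not configured for this app.");

        return claim.Value;
    }

    // Builds the per-user B2C authority that would be handed to WithB2CAuthority(...).
    public static string BuildAuthority(ClaimsIdentity identity)
    {
        return string.Format(AadInstanceFormat, TenantName, ResolvePolicy(identity));
    }

    public static void Main()
    {
        // Constructed identities mirroring the issue's scenario: two users, two policies.
        var userA = new ClaimsIdentity(
            new[] { new Claim("sub", "user-a"), new Claim("tfp", "B2C_1_SignUpSignIn") }, "B2C");
        var userB = new ClaimsIdentity(
            new[] { new Claim("sub", "user-b"), new Claim("acr", "B2C_1_EditProfile") }, "B2C");

        Console.WriteLine("User A authority: " + BuildAuthority(userA));
        Console.WriteLine("User B authority: " + BuildAuthority(userB));

        // A policy name the app was never configured for is refused rather than used in a URL.
        var unexpected = new ClaimsIdentity(new[] { new Claim("tfp", "B2C_1_NotConfigured") }, "B2C");
        try
        {
            BuildAuthority(unexpected);
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine("Rejected: " + ex.Message);
        }
    }
}
```

Each call to `BuildAuthority` depends only on the `ClaimsIdentity` it is given, which is why interleaving user A's and user B's redirects cannot change which authority user A's code is redeemed against.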
@jmprieur jmprieur added the bug label Nov 11, 2022
jmprieur (Contributor) commented Nov 11, 2022

@jennyf19 : FYI for Id.Web 2.x OWIN b2c web apps
