No idea if you can help with this, but any ideas would be massively appreciated.
I am using your provider and all seems to be OK, except when it calls back into the provider after authenticating with AD it hits this:
```csharp
var state = query["state"];
if (state != userSession.State)
{
    session.IsAuthenticated = false;
    throw new UnauthorizedAccessException("Mismatched state in code response.");
}
```
... and it always fails as .State is null, because the SessionId has changed. Interestingly, the new SessionId is exactly the same as the ID generated in RequestCode:
```csharp
{
    var state = Guid.NewGuid().ToString("N");
    userSession.State = state;
```
At this point I figured maybe something was messed up on our side that was somehow using the 'State' property as the SessionId, so I created a custom AuthUserSession with a different property to store the NewGuid() in, so that I could change the code to:
```csharp
userSession.MyCustomProperty = state;
```
but STILL when I return from AD auth it changes the SessionID to that same guid!
Do you have any idea what we might be doing to cause that to happen, or even just an idea on things I can look at?
If I comment out the check against the state BTW, it all works as expected.
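The failure mode described in this issue, as an added example that is not part of the original post or the provider's code: the state value is saved under the session id seen when the code is requested and looked up again under the session id seen on the callback, so a changed id finds nothing to compare against. `SessionStore`, `BeginAuth`, `ValidateCallback` and the session ids are hypothetical; .NET Core 2.1 or later is assumed for `CryptographicOperations`.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical in-memory stand-in for a server-side session cache (not ServiceStack's API).
class SessionStore
{
    private readonly Dictionary<string, string> stateBySessionId = new Dictionary<string, string>();

    // Mirrors the request step: generate a state value and save it under the current session id.
    public string BeginAuth(string sessionId)
    {
        var state = Guid.NewGuid().ToString("N");
        stateBySessionId[sessionId] = state;
        return state; // sent to the identity provider, echoed back in the callback query
    }

    // Mirrors the callback check: load the state stored for the session id seen on the callback.
    public bool ValidateCallback(string sessionId, string returnedState)
    {
        stateBySessionId.TryGetValue(sessionId, out var expected);
        if (expected == null || returnedState == null)
            return false; // nothing stored under this id: the "State is null" symptom
        stateBySessionId.Remove(sessionId); // a state value is accepted once only
        return CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(expected), Encoding.UTF8.GetBytes(returnedState));
    }
}

static class Program
{
    static void Main()
    {
        var store = new SessionStore();
        var state = store.BeginAuth("session-A"); // constructed session ids

        // Callback arrives under a different session id: no stored state, check fails.
        Console.WriteLine(store.ValidateCallback("session-B", state));
        // Callback arrives under the original session id: state matches, check passes.
        Console.WriteLine(store.ValidateCallback("session-A", state));
        // The same state presented a second time is rejected because it was consumed.
        Console.WriteLine(store.ValidateCallback("session-A", state));
    }
}
```

Logging the session id at both points (where the state is written and where it is read back) shows whether the two steps are running against the same session.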