We have an MVC/AngularJS system with a Web API back-end that uses Azure ACS and AAD to authenticate our users. The authentication works well, and when the user first authenticates the claims from ACS are passed in the token.
We override the ClaimsPrincipal Authenticate method and verify that this user is a user of our system, and add role claims here too.
After this the user is directed to the home page and the next step of the process requires the user to select an item from a list (e.g. their current location).
This selection determines how certain settings are applied in the web application. When the user makes this selection we make an AJAX call to the Web API back-end, and here we add another three claims to the token, reflecting the user's selection.
Now if I refresh the page after this selection has been made, the whole process starts again, but different browsers behave differently.
For Chrome and Opera the 'ClaimsPrincipal Authenticate' is called again, the roles are added again and the user needs to make the selection again to add the three claims (i.e. when the page is refreshed, a copy of the token from before our code modified it is used).
For Firefox and IE the refresh passes in a token with all the claims that we added programmatically, so it didn't revert the token to the initial state.
The latter behaviour is what I would have expected and what I would prefer. Is there any documentation on this, and for Chrome and Opera is there a way to ensure the current token is used when the page is refreshed?
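The two places where the question adds claims, written out as an added example (this is not the asker's code and the question does not show theirs). It assumes the application is on WIF (System.IdentityModel / System.IdentityModel.Services) with ACS as the STS and the SessionAuthenticationModule issuing the session cookie, and that the override described above is of ClaimsAuthenticationManager.Authenticate, the WIF hook that runs when the ACS token is validated. IUserRepository, InMemoryUserRepository, the sample user, and the claim type URIs are hypothetical placeholders constructed for the example. The caveat it illustrates: claims added in Authenticate run before the session token is written and so land in the cookie, whereas claims added to the request principal in a later AJAX call change only that request's in-memory object; the cookie the next request presents carries them only if the session token is rewritten.

```csharp
// Added example, not code from the original question. Assumes WIF with ACS as
// the STS and SessionAuthenticationModule issuing the session cookie. The
// repository types, sample user and claim type URIs below are hypothetical.
using System;
using System.Collections.Generic;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Claims;

public interface IUserRepository
{
    // Roles of a known user, or null if the identity is not a user of this system.
    IList<string> GetRoles(string nameIdentifier);
    // Whether the user may select this location; used to validate the AJAX selection.
    bool MayUseLocation(string nameIdentifier, string locationId);
}

public class InMemoryUserRepository : IUserRepository
{
    // Constructed sample data for a single hypothetical user.
    private static readonly Dictionary<string, string[]> Roles =
        new Dictionary<string, string[]> { { "user-1234", new[] { "Dispatcher", "Reporter" } } };
    private static readonly Dictionary<string, string[]> Locations =
        new Dictionary<string, string[]> { { "user-1234", new[] { "LON", "DUB" } } };

    public IList<string> GetRoles(string nameIdentifier)
    {
        string[] roles;
        return Roles.TryGetValue(nameIdentifier, out roles) ? roles : null;
    }

    public bool MayUseLocation(string nameIdentifier, string locationId)
    {
        string[] allowed;
        return Locations.TryGetValue(nameIdentifier, out allowed) && allowed.Contains(locationId);
    }
}

// Runs when the ACS token is validated, before the session token is written,
// so claims added here are carried in the session cookie on later requests.
// Registered in web.config under <system.identityModel><identityConfiguration>
// as <claimsAuthenticationManager type="AppClaimsAuthenticationManager, YourAssembly" />.
public class AppClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    private readonly IUserRepository _users = new InMemoryUserRepository();

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
            return incomingPrincipal;

        var identity = (ClaimsIdentity)incomingPrincipal.Identity;
        var nameId = identity.FindFirst(ClaimTypes.NameIdentifier);
        var roles = nameId == null ? null : _users.GetRoles(nameId.Value);
        if (roles == null) // authenticated by ACS, but not a user of this application
            throw new SecurityTokenValidationException("Not a user of this application.");

        foreach (var role in roles)
            if (!identity.HasClaim(ClaimTypes.Role, role))
                identity.AddClaim(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, "LOCAL AUTHORITY"));

        return incomingPrincipal;
    }
}

// Called from the Web API action that receives the user's selection.
public static class SelectionClaims
{
    // Hypothetical claim type URIs for the three selection-derived claims.
    public const string LocationId = "http://schemas.example.com/claims/location-id";
    public const string LocationName = "http://schemas.example.com/claims/location-name";
    public const string TimeZone = "http://schemas.example.com/claims/time-zone";

    public static void Apply(ClaimsPrincipal principal, IUserRepository users,
                             string locationId, string locationName, string timeZone)
    {
        var identity = (ClaimsIdentity)principal.Identity;
        var nameId = identity.FindFirst(ClaimTypes.NameIdentifier);
        // Never trust the selection as sent by the browser; check it server-side.
        if (nameId == null || !users.MayUseLocation(nameId.Value, locationId))
            throw new UnauthorizedAccessException("Location not permitted for this user.");

        Replace(identity, LocationId, locationId);
        Replace(identity, LocationName, locationName);
        Replace(identity, TimeZone, timeZone);

        // The principal above is only this request's in-memory object. Re-issue the
        // session token so the added claims are in the cookie on the next request.
        var sam = FederatedAuthentication.SessionAuthenticationModule;
        if (sam != null)
            sam.WriteSessionTokenToCookie(new SessionSecurityToken(principal, TimeSpan.FromHours(8)));
    }

    private static void Replace(ClaimsIdentity identity, string type, string value)
    {
        foreach (var old in identity.FindAll(type).ToList())
            identity.RemoveClaim(old);
        identity.AddClaim(new Claim(type, value));
    }
}
```

WriteSessionTokenToCookie needs the ambient HttpContext, so the Web API action must be hosted in the same IIS application as the SessionAuthenticationModule; the eight-hour lifetime is an illustrative value, not a recommendation.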