Hi Team,
We have an issue which is very intermittent, and we are not able to reproduce it, but here is what is happening.
Our custom policy initially had the user session time set to 24 hours, with a rolling session.
We wanted to have an infinite session so that the user does not need to go through the painful process of entering an OTP in the custom policy flow and logging in again.
So we implemented code that, on every page refresh, makes a call to our custom API to validate the token and check whether the JWT is expired. If it is expired, we make a call to the oauth2/v2.0/authorize endpoint with all the needed parameters (nonce, scope, response_type=code and other things) to get a new token, and Azure returns us the token.
We have also now set ROLLING SESSION in the policy and extended the refresh token to 90 days; the ID token has a 7-day expiry.
The issue we are facing is that, suddenly and intermittently, Azure returns the token of another user, and the whole user is replaced with the other user's claims and data, which is a nightmarish situation.
We feel maybe this is happening when someone's session is expired and they are refreshing their page, and at that time it gives another user's data, but we are unable to reproduce it on our end; it happens with some of the users and
We wanted to know, from the above context, do you feel something is going wrong, and why is that happening?
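A defensive check for the renewal flow described in the post, as an added example that is not part of the original post and not a diagnosis of the reported behaviour: before the client swaps in a token returned from the authorize call, it confirms that the nonce is the one this session sent and that the subject has not changed. The function names and the session object are hypothetical; `sub`, `nonce` and `exp` are standard OIDC claims, and signature, issuer and audience validation are assumed to happen in the backend API the post mentions.

```javascript
// Added example, not code from the original post. Written for Node.js;
// in a browser, replace the Buffer calls with atob/btoa equivalents.

// Decode a JWT payload WITHOUT verifying the signature. Signature, issuer and
// audience checks are assumed to be done by the backend validation API.
function decodePayload(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Decide whether a renewed ID token may replace the one held by this session.
// session (hypothetical shape): { sub, pendingNonce }, stored by this browser
// session before it was redirected to the authorize endpoint.
function checkRenewedToken(session, newIdToken, nowSeconds) {
  let claims;
  try {
    claims = decodePayload(newIdToken);
  } catch (e) {
    return { accept: false, reason: "malformed" };
  }
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds)
    return { accept: false, reason: "expired" };
  // The nonce must be the one this session generated for this request.
  if (!session.pendingNonce || claims.nonce !== session.pendingNonce)
    return { accept: false, reason: "nonce-mismatch" };
  // A silent renewal must never change who the signed-in user is.
  if (claims.sub !== session.sub)
    return { accept: false, reason: "subject-changed" };
  return { accept: true, reason: "ok" };
}

// Builds a constructed, unsigned sample token for exercising the check.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.constructed-signature`;
}
```

Logging every `nonce-mismatch` and `subject-changed` rejection, with the time and the request that triggered the renewal, gives a record of when an unexpected token arrived without the session ever adopting it.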