We have a project in development that uses Azure AD B2C exclusively to authenticate users. I am in the process of preparing some documentation on how the login flow works, tracing it in Fiddler.
For a user that correctly submits their username and password to the form rendered by login.microsoftonline.com, I understand they get an id_token in response, which they then present to our website to have their authentication validated and establish a session.
In Fiddler, I see the POST to ourtenant.onmicrosoft.com which includes the correct username and password. The response body is "{"status":"200"}" with a bunch of set-cookie headers (content omitted for brevity).
x-ms-cpim-slice
x-ms-cpim-dc
x-ms-cpim-cache
x-ms-cpim-trans
Following this, I see a GET to ourtenant.onmicrosoft.com which includes the above cookies, and ourtenant.onmicrosoft.com responds with a blob of HTML which contains the id_token in a hidden field.
My question is, in simple terms, how does Azure AD B2C correlate the correct username/password entry in the first POST to the id_token provided in response to the proceeding GET?
My rookie guess is that it uses the x-ms-cpim-cache cookie and, if so, I just want to understand what it stores and how robustly it's protected.
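As an added illustration (not Azure AD B2C's implementation, and not code from the original post), the following Python models the two-step shape seen in the trace: a credential POST that returns a status object plus cookies, then a GET that exchanges those cookies for an HTML page carrying the id_token in a hidden field. It shows the general way a service can correlate the two requests safely: the cookie holds only a random, HMAC-signed transaction identifier, while the username and result of the password check live in a server-side store, and the entry is short-lived and single-use. Cookie names, the user table, the keys and the HS256 demo token are all placeholders constructed here; a real identity provider signs id_tokens with an asymmetric key published for relying parties to verify.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed example of correlating a credential POST with a later GET via an
# opaque, signed, single-use, short-lived transaction cookie. This is a generic
# model of the pattern, not Azure AD B2C's actual mechanism; every name and
# key below is a placeholder chosen for this illustration.

COOKIE_KEY = secrets.token_bytes(32)   # server secret for signing cookie values (assumed)
TOKEN_KEY = secrets.token_bytes(32)    # stand-in signing key for the demo id_token (assumed)
TX_TTL_SECONDS = 300                   # assumed lifetime of one login transaction

# Server-side store: transaction id -> state. The cookie carries only the id,
# never the username, password, or any claim.
_transactions: Dict[str, dict] = {}

# Constructed demo user table with a salted PBKDF2 hash (not a real tenant).
_DEMO_SALT = b"demo-salt"
_USERS = {"alice@example.com": hashlib.pbkdf2_hmac("sha256", b"correct horse", _DEMO_SALT, 100_000)}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _check_password(username: str, password: str) -> bool:
    stored = _USERS.get(username)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _DEMO_SALT, 100_000)
    return hmac.compare_digest(stored, candidate)


def _sign_cookie(tx_id: str) -> str:
    """Cookie value = transaction id + HMAC so a tampered id is detectable."""
    mac = hmac.new(COOKIE_KEY, tx_id.encode(), hashlib.sha256).digest()
    return f"{tx_id}.{_b64url(mac)}"


def _verify_cookie(value: str) -> Optional[str]:
    """Return the transaction id if the cookie's MAC is valid, else None."""
    try:
        tx_id, _mac = value.rsplit(".", 1)
    except ValueError:
        return None
    return tx_id if hmac.compare_digest(_sign_cookie(tx_id), value) else None


def _demo_id_token(subject: str, now: float) -> str:
    """Build an HS256 JWT as a stand-in; a real IdP signs with an asymmetric key."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": subject, "iat": int(now), "exp": int(now) + 3600}).encode())
    sig = hmac.new(TOKEN_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def handle_credential_post(username: str, password: str, now: Optional[float] = None) -> Tuple[dict, dict]:
    """Step 1: check credentials, open a transaction, return status plus cookies."""
    now = time.time() if now is None else now
    if not _check_password(username, password):
        return {"status": "401"}, {}
    tx_id = secrets.token_urlsafe(24)  # random and unguessable; no user data inside
    _transactions[tx_id] = {"sub": username, "expires": now + TX_TTL_SECONDS}
    return {"status": "200"}, {"login-tx": _sign_cookie(tx_id)}


def handle_token_get(cookies: dict, now: Optional[float] = None) -> Tuple[int, Optional[str]]:
    """Step 2: resolve the cookie to server-side state and emit the id_token form."""
    now = time.time() if now is None else now
    tx_id = _verify_cookie(cookies.get("login-tx", ""))
    if tx_id is None:
        return 400, None                       # missing or tampered cookie
    state = _transactions.pop(tx_id, None)     # single use: a replayed GET fails
    if state is None or state["expires"] < now:
        return 400, None                       # unknown or expired transaction
    token = _demo_id_token(state["sub"], now)
    html = ('<form method="post" action="https://rp.example/signin-oidc">'
            f'<input type="hidden" name="id_token" value="{token}"></form>')
    return 200, html


if __name__ == "__main__":
    status, cookies = handle_credential_post("alice@example.com", "correct horse")
    print(status, cookies)
    print(handle_token_get(cookies))           # 200 and the hidden-field form
    print(handle_token_get(cookies))           # (400, None): transaction already consumed
```

The properties worth checking in a design like this are the ones the question is really about: the cookie must carry no credential material, it must not be forgeable (the HMAC), it must not be guessable (random id), and the server-side entry must expire and be consumed on first use so a captured cookie has a very short window of usefulness. The example rejects a tampered cookie, a replayed cookie and an expired transaction, and refuses to open a transaction at all on a bad password.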