We are currently in the process of transitioning from forms authentication to Azure AD B2C (ADB2C). Our web application is developed using the MVC C# framework and .NET Standard. We have successfully integrated ADB2C login into the application utilising OWIN; however, we seek further clarification to ensure we proceed correctly with this implementation. (Our primary objective is to incrementally upgrade our web application to .NET Core. For the time being, we are focused on integrating ADB2C into the existing MVC application, with plans to migrate to .NET Core in the future.)
During our integration with OWIN, we have encountered challenges in obtaining the access token during the OpenID Connect authorization code receive event. Our preliminary research indicates that the access token may not be necessary for the login process. Additionally, we have effectively utilised the Graph API to update and create user accounts while correctly acquiring the endpoint. We would appreciate your insight on whether this approach is suitable for a .NET MVC application.
In addition, our research has revealed that MSAL (Microsoft Authentication Library) is capable of managing access tokens and session expiry. We would like to understand whether MSAL can be effectively utilised in a standard .NET MVC application or if it is preferable to continue utilising OWIN.
Finally, we are currently implementing custom claims; however, we have noticed that the middleware is rewrapping these claims with each request. We have concerns that our reliance on custom claims may lead to complications in the future.
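For reference, the pattern the question describes (OWIN OpenID Connect middleware signing the user in with the id_token, MSAL redeeming the authorization code in the AuthorizationCodeReceived notification) looks like the following. This is an added illustration, not the poster's code; the tenant name, policy, scope, redirect URI and the Startup/ConfigureAuth layout are placeholders, and it assumes the Microsoft.Owin.Security.OpenIdConnect and Microsoft.Identity.Client packages.

```csharp
// Startup.Auth.cs: added illustration, not the poster's code; tenant, policy, scope, secret are placeholders
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
public partial class Startup
{
    // Placeholder B2C settings; read the real values from configuration, never hard-code the secret.
    private const string ClientId = "<client-id>";
    private const string ClientSecret = "<client-secret>";
    private const string RedirectUri = "https://localhost:44316/";
    private const string ApiScope = "https://contoso.onmicrosoft.com/api/read";
    private const string Authority =
        "https://contoso.b2clogin.com/tfp/contoso.onmicrosoft.com/B2C_1_signupsignin";
    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            MetadataAddress = Authority + "/v2.0/.well-known/openid-configuration",
            ClientId = ClientId,
            RedirectUri = RedirectUri,
            // The id_token signs the user in; the code is redeemed server-side for the API token.
            ResponseType = OpenIdConnectResponseType.CodeIdToken,
            Scope = "openid offline_access " + ApiScope,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthorizationCodeReceived = OnAuthorizationCodeReceived
            }
        });
    }

    // Runs after the middleware has validated the id_token. Redeeming the code with MSAL keeps
    // the access and refresh tokens in MSAL's token cache instead of in the cookie's claims.
    private static async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification n)
    {
        IConfidentialClientApplication cca = ConfidentialClientApplicationBuilder.Create(ClientId)
            .WithClientSecret(ClientSecret)
            .WithB2CAuthority(Authority)
            .WithRedirectUri(RedirectUri)
            .Build();
        AuthenticationResult result = await cca
            .AcquireTokenByAuthorizationCode(new[] { ApiScope }, n.Code)
            .ExecuteAsync();
        // result.AccessToken is usable now; later requests call AcquireTokenSilent with result.Account.
    }
}
```

Keeping the access token in MSAL's cache rather than in a custom claim means the authentication cookie only carries identity, and token renewal (AcquireTokenSilent with the refresh token) works without re-signing the cookie on every request.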