APEX 2, Social-SignIn, ENABLE_DYNAMIC_ROLES, app authorization failure propagates to next attempt

AndyH, Jan 19 2022

I am using Social-SignIn/Generic OAuth2 (Microsoft AD and 'common' tenant) to authenticate users.
During Post-Authentication I use APEX_UTIL.ENABLE_DYNAMIC_ROLES to set the user's roles as checked from an internal table against the authenticated user details.
The application authorization has 'Source for Role or Group Schemes' set to 'Custom Code', the authorization schemes are of the form 'Is in Role or Group', 'Custom' and then a role as created by ENABLE_DYNAMIC_ROLES.
The Authorization Scheme for the application checks for the user having an 'ApplicationUser' role and the error message uses '&APP_USER.' so that I can see 'who' has been refused.
This works as expected for 'known' users.
If an 'unknown' user logs in, they are authenticated by MS but the post-authentication process doesn't assign any roles. The Authorization Scheme then 'fails' and the user is refused access and gets the standard 'Access denied by Application security check' box with the OK button.
They are then returned to the MS 'Trying to log you in/Pick an account'. If they then log in as a 'known' user, they still get a 'not authorised' error showing the previous user. It appears that this is because they are using the same APEX session (although the authorization is set to no-cache / per page view), or maybe I've misconfigured something on the AD authentication process and the failed user is 'persisting'?
This is probably an edge-case as not many people will try to access the application with multiple MS accounts, but I'd like to know how to deal with this cleanly.
Any ideas?
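For reference, the post-authentication pattern described above, written out as an added example (this is not code from the post or from Oracle APEX itself). It assumes a constructed table app_user_roles (user_name, role_name) and that the procedure is registered as the authentication scheme's Post-Authentication Procedure Name; the procedure name and table are assumptions for illustration.

```plsql
-- Added example: post-authentication procedure that grants dynamic roles
-- from an application table. Assumed (constructed) table:
--   app_user_roles (user_name VARCHAR2(255), role_name VARCHAR2(64))
-- Register this procedure under the authentication scheme's
-- "Post-Authentication Procedure Name".
CREATE OR REPLACE PROCEDURE post_auth_assign_roles
IS
    -- APP_USER is populated by the Social Sign-In scheme before this runs
    l_user  VARCHAR2(255)   := UPPER(v('APP_USER'));
    l_roles apex_t_varchar2 := apex_t_varchar2();
BEGIN
    -- Collect only the roles recorded for this user.
    -- An unknown (authenticated but unregistered) account yields an empty list.
    SELECT role_name
      BULK COLLECT INTO l_roles
      FROM app_user_roles
     WHERE UPPER(user_name) = l_user;

    -- Grant exactly what the table says; no default role is ever added,
    -- so an empty list means the 'ApplicationUser' scheme denies access.
    apex_util.enable_dynamic_roles(p_role_names => l_roles);

    -- Leave a trace in the debug log for every sign-in, refused ones included.
    apex_debug.info('post-auth: user %s granted %s role(s)', l_user, l_roles.count);
END post_auth_assign_roles;
/
```

The authorization scheme on the application then stays as described in the post ('Is in Role or Group', Custom, role 'ApplicationUser'); role membership comes only from the table, so a user who is not listed there is refused deterministically rather than through any implicit default.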
