The "happens only the first time" error was because this is done by ProfileModule, which only kicks in if you log in. The next request, you're already authenticated then it won't happen anymore.

However it's very strange. Quicksilver is currently using AspNetIdentity and we have no such problem. Would you mind posting your web.config here?

https://github.com/episerver/Quicksilver/blob/master/Sources/EPiServer.Reference.Commerce.Shared/Identity/SiteUser.cs 

Web.config is quite big. Something specific I should look at?

Probably no - I wanted to make sure everything is correct. But it seems that for commerce site you should/must have the SiteUser as I posted above. My suspicion is this method

public async Task<ClaimsIdentity> GenerateUserIdentityAsync(UserManager<SiteUser> manager)
{
// Note the authenticationType must match the one defined in CookieAuthenticationOptions.AuthenticationType
var userIdentity = await manager.CreateIdentityAsync(this, DefaultAuthenticationTypes.ApplicationCookie);

// Add custom user claims here
userIdentity.AddClaim(new Claim(ClaimTypes.Email, Email));

if (!String.IsNullOrEmpty(FirstName))
{
userIdentity.AddClaim(new Claim(ClaimTypes.GivenName, FirstName));
}

if (!String.IsNullOrEmpty(LastName))
{
userIdentity.AddClaim(new Claim(ClaimTypes.Surname, LastName));
}
return userIdentity;
}

is needed. 

Haven't tried it, thought 

Besides adding the SiteUser class a couple of things needs to be in place in order to get ASP.NET identity to work with Commerce Manager, which are currently (3/3-2018) not mentioned in the documentation on "Support for OpenID Connect in Episerver Commerce" (https://world.episerver.com/documentation/developer-guides/commerce/security/support-for-openid-connect-in-episerver-commerce/).

So the full recipie to get ASP.NET with Commerce Manager is the following:

1. Follow the documentation on "Support for OpenID Connect in Episerver Commerce" (https://world.episerver.com/documentation/developer-guides/commerce/security/support-for-openid-connect-in-episerver-commerce/).
2. Add the SiteUser class to your project (https://github.com/episerver/Quicksilver/blob/master/Sources/EPiServer.Reference.Commerce.Shared/Identity/SiteUser.cs)
3. Add the files Login.aspx.cs, Login.aspx.designer.cs and Logout.aspx.cs from the Quicksilver EPiServer.Reference.Commerce.Manager project (https://github.com/episerver/Quicksilver/tree/master/Sources/EPiServer.Reference.Commerce.Manager) 
4. Add the UpdateLoginPage build task from the EPiServer.Reference.Commerce.Manager.csproj to your Commerce Manager project csproj file.
5. If you are not using version 11.8.1 it may be necessary to remove the panel with id RegisterPanel from the Apps\Shell\Pages\Login.aspx file. At least it is necessary for version 10.8 and below. One way of removing the panel is to extend the UpdateLoginPage build task with the following lines.

// Remove RegisterPanel in order to avoid Membership provider not found error when using OWIN authentication 
var pageFile = File.ReadAllText(pagePath); 
var panelRegEx = new Regex("<asp:Panel ID=\"RegisterPanel\".*?</asp:Panel>", RegexOptions.Singleline); 
pageFile = panelRegEx.Replace(pageFile, string.Empty, 1); 
File.WriteAllText(pagePath, pageFile);

I have written the Episerver support and suggested the official documentation is updated.

@rfj Having the same issue, I got it working with ApplicationUser, and without going through the OpenID Connect steps (minus cleaning out the membership/role providers in Web.config). But I would still be spinning on it without your write up. Thank you!