Vulnerability in EPiServer.Forms
We recently tried replacing our ADFS authentication with Azure AD in our on-prem Episerver installation (11.14 version). I followed the recipe in the documentation to the letter and copied the code for Startup.cs mostly unchanged. The authentication itself worked brilliantly, but I noticed the server-side page load time went from good to absolutely terrible. We're talking 20-40 ms before the change to 400+ ms after, for no apparent reason. What makes it even more bizarre is that it only affected our servers that are not running the admin panel (we have separate servers for the publicly available site and "epiadmin" servers that are only accessible from inside our network, but both are running the same code although with slightly different web.configs). We're seeing the same performance issue in dev, test and production environments, but not when running the site locally. Error logs are empty as well.
Just in case, I've tried a few different major versions of the Microsoft.Owin and Microsoft.IdentityModel packages since these were installed and/or upgraded at the same time, but it didn't change anything. I've also made sure we're on v1.0.4 of Microsoft.IdentityModel.Protocol.Extensions to avoid the thread hang bug, as the documentation warns about.
I'm all out of ideas at this point, so I'm hoping some of you have brilliant suggestions for fixing this or even figuring out why it happens in the first place :)
Brainstorming a few:
Maybe some custom visitor group that checks roles / user per request?
Some caching that no longer works because users are now logged in with the new solution? (Content Output cache only works if not logged in, for example)