Not able to map SSN during first login #58

Open
mikaelkaron opened this issue Aug 27, 2024 · 10 comments · Fixed by #59
Labels: bug

@mikaelkaron (Contributor):

Describe the bug

Following the instructions in #57 I managed to get the user SSN mapped into the access_token, but not until the second login.

To Reproduce
Steps to reproduce the behavior:

  1. Create a local account with the email [email protected], set password
  2. Log on with BankID, say your email is [email protected]
  3. When asked, re-auth using password to link
  4. Auth token does not contain SSN

Expected behavior
The second time I log in I have the SSN mapped and everything works. I'd expect this to work the first time as well.

Environment:

  • OS: [Alpine linux, dockerized]
  • Keycloak version: [25.0.2]
  • Version of BankID 4 Keycloak: [master]

Additional context

Could it be related to this Reddit thread?

@ullgren (Contributor) commented Aug 30, 2024

Thanks for the report.
Yes it could be the same issue as in the discussion you link to.
I will have a look and see if I can reproduce (should not be an issue with your details).

However, also note that if/when you use only username/password to authenticate, the SSN will not be present since it is taken from the login session we do with BankID. As such, if you permit a user to choose to use username/password instead of BankID to login, then it is expected behavior that the SSN is not present in the session notes.

ullgren added a commit that referenced this issue Sep 3, 2024
@ullgren (Contributor) commented Sep 3, 2024

@mikaelkaron I think I managed to reproduce and fix the issue. Can you please build the PR #59 branch and check if this solves your issue?

@ullgren ullgren self-assigned this Sep 3, 2024
@ullgren ullgren added the bug Something isn't working label Sep 3, 2024
ullgren added a commit that referenced this issue Sep 3, 2024
ullgren added a commit that referenced this issue Sep 19, 2024
@mikaelkaron (Contributor, Author):

I see it's in master. I'll pull/build and report back.

@ullgren (Contributor) commented Sep 19, 2024

Thanks, you can also find a precompiled jar here: https://github.com/sweid4keycloak/bankid4keycloak/packages/1828253

@ullgren ullgren reopened this Sep 19, 2024
@mikaelkaron (Contributor, Author):

Did a local test but still able to reproduce. Did I mess it up? I built from master

@ullgren (Contributor) commented Sep 19, 2024

Yeah my changes should be in master.
But perhaps I was not able to reproduce the same issue as you see then.

@mikaelkaron (Contributor, Author):

Ok, now I'm sure I've tested with your version as I'm using the pre-built package:

sh-5.1$ ls -la /opt/keycloak/providers/
total 1312
drwxrwxr-x 1 keycloak root    4096 Sep 19 20:17 .
drwxr-xr-x 1 keycloak root    4096 Sep 19 20:18 ..
-rw-r--r-- 1 keycloak root 1324172 Sep 19 20:14 bankid4keycloak-25.1.0-20240919.104557-6.jar
-rw-rw-r-- 1 keycloak root     256 Jul 18 06:52 README.md

@mikaelkaron (Contributor, Author):

Let's see if you're doing it the same way as I am.

  • I already have an account with the email [email protected] as the email.
  • I've installed the bankid provider and configured it for test

[screenshots of the BankID login and account-linking flow, not reproduced here]

When doing this I get this access_token

{
  "exp": 1726778016,
  "iat": 1726777716,
  "auth_time": 1726777715,
  "jti": "6a1c4ee7-73de-4d81-af51-8540f472c5be",
  "iss": "https://keycloak.local/realms/elivery-b2c",
  "aud": "account",
  "sub": "3f585c40-68c1-4386-ae2f-ce1f4195a796",
  "typ": "Bearer",
  "azp": "elivery-auth",
  "sid": "02dd331c-b0eb-4683-b4e0-700838b06845",
  "acr": "1",
  "allowed-origins": [
    "*"
  ],
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "openid profile email",
  "email_verified": true,
  "roles": [
    "offline_access",
    "uma_authorization",
    "user",
    "default-roles-elivery-b2c"
  ],
  "name": "Mikael Karon",
  "preferred_username": "mikael",
  "given_name": "Mikael",
  "family_name": "Karon",
  "email": "[email protected]"
}

When you decode that you can see there's no SSN

So I log out/in and now this is my access_token (SSN obfuscated):

{
  "exp": 1726778221,
  "iat": 1726777921,
  "auth_time": 1726777921,
  "jti": "ee146cec-de28-4f7e-b823-cf13485f6ba3",
  "iss": "https://keycloak.local/realms/elivery-b2c",
  "aud": "account",
  "sub": "3f585c40-68c1-4386-ae2f-ce1f4195a796",
  "typ": "Bearer",
  "azp": "elivery-auth",
  "sid": "c339587e-b5a0-4826-9d16-af8fb8e5a8de",
  "acr": "1",
  "allowed-origins": [
    "*"
  ],
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "openid profile email",
  "email_verified": true,
  "roles": [
    "offline_access",
    "uma_authorization",
    "user",
    "default-roles-elivery-b2c"
  ],
  "name": "Mikael Karon",
  "preferred_username": "mikael",
  "given_name": "Mikael",
  "family_name": "Karon",
  "email": "[email protected]",
  "ssn": "197900000000"
}

@mikaelkaron (Contributor, Author):

I hope it helps with the screenshots. I don't know all the possible flows you can take when linking an account so I figured it could help with some clarification.

@ullgren (Contributor) commented Sep 20, 2024

Yes thanks, this is slightly different than the use case I tested.
In my case I did not start out with an existing user on the first login, rather the user was created by the initial bankid login.

I guess the second login, using password, that you perform will most likely clear the user session notes and this is why the information does not persist.
I will look into it but it might be that a User attribute mapper (see #12 ) will be needed to solve this.
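As an added check (example code, not part of the bankid4keycloak project), a small Python script that decodes an access token payload without verifying it and reports whether the `ssn` claim the BankID session should contribute is present, so the first-login case described in this thread can be caught as a regression test; the two embedded tokens are constructed, unsigned stand-ins modelled on the payloads quoted above.

```python
import base64
import json

# Constructed, unsigned sample tokens modelled on the two access_token
# payloads quoted in the issue (first login after linking, then second login).
# They are built here for illustration only; no signature is produced or checked.

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(payload: dict) -> str:
    """Build a header.payload.signature string with an empty signature segment."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    return f"{header}.{body}."

def decode_payload(token: str) -> dict:
    """Decode only the payload segment. This does NOT verify the signature;
    it is for inspecting claims while debugging, never for making authz decisions."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    body = parts[1]
    body += "=" * (-len(body) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(body))

# Claims the mapper is expected to add once a BankID session note exists.
REQUIRED_AFTER_BANKID = ("ssn",)

def missing_claims(token: str, required=REQUIRED_AFTER_BANKID) -> list:
    """Return the required claims that are absent or empty in the token."""
    claims = decode_payload(token)
    return [c for c in required if not claims.get(c)]

def claim_diff(first: str, second: str) -> dict:
    """Which claim names appear in only one of two tokens (e.g. login 1 vs login 2)."""
    a, b = decode_payload(first), decode_payload(second)
    return {"only_in_first": sorted(set(a) - set(b)),
            "only_in_second": sorted(set(b) - set(a))}

# "[email protected]" is the redacted address as it appears in the issue.
FIRST_LOGIN = make_unsigned_jwt({"sub": "3f585c40-68c1-4386-ae2f-ce1f4195a796",
                                 "email": "[email protected]", "preferred_username": "mikael"})
SECOND_LOGIN = make_unsigned_jwt({"sub": "3f585c40-68c1-4386-ae2f-ce1f4195a796",
                                  "email": "[email protected]", "preferred_username": "mikael",
                                  "ssn": "197900000000"})

if __name__ == "__main__":
    print("first login missing:", missing_claims(FIRST_LOGIN))   # ['ssn']
    print("claim diff:", claim_diff(FIRST_LOGIN, SECOND_LOGIN))
```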
