Overview
Complete the migration of self-identified (SI) user flows off SBL Bridge ahead of the decommission deadline (2026-06-19). This closes the SI-user portion of the gaps catalogued in #2006: credential validation (C) and provisioning (D/E).
Scope
C — SI-user credential validation (no toggle, no replacement)
authentication/api/siuser POST → UserProfileService.ValidateCredentialsAsync- Called by
SelfIdentifiedAuthenticationController (SI-user credential check).
- Currently has no feature toggle and no register-based replacement. A replacement and/or toggle is required before SBL Bridge can be turned off.
D/E — SI-user provisioning (partially gated)
profile/api/users/ POST → UserProfileService.GetUserprofile/api/users/create/ POST → UserProfileService.CreateUser- The register-based replacement (
RegisterUserProvisioningClient.GetOrCreateUser → register/api/v2/internal/parties/self-identified) is wired in only for OidcServerService (gated by RegisterSelfIdentifiedUserProvisioning at OidcServerService.cs:1514 and :1570).
- Gap:
AuthenticationController.IdentifyOrCreateAltinnUser (AuthenticationController.cs:1089-1116) still calls GetUser (:1096) and CreateUser (:1112) unconditionally — not behind the flag, not using the register replacement.
- Note (person lookup):
AuthenticationController.cs:830 calls GetUser(pid) for a PID/SSN person lookup. This is not SI provisioning — flag it for a decision on whether it belongs here or with the core A2 flows in the companion issue.
Tasks
References
Overview
Complete the migration of self-identified (SI) user flows off SBL Bridge ahead of the decommission deadline (2026-06-19). This closes the SI-user portion of the gaps catalogued in #2006: credential validation (C) and provisioning (D/E).
Scope
C — SI-user credential validation (no toggle, no replacement)
authentication/api/siuserPOST →UserProfileService.ValidateCredentialsAsyncSelfIdentifiedAuthenticationController(SI-user credential check).D/E — SI-user provisioning (partially gated)
profile/api/users/POST →UserProfileService.GetUserprofile/api/users/create/POST →UserProfileService.CreateUserRegisterUserProvisioningClient.GetOrCreateUser→register/api/v2/internal/parties/self-identified) is wired in only forOidcServerService(gated byRegisterSelfIdentifiedUserProvisioningatOidcServerService.cs:1514and:1570).AuthenticationController.IdentifyOrCreateAltinnUser(AuthenticationController.cs:1089-1116) still callsGetUser(:1096) andCreateUser(:1112) unconditionally — not behind the flag, not using the register replacement.AuthenticationController.cs:830callsGetUser(pid)for a PID/SSN person lookup. This is not SI provisioning — flag it for a decision on whether it belongs here or with the core A2 flows in the companion issue.Tasks
RegisterSelfIdentifiedUserProvisioning(or the register replacement) toAuthenticationController.IdentifyOrCreateAltinnUserso the unconditionalGetUser/CreateUsercalls no longer hit SBL Bridge when enabled.SelfIdentifiedAuthenticationController/ValidateCredentialsAsync.GetUser(pid)person lookup atAuthenticationController.cs:830.RegisterUserProvisioningClient(returnsnullon failure; OIDC path aborts sign-in on null) before enabling broadly.RegisterSelfIdentifiedUserProvisioningper environment (default isfalseinappsettings.json).References