Skip to main content

Runbook — LumisCare "Unable to load your account" (Entra B2B + JIT/DB mapping) — 2026-06-02

Runbook — LumisCare "Unable to load your account" (Entra B2B + JIT/DB user mapping)

Date: 2026-06-02 · Evidence: /tmp/evidence-session-fe5379ce/ · Env: ALAI demo (Azure tenant 3454a03f, rg-lumiscare-demo) · App: app.lumiscare.com, appId e422174a-24a6-4889-b66c-f6c483b8631f

Symptom

After login, the backoffice shows "Unable to load your account — We could not retrieve your user information." Rendered by frontend/packages/shared-ui/src/components/layout/AccountInfoLoader.tsx when the GET /users/about-me query (in useAccountStore.ts) errors.

Root cause (NOT a password problem)

A Microsoft Entra B2B / admin-consent / backend user-mapping problem. A logged-in guest ([email protected], Entra OID f9275cf4-…) authenticated, but was not correctly provisioned/mapped to a LumisCare DB user + org, so /users/about-me could not return a usable account.

What is NOT the cause (verified, do not chase again)

  • Backend GET /api/v1/users/about-me returns HTTP 200 with a valid shape for a correct token.
  • CORS is fine — CorsConfig uses allowedHeaders("*"), app.lumiscare.com allowed, credentials true; OPTIONS preflight → 200.
  • Frontend env is correct — LUMISCARE_CLIENT_ID / LUMISCARE_BACKEND_CUSTOMER_CLIENT_ID = e422174a, scope api://e422174a/api.
  • Data exists/service-users = 15, /hr/employees = 10 for org f714cc2f.
  • Deployed tree = frontend/packages/backoffice + shared-ui (NOT legacy frontend/web/).

Fix (live, in order)

  1. Entra B2B invite (re)issued for [email protected]lumiscare-b2b-invite.json / alem-fresh-invite.txt.
  2. MSAL config confirmed correct for app.lumiscare.comuat-login-diagnosis.md.
  3. Admin consent grant repaired for the LumisCare app:
    • scope: api openid profile offline_access, consentType=AllPrincipals
    • Grant ID: Tucgg8C0XUKt_DONAFF0Tk7nIIPAtF1CrfwzjQBRdE4
  4. Backend BFF/JIT + DB user mapping (the decisive step — frontend deploy/JIT merge alone was NOT enough):
    • [email protected] promoted directly in Postgres: DB id eccfeb0c-0b12-4439-9b99-33a12f9110c5, status ACTIVE, org f714cc2f-a0fc-4e47-9164-baa540fd820f (Sunshine Home Care LLC), role system_admin.
    • JWT linkage: Entra OID f9275cf4-… → DB user UUID (via JIT).
    • Backend revs: identity --0000008 (issuer URI + audience GUID match), web-bff --0000032 (audience-permissive + /users alias), Hibernate ddl-auto=update for schema drift.

Proof

  • bff-about-me-success.txtHTTP=200, org f714cc2f, account eccfeb0c…, email mapped from OID.
  • alem-user-record-promoted.txt → promoted DB record.

Key lesson

For a new Entra guest, a frontend deploy / JIT merge is not sufficient. A working login requires the backend chain: Entra B2B membership + admin consent + identity-service JIT + an ACTIVE DB user mapped to an org. When "Unable to load account" recurs for a new user → check the DB user + org mapping and admin consent, not the password or the frontend.

  • Demo enablement temporarily relaxed identity-service security; track revert + proper app-roles (MC #102747).

No comments to display

Back to top