BankID login on same device failing #49

Open
CirruZZ opened this issue Mar 17, 2022 · 5 comments


CirruZZ commented Mar 17, 2022

I'm using the master branch and the example code from https://github.com/walle89/SwedbankJson/blob/master/docs/mobileBankIdSample.php

<?php
session_start();

require_once '../vendor/autoload.php';

if (!isset($_GET['authType']))
{
    echo '<strong>Select Mobile BankID Method</strong><br><a href="?authType=0">QR Code</a> - <a href="?authType=1">Same Device</a>';
    exit;
}

$bankApp    = 'swedbank';   // Select bank app
$auth       = null;
$sameDevice = (bool)$_GET['authType'];
try
{
    // Step 1 - Start the authentication process
    if (!isset($_SESSION['swedbankjson_auth']))
    {
        $appData = new SwedbankJson\AppData($bankApp, __DIR__.'/AppData.json');
        $auth    = new SwedbankJson\Auth\MobileBankID($appData);

        $auth->sameDevice($sameDevice);
        $auth->initAuth();

        if ($sameDevice)
        {
            // Automatic redirect back to this script from the BankID app. Replace "null" with the URL of this script,
            // e.g. "http://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}" (note: HTTP_HOST comes from the request and
            // should be validated against your own host name before it is used as a redirect target).
            $redirectURL = urlencode('null');

            $bankIdAppUrl = sprintf('https://app.bankid.com/?autostarttoken=%s&redirect=%s', $auth->getAutoStartToken(), $redirectURL);

            echo '<strong>Instructions: Sign in with Mobile BankID on same device</strong>';
            printf('
                <ol>
                    <li><a href="%s">Use this link to authenticate in BankID app</a></li>
                    <li>Go back to this page and reload it</li>
                </ol>',
                htmlspecialchars($bankIdAppUrl, ENT_QUOTES, 'UTF-8') // escape before placing the URL in an attribute
            );
        }
        else
        {
            // Need to reload page
            echo '<meta http-equiv="refresh" content="0">';
        }
        exit;
    }

    // Step 2 - Verify authentication
    $auth = unserialize($_SESSION['swedbankjson_auth']);

    if (!$auth->verify())
    {
        if ($sameDevice)
        {
            echo '<p>Waiting for verification. This page will update automatically.</p>';
        }
        else
        {
            // Reload page once per 2 seconds.
            echo '<meta http-equiv="refresh" content="2">';

            echo '<strong>Instructions</strong>
                  <ol>
                      <li>Open the BankID app</li>
                      <li>Press "Scan QR code" and scan the QR code below.</li>
                      <li>Done, this page will update automatically.</li>
                  </ol>';
            printf(
                '<img src="data:image/png;base64,%s" style="max-width:100%%">',
                base64_encode($auth->getChallengeImage())
            );
        }
        exit;
    }

    // Step 3 - You are in!
    $bankConn = new SwedbankJson\SwedbankJson($auth);
} catch (Exception $e)
{
    exit($e->getMessage());
}

// Example of account details call. See documentation for details.
echo '<h1>Account details</h1><pre>';
print_r($bankConn->accountDetails());

// Sign out. If you want to keep the session to next page load, remove this line.
$bankConn->terminate();

The problem is that after entering my PIN in the BankID app and then reloading the page I get the following in response.
general (1): LOGIN_FAILED - Något gick fel med ditt BankID. Vänligen försök igen. ("Something went wrong with your BankID. Please try again.")

Logging in remotely with a QR code does work.

How do I debug the issue?

walle89 (Owner) commented Mar 17, 2022

I have managed to reproduce your issue on my end. It seems that Swedbank or BankID have changed something, but I haven't figured out what yet. In other words, I don't think there's anything wrong with your code as far as I can see.

I will continue to try to figure out a fix.

walle89 added the bug label Mar 17, 2022

CirruZZ (Author) commented Mar 17, 2022

Thanks, good to know.

I'm always thinking that it is me that is doing something wrong, at least it is so most of the time. :-)

walle89 (Owner) commented Apr 11, 2022

Sorry for the slow response, I haven't managed to figure out what's wrong with same device authentication.

I have checked both BankID's technical integration guide and the traffic in one of Swedbank's apps, but neither has given me a clue about what's wrong with my implementation of it or what has changed since the last time I tested it.

My current theory
The $redirectURL in the code above is based on BankID's documentation; it was my best guess at how Swedbank created their Universal Link to open up the BankID app and redirect the user back to the app. My best guess is that Swedbank somehow has restricted the callback URL to make sure it must be the same as the one the app is setting for redirectUrl. Or the redirectUrl is part of the verification process of opening the BankID app.

The thing is I don't know what this URL is. Universal Links are routed locally in iOS and don't show up in any logs as far as I can tell. I managed to figure out the base structure of it (Swedbank private app: 5NUR73FYP7.se.swedbank.iphonebanken, Sparbanken private app: 9RQ85E6NA2.se.sparbankerna.mobilbankenprivat).

If you or anyone can assist me in the investigation of this, I would appreciate it.
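The comments above concern how the same-device launch URL (autostarttoken plus redirect) is put together. The following is an added example, not code from SwedbankJson or from either participant. It assumes the two launch URL shapes from BankID's public relying-party documentation (the https://app.bankid.com/ universal link that the sample uses, and the bankid:/// custom scheme), that the autostart token is a UUID, and a hypothetical allowlisted origin https://example.test; the token value and redirect target below are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not part of SwedbankJson): build a BankID same-device launch
// URL and constrain the redirect parameter to an origin we control.

/**
 * Build the BankID launch URL.
 * $scheme 'universal' => https://app.bankid.com/?autostarttoken=...&redirect=...
 * $scheme 'custom'    => bankid:///?autostarttoken=...&redirect=...
 * A null $redirect emits the literal "null", which the sample above uses to
 * mean "no automatic return, the user goes back to the page by hand".
 */
function buildBankIdLaunchUrl(string $autoStartToken, ?string $redirect, string $scheme = 'universal'): string
{
    // The token is a UUID; refuse anything else before it is placed in a URL.
    if (!preg_match('/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i', $autoStartToken)) {
        throw new InvalidArgumentException('autoStartToken is not a UUID');
    }
    $base = ($scheme === 'custom') ? 'bankid:///' : 'https://app.bankid.com/';

    // http_build_query with RFC 3986 encoding percent-encodes the redirect
    // (":" "/" "?" "&" "=") so it survives as a single parameter value.
    return $base . '?' . http_build_query([
        'autostarttoken' => $autoStartToken,
        'redirect'       => $redirect ?? 'null',
    ], '', '&', PHP_QUERY_RFC3986);
}

/**
 * Accept a return URL only if it is https and its origin is in a fixed
 * allowlist. The sample suggests "http://{$_SERVER['HTTP_HOST']}..." as the
 * redirect; HTTP_HOST is taken from the request's Host header, so deriving
 * the redirect from it lets a client choose where BankID sends the user back.
 */
function safeRedirectUrl(string $candidate, array $allowedOrigins): ?string
{
    $p = parse_url($candidate);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    if (strtolower($p['scheme']) !== 'https') {
        return null;
    }
    $origin = 'https://' . strtolower($p['host']) . (isset($p['port']) ? ':' . $p['port'] : '');
    return in_array($origin, $allowedOrigins, true) ? $candidate : null;
}

/** Parse a launch URL back into its parameters (useful when comparing against captured app traffic). */
function parseBankIdLaunchUrl(string $url): array
{
    $query = parse_url($url, PHP_URL_QUERY) ?? '';
    parse_str($query, $params);
    return $params;
}

// Constructed sample values (hypothetical token and return page).
$token  = '7c40b5c9-8a1e-4f2b-9c3d-1e2f3a4b5c6d';
$return = safeRedirectUrl('https://example.test/login.php?authType=1', ['https://example.test']);
$url    = buildBankIdLaunchUrl($token, $return);

// Escape before placing the URL in an HTML attribute, as in the sample's <a href>.
printf('<a href="%s">Open BankID</a>' . PHP_EOL, htmlspecialchars($url, ENT_QUOTES, 'UTF-8'));

// Round trip: the redirect must come back out unchanged after decoding.
$parsed = parseBankIdLaunchUrl($url);
assert($parsed['autostarttoken'] === $token);
assert($parsed['redirect'] === $return);

// A redirect derived from an untrusted host is rejected rather than embedded.
assert(safeRedirectUrl('https://attacker.test/login.php', ['https://example.test']) === null);
assert(safeRedirectUrl('http://example.test/login.php', ['https://example.test']) === null);
```

This does not change what the bank's API accepts, so it cannot by itself resolve the LOGIN_FAILED response discussed in the thread; it only makes the client side of the launch URL explicit and keeps the redirect target under the site's control, which is the part of the flow a relying party can verify locally.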

CirruZZ (Author) commented Jun 20, 2023

I'm revisiting this issue, any news or clues?

Unfortunately I have nothing to contribute, this is above my knowledge.

walle89 (Owner) commented Jun 20, 2023

No, I haven't actively worked on this issue for a while now. I don't know how to currently move this issue forward. I need to understand what the Universal Links look like or what the redirect URLs are supposed to look like.
