First Broker Login only creates one account & all other logins get that user info

I am setting up our legacy application as an IdP. When a user goes to the new site (Angular 13), it sends them to Keycloak, which immediately redirects the user to the legacy site for authentication. Once the user is authenticated, it redirects them back to Keycloak, which creates a local account and then everything is fine.

The problem is whatever account is first created is the only account that will ever exist. If I open the app in incognito, the same flow happens. The new app redirects to Keycloak which immediately redirects to the legacy app. The user logs in, I create a code, send that back to Keycloak, it calls for that token & I return a new object with the JWT in it.

Then the pages redirect, but Keycloak only sends me the first account information. It never creates a 2nd account, and it doesn’t matter who I log in as, I’m always going to be the first account.

I assume this is because I’ve set something up incorrectly (or the Keycloak Angular plug-in I’m using is bad), but I don’t know how to troubleshoot this.


Figured out my own issue.

When I was setting the token, I was applying the issuer to the subject claim. The sub is supposed to be the unique user ID from the OD side. Because it was being set to a URL, every account that came across was linked by a fixed string, thus, only 1 account.
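To make the failure mode in the answer concrete, here is an added example (not code from the original post or from the legacy application it describes). It mints a minimal HS256 ID token two ways, once with the issuer URL copied into `sub` as in the bug, once with the user's stable ID, and runs both through a small simulation of how an OIDC broker links a federated identity to a local account by the `(iss, sub)` pair. The issuer URL, the shared secret, the user IDs and the e-mail addresses are all constructed values; only the Python standard library is used, so it runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example (hypothetical, not from the original post).
ISSUER = "https://legacy.example.test"   # the legacy app acting as IdP
HS256_SECRET = b"example-shared-secret"  # HMAC key used only for this demo


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_id_token(sub: str, email: str, name: str) -> str:
    """Mint a minimal HS256-signed ID token in the standard header.payload.signature layout."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    payload = {
        "iss": ISSUER,
        "sub": sub,
        "aud": "keycloak-broker-client",  # hypothetical client id registered in Keycloak
        "iat": now,
        "exp": now + 300,
        "email": email,
        "name": name,
    }
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(HS256_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def buggy_token(user_id: str, email: str, name: str) -> str:
    """The mistake from the post: the issuer URL lands in `sub`, so user_id is never used."""
    return mint_id_token(sub=ISSUER, email=email, name=name)


def fixed_token(user_id: str, email: str, name: str) -> str:
    """The fix: `sub` carries the legacy system's stable, unique user identifier."""
    return mint_id_token(sub=user_id, email=email, name=name)


def decode_claims(token: str) -> dict:
    """Verify the HS256 signature and return the payload claims."""
    head, body, sig = token.split(".")
    expected = hmac.new(HS256_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))


def sub_is_plausible(token: str) -> bool:
    """Sanity check an IdP can run on its own tokens: `sub` must be non-empty
    and must not simply repeat the issuer (the exact symptom in the post)."""
    claims = decode_claims(token)
    sub = claims.get("sub", "")
    return bool(sub) and sub != claims.get("iss")


def broker_link(tokens) -> dict:
    """Simulate a broker that links federated identities by (iss, sub).
    The first token seen for a key creates the local account; later logins
    with the same key are mapped onto that existing account."""
    accounts = {}
    for tok in tokens:
        claims = decode_claims(tok)
        key = (claims["iss"], claims["sub"])
        accounts.setdefault(key, {"email": claims["email"], "name": claims["name"]})
    return accounts


if __name__ == "__main__":
    users = [("u-1001", "alice@example.test", "Alice"), ("u-1002", "bob@example.test", "Bob")]
    print("buggy:", broker_link([buggy_token(*u) for u in users]))  # one account: Alice's
    print("fixed:", broker_link([fixed_token(*u) for u in users]))  # two accounts
```

With the buggy tokens both logins share the key `(ISSUER, ISSUER)`, so Bob's login resolves to the account first created for Alice, which is exactly the "always the first account" behaviour in the question. The `sub_is_plausible` check is the cheap guard an IdP can apply before issuing a token, catching the issuer-in-sub mix-up at the source.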