Service Layer · high complexity · mobile, backend
Dependencies: 2 · Dependents: 1 · Entities: 1 · Integrations: 1

Description

Manages the BankID authentication lifecycle through a third-party BankID broker. Initiates the BankID session, validates the resulting assertion token server-side via Supabase Edge Function, and creates or links the authenticated Supabase user identity.

Feature: BankID and Vipps Login

bankid-auth-service

Summaries

The BankID Authentication Service provides the highest level of legally recognized identity verification available in Norway, enabling the organization to onboard users with full trust in their stated identity. BankID is mandatory in many regulated contexts and its integration positions the platform to serve public-sector, financial, and compliance-sensitive use cases. By delegating assertion validation to a server-side Supabase Edge Function, the system ensures that identity claims cannot be tampered with on the client, reducing fraud liability and supporting regulatory audit trails. This component is a key enabler for accessing regulated markets and building institutional trust with enterprise and government customers.

High complexity component with a split execution model: the mobile client initiates the BankID session, while the backend Edge Function performs server-side assertion validation. This creates a cross-team dependency, since both the mobile developers and the backend/infrastructure team must coordinate for correct end-to-end delivery. The BankID broker integration requires vendor onboarding, test credentials, and sandbox access; these procurement steps should be started early to avoid blocking development. Testing must cover broker error codes, assertion token expiry, session cancellation, and Supabase user creation/linking edge cases.

Security and compliance review is non-negotiable. Deployment requires the Edge Function to be deployed and accessible before the mobile flow can complete, making infrastructure readiness a hard dependency.

Manages the BankID authentication lifecycle via a third-party broker. `initiateBankIdSession` contacts the broker to open a session scoped to the given org. The mobile client renders the broker's BankID UI and receives an assertion token on completion. `validateAssertionToken` forwards this token to a Supabase Edge Function which performs server-side cryptographic validation, returning a BankIdIdentity with verified claims.

`linkBankIdToSupabaseUser` either creates a new Supabase auth user or links the BankID identity to an existing account based on the verified claims. `cancelSession` handles user-initiated or timeout-driven cancellations. `getBankIdErrorMessage` maps broker error codes to localized user-facing strings. Depends on bankid-provider-client for broker HTTP transport and auth-session-manager for session state.

The Edge Function boundary is critical: all trust decisions must occur server-side, and the client-supplied assertion token is treated as untrusted input until the Edge Function has verified it. Monitor broker API versioning carefully, as assertion token formats may evolve.
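The server-side validation step behind `validateAssertionToken`, as an added TypeScript example that is not the project's own Edge Function code: the broker issuer URL, the audience (assumed to carry the orgId), the claim names `sid`, `sub` and `name`, and the shared HS256 demo secret are all assumptions, since the broker's real token format is not specified on this page.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";
import { Buffer } from "node:buffer";

// Constructed values for this example. A real broker signs assertions with an asymmetric
// key published via JWKS; a shared HS256 secret is used here only to keep the example offline.
const BROKER_SECRET = "demo-broker-secret-not-for-production";
const EXPECTED_ISSUER = "https://broker.example.test"; // assumed broker issuer URL
const EXPECTED_AUDIENCE = "org-42";                    // assumed: aud carries the session's orgId

export interface BankIdIdentity { subject: string; name: string; orgId: string; sessionId: string }

const b64url = (s: string): string => Buffer.from(s).toString("base64url");
const sign = (data: string, key: string): string =>
  createHmac("sha256", key).update(data).digest("base64url");

function decodeJson(segment: string): Record<string, unknown> {
  try { return JSON.parse(Buffer.from(segment, "base64url").toString("utf8")); }
  catch { throw new Error("malformed_token"); }
}

// Test helper: mints a constructed assertion in the shape the validator expects.
export function mintAssertion(claims: Record<string, unknown>, key = BROKER_SECRET): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(claims));
  return `${header}.${body}.${sign(`${header}.${body}`, key)}`;
}

// Edge Function side: every trust decision happens here, never in the mobile client.
// The token is bound to the session the backend opened (sid), so a token from another
// session, an expired one, or one signed with the wrong key is rejected.
export function validateAssertionToken(
  token: string, sessionId: string, now = Math.floor(Date.now() / 1000),
): BankIdIdentity {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed_token");
  const [header, body, sig] = parts;
  if (decodeJson(header).alg !== "HS256") throw new Error("unexpected_alg"); // no alg=none
  const expected = Buffer.from(sign(`${header}.${body}`, BROKER_SECRET));
  const actual = Buffer.from(sig);
  if (expected.length !== actual.length || !timingSafeEqual(expected, actual)) {
    throw new Error("bad_signature");
  }
  const claims = decodeJson(body); // claims are only read after the signature check
  if (claims.iss !== EXPECTED_ISSUER) throw new Error("bad_issuer");
  if (claims.aud !== EXPECTED_AUDIENCE) throw new Error("bad_audience");
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("token_expired");
  if (claims.sid !== sessionId) throw new Error("session_mismatch");
  return { subject: String(claims.sub), name: String(claims.name),
           orgId: String(claims.aud), sessionId: String(claims.sid) };
}
```

The thrown error names stand in for the broker error codes that `getBankIdErrorMessage` would map to localized strings; the constructed `mintAssertion` helper exists only so the validator can be exercised without a broker.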

Responsibilities

  • Initiate BankID authentication session with the configured broker
  • Validate BankID assertion token via Supabase Edge Function for server-side trust
  • Create or link Supabase auth user based on verified BankID identity
  • Handle BankID error codes and map to user-facing messages

Interfaces

initiateBankIdSession(orgId: String): Future<BankIdSession>
validateAssertionToken(token: String): Future<BankIdIdentity>
linkBankIdToSupabaseUser(bankIdIdentity: BankIdIdentity): Future<void>
cancelSession(sessionId: String): Future<void>
getBankIdErrorMessage(errorCode: String): String

Relationships

Dependencies (2)

Components this component depends on

Dependents (2)

Components that depend on this component

Related Data Entities (1)

Data entities managed by this component

Used Integrations (1)

External integrations and APIs this component relies on

API Contract

REST /api/v1/auth/bankid (6 endpoints)

  • GET /api/v1/auth/bankid/sessions: List BankID sessions for current user
  • POST /api/v1/auth/bankid/sessions: Initiate a new BankID authentication session
  • GET /api/v1/auth/bankid/sessions/:session_id: Get BankID session by ID
  • POST /api/v1/auth/bankid/sessions/:session_id/validate: Validate BankID assertion token and extract identity
  • POST /api/v1/auth/bankid/link: Link verified BankID identity to Supabase user account
  • DELETE /api/v1/auth/bankid/sessions/:session_id: Cancel an active BankID session