BankID Provider Client
Component Detail
Description
Integration client for the third-party BankID broker service. Manages session initiation requests, WebView URL generation, and assertion token validation calls routed through a Supabase Edge Function for server-side trust establishment.
bankid-provider-client
Summaries
The BankID Provider Client integrates Norway's national digital identity standard, enabling users to authenticate with the highest available trust level — equivalent to a legally recognized electronic signature. This unlocks access to regulated use cases, enterprise customers, and public-sector integrations that require verified identity. By validating assertions in a server-side function rather than on the mobile client, the system keeps the verification keys and the trust decision out of reach of a compromised device, so a forged or tampered token is rejected before any session is granted; this satisfies compliance requirements for strong authentication and directly reduces legal and regulatory risk for the business.
This is the highest-complexity authentication component in the system, spanning both mobile and backend execution contexts and depending on a Supabase Edge Function for server-side trust establishment. Delivery requires coordination across the mobile team and backend infrastructure, plus a contractual relationship with a third-party BankID broker. Key risks include broker onboarding lead time, Edge Function deployment pipeline readiness, and WebView rendering across target devices. Testing must cover session creation, WebView redirect flows, assertion validation, cancellation, and all mapped error codes.
Plan for an extended integration testing phase against the BankID test environment.
This client orchestrates a multi-step BankID authentication flow across mobile and backend boundaries. `createSession` initiates a session with the configured broker (requires an `orgId`), returning a `BankIdSession` used by `getRedirectUrl` to produce a WebView URI for the native BankID UI. After the user completes identity verification, the assertion token is forwarded via `validateToken` to a Supabase Edge Function, which performs server-side cryptographic validation and returns a typed `BankIdValidationResult` — keeping private keys and trust logic off the device. `cancelSession` supports clean abort flows.
Error codes are mapped to structured types via `getErrorDescription`, decoupling UI error handling from raw broker responses.
Responsibilities
- Request a new BankID session from the configured broker
- Generate the WebView/redirect URL for the BankID UI
- Forward assertion tokens to Supabase Edge Function for server-side validation
- Map BankID error codes to structured error types
Interfaces
createSession(orgId: String): Future<BankIdSession>
getRedirectUrl(session: BankIdSession): Uri
validateToken(assertionToken: String): Future<BankIdValidationResult>
cancelSession(sessionId: String): Future<void>
getErrorDescription(code: String): String
Relationships
Used Integrations (1)