Vipps Authentication Service
Component Detail
Description
Orchestrates the full Vipps Login OAuth 2.0 PKCE flow. Generates authorization URLs, exchanges authorization codes for tokens, extracts the personnummer from the userinfo endpoint, and persists the identity data to Supabase. Coordinates cost sharing across organizations.
vipps-auth-service
Summaries
The Vipps Authentication Service enables frictionless, trusted identity verification by leveraging Norway's most widely adopted mobile payment and identity platform. By integrating Vipps Login, the organization eliminates the need for manual identity onboarding, reduces fraud risk through government-grade identity assurance, and accelerates user activation. Retrieving the personnummer directly from Vipps allows automatic membership validation and cross-organization cost sharing, which reduces administrative overhead and improves revenue accuracy. This directly improves user experience, lowers support costs, and strengthens regulatory compliance around identity verification.
This component is high complexity and spans both the mobile client and backend, so delivery must be coordinated across both layers. It depends on the Vipps API Client, Auth Session Manager, and User Identity Repository, meaning a delay in any of those components blocks this service. The PKCE OAuth 2.0 flow requires careful handling of the authorization code (single use, short lived), the code verifier (generated per login, kept in the session held by the Auth Session Manager, and never placed in the authorization URL) and the state parameter (bound to that session and checked on the callback before the code is exchanged), all of which need thorough integration testing against the Vipps sandbox environment. Security review is mandatory before release.
Plan for at least one full sprint for implementation and a dedicated testing cycle. Deployment requires Vipps merchant credentials configured per organization, an operational dependency that must be coordinated with stakeholders ahead of go-live; the credentials are backend secrets and must not be embedded in the mobile client.
Implements the full OAuth 2.0 Authorization Code flow with PKCE for Vipps Login. The `buildAuthorizationUrl` method constructs the authorization URI with the scopes openid, address, phoneNumber and nin (the nin scope is not available by default and must be enabled on the merchant account by Vipps). After the redirect, `exchangeCodeForTokens` POSTs the code and code_verifier to the Vipps token endpoint and returns a VippsTokenSet; it must only be called once the state returned on the redirect has been matched to the pending login session. `fetchUserInfo` calls the Vipps userinfo endpoint with the access token to retrieve the nin claim (personnummer).
`persistPersonnummer` writes the nin to the Supabase user profile and triggers membership system updates. The nin is a sensitive national identifier: it should be validated before it is stored, written only through user-identity-repository, and kept out of columns that client-side queries can read. Token revocation via `revokeTokens` and per-org configuration checks via `isVippsConfiguredForOrg` round out the interface. Depends on vipps-api-client for HTTP transport, auth-session-manager for PKCE state management, and user-identity-repository for Supabase writes. High maintenance surface: Vipps API changes require prompt updates to token parsing and userinfo field mapping.
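The PKCE and state handling described above, as an added example in TypeScript (the backend language is not stated on this page, and this is not the project's own code). It covers what happens between `buildAuthorizationUrl` and the POST made by `exchangeCodeForTokens`: verifier and S256 challenge generation, the authorization URL, the state and expiry checks on the callback, and the token request body. The `VippsOrgConfig` and `PkceSession` types, the endpoint hostnames and the ten-minute session lifetime are assumptions for the example; real endpoint URLs come from the Vipps OIDC discovery document, and client authentication with the per-org merchant credentials is left to the HTTP transport.

```typescript
// Added example, not the project's code. Types, hostnames and the session TTL
// are assumptions; Vipps endpoint URLs come from its OIDC discovery document.
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

export interface VippsOrgConfig {
  clientId: string;
  redirectUri: string;            // must exactly match a URI registered with Vipps
  authorizationEndpoint: string;  // from /.well-known/openid-configuration
}

// What the login session keeps between the redirect and the callback.
// Only `state` travels through the browser; verifier and nonce never do.
export interface PkceSession {
  state: string;
  nonce: string;
  codeVerifier: string;
  createdAt: number; // ms since epoch
}

export const VIPPS_SCOPES = ["openid", "address", "phoneNumber", "nin"] as const;
const SESSION_TTL_MS = 10 * 60 * 1000; // assumed lifetime of a pending login

// RFC 7636 section 4.1: 43..128 chars of [A-Za-z0-9-._~]; 32 random bytes -> 43 base64url chars.
export function newCodeVerifier(): string {
  return randomBytes(32).toString("base64url");
}

// RFC 7636 section 4.2, S256: BASE64URL(SHA-256(ASCII(code_verifier))), unpadded.
export function codeChallengeS256(codeVerifier: string): string {
  return createHash("sha256").update(codeVerifier, "ascii").digest("base64url");
}

export function newSession(now: number = Date.now()): PkceSession {
  return {
    state: randomBytes(16).toString("base64url"),
    nonce: randomBytes(16).toString("base64url"),
    codeVerifier: newCodeVerifier(),
    createdAt: now,
  };
}

export function buildAuthorizationUrl(cfg: VippsOrgConfig, s: PkceSession): string {
  const u = new URL(cfg.authorizationEndpoint);
  u.searchParams.set("response_type", "code");
  u.searchParams.set("client_id", cfg.clientId);
  u.searchParams.set("redirect_uri", cfg.redirectUri);
  u.searchParams.set("scope", VIPPS_SCOPES.join(" "));
  u.searchParams.set("state", s.state);                // CSRF binding, checked on callback
  u.searchParams.set("nonce", s.nonce);                // must reappear in the ID token's nonce claim
  u.searchParams.set("code_challenge", codeChallengeS256(s.codeVerifier));
  u.searchParams.set("code_challenge_method", "S256"); // never "plain"
  return u.toString();
}

function equalsConstantTime(a: string, b: string): boolean {
  const ab = Buffer.from(a, "utf8");
  const bb = Buffer.from(b, "utf8");
  return ab.length === bb.length && timingSafeEqual(ab, bb);
}

export type CallbackResult =
  | { ok: true; code: string }
  | { ok: false; reason: string };

// Checks to run on the redirect back from Vipps before any call to the token endpoint.
export function validateCallback(query: URLSearchParams, s: PkceSession, now: number = Date.now()): CallbackResult {
  const err = query.get("error");
  if (err) return { ok: false, reason: `vipps returned error=${err}` };
  const state = query.get("state");
  if (!state || !equalsConstantTime(state, s.state)) return { ok: false, reason: "state mismatch" };
  if (now - s.createdAt > SESSION_TTL_MS) return { ok: false, reason: "login session expired" };
  const code = query.get("code");
  if (!code) return { ok: false, reason: "authorization code missing" };
  return { ok: true, code };
}

// Form body of the token request. Client authentication (the per-org merchant
// credentials) is added by the HTTP transport and is deliberately not part of this body.
export function buildTokenRequestBody(cfg: VippsOrgConfig, s: PkceSession, code: string): string {
  return new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: cfg.redirectUri,
    code_verifier: s.codeVerifier,
  }).toString();
}
```

The callback check runs before the token exchange so that a forged or replayed redirect never costs a round trip to Vipps; the session is looked up by the login's own identifier, and the state from the query string is compared to the stored value rather than used as the lookup key. The session should be deleted once the code has been exchanged, whether or not the exchange succeeds.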
Responsibilities
- Build Vipps OAuth 2.0 PKCE authorization URL with correct scopes (openid, address, phoneNumber, nin)
- Exchange authorization code for access and ID tokens via Vipps token endpoint
- Call Vipps userinfo endpoint to retrieve personnummer (nin claim)
- Persist retrieved personnummer to Supabase user profile and trigger membership system update
- Handle token refresh and error responses from Vipps API
Interfaces
buildAuthorizationUrl(orgId: String): Uri
exchangeCodeForTokens(code: String, codeVerifier: String): Future<VippsTokenSet>
fetchUserInfo(accessToken: String): Future<VippsUserInfo>
persistPersonnummer(userId: String, nin: String): Future<void>
revokeTokens(accessToken: String): Future<void>
isVippsConfiguredForOrg(orgId: String): bool
Relationships
Dependencies (3)
Components this component depends on: vipps-api-client, auth-session-manager, user-identity-repository
Dependents (3)
Components that depend on this component