Implement BankID session initiation and challenge request
epic-bankid-vipps-login-services-task-007 — Build the BankID Authentication Service session initiation: call the BankID Provider Client to start an authentication session, retrieve the challenge/reference and BankID app launch URL, handle the deep link to the BankID app, and persist the session reference for later assertion polling.
Acceptance Criteria
Technical Requirements
Execution Context
Tier 3 - 413 tasks
Can start after Tier 2 completes
Implementation Notes
BankID in Norway uses a REST-based OIDC flow. The initiation creates an 'order' server-side; the mobile client receives an autoStartToken used to launch the BankID app. Implement the Edge Function as POST /functions/v1/bankid-initiate, which calls the BankID API and returns {sessionId, autoStartToken, qrCodeUri} to the mobile client. On Flutter side: store sessionId → launch deep link → start 3-minute Dart Timer → navigate to a 'Waiting for BankID' screen.
The waiting screen should show an animated spinner and a cancel button. The QR code fallback is important for users who authenticate with BankID on a desktop browser — display the qrCodeUri via qr_flutter. Ensure the BankID autoStartToken deep link format matches the Norwegian BankID specification: bankid:///?autostarttoken={token}&redirect={encoded_redirect_uri}. The redirect URI after BankID completion should route back to the app and trigger task-008.
Testing Requirements
Unit tests (flutter_test): mock Edge Function response with a valid sessionId and autoStartToken, verify flutter_secure_storage.write() is called and url_launcher receives the correct BankID URI. Test QR code fallback: when url_launcher returns false (app not installed), verify QRCodeWidget receives the QR URI. Test timeout: advance timer mock past 3 minutes, verify AuthState.error and storage cleared. Test cancellation: tap cancel, verify Edge Function cancellation is called and storage cleared.
Integration tests: call the BankID Edge Function in sandbox environment, verify sessionId returned. Security tests: verify sessionId is not present in any debug logs or analytics events. Target 90%+ branch coverage.
The PKCE OAuth flow requires the code verifier to survive an app backgrounding during the Vipps redirect, which can trigger OS memory pressure and clear in-memory state. If the verifier is lost between authorization request and callback, the token exchange fails and the user is stranded with a confusing error.
Mitigation & Contingency
Mitigation: Store the PKCE code verifier in AuthTokenStore (Flutter Secure Storage) immediately after generation, before launching the Vipps redirect. Clear it only after a successful or explicitly failed token exchange.
Contingency: If state loss occurs in production, implement a retry flow that generates a new PKCE pair and restarts the authorization URL request, with a user-visible 'Try again' prompt rather than a generic error.
Resuming a Supabase session after biometric verification requires the session token to still be valid. If the session has expired in the background (e.g., after a long device offline period), biometric success will not produce a valid session, and the user will see a confusing 'Face ID worked but still logged out' experience.
Mitigation & Contingency
Mitigation: Before presenting the biometric prompt, check session token expiry. If expired, skip biometrics and route directly to full BankID/Vipps re-authentication. Only offer biometric re-auth if the stored refresh token is still within its validity window.
Contingency: If session expiry during biometric flow occurs in production, implement a graceful transition message ('Your session has expired — please log in again') that preserves the user's last-used authentication method preference.
BankID and Vipps may return different user identifiers (personnummer, phone number, sub claim) that must be correctly linked to an existing Supabase auth user. If the linking logic has edge cases (e.g., user previously registered via email/password), duplicate Supabase accounts may be created.
Mitigation & Contingency
Mitigation: Design the identity linking logic with explicit disambiguation: check for existing users by personnummer before creating a new Supabase identity. Implement the linking via Supabase Edge Function to keep the logic server-side and auditable.
Contingency: Implement an admin-facing account merge tool in the admin portal to resolve duplicate accounts if they occur. Add a Supabase unique constraint on the personnummer field to make duplicates fail loudly rather than silently.
The Vipps nin (personnummer) scope requires explicit approval from Vipps as part of the merchant agreement. If this scope approval is not in place before the production release, the Vipps flow will succeed but return no personnummer, making the primary business value (membership data gap fill) non-functional without user-visible error.
Mitigation & Contingency
Mitigation: Apply for Vipps nin scope approval as part of the merchant onboarding process, well before Phase 2 launch. Implement the service to gracefully handle absent nin claims and show users a clear message if personnummer could not be retrieved.
Contingency: If nin scope is delayed, ship the Vipps login flow without personnummer write-back first (delivering login value immediately) and add personnummer sync as a post-approval update with no UI changes required.