BankID OIDC / REST API
Authentication Provider Integration by Bits AS (on behalf of Norwegian banks)
Description
BankID is Norway's national electronic identity solution used for high-assurance first-time user authentication and identity verification. It allows the app to verify the legal identity of peer mentors and coordinators at onboarding, enabling population of national identity numbers (personnummer) in member systems and satisfying Norwegian data integrity requirements for voluntary organisation reporting.
Detailed Analysis
BankID is Norway's national electronic identity infrastructure, operated by Bits AS on behalf of the Norwegian banks, and the most widely used high-assurance eID in the Norwegian market. By integrating BankID OIDC, the platform can verify the legal identity of peer mentors and coordinators at onboarding to a high level of assurance, enabling accurate population of national identity numbers (personnummer) in member systems and satisfying mandatory Norwegian data integrity requirements for voluntary organisation reporting to government bodies. This removes self-asserted identity from the onboarding path, which substantially reduces identity fraud risk, and gives Norwegian users the familiar authentication experience they expect. The per-transaction pricing model with Bits AS means authentication costs scale directly with new user onboarding volume, making cost predictable.
From a compliance standpoint, BankID processing of personnummer is governed by GDPR, requiring a documented Data Processing Agreement and an explicit lawful basis, which establishes a compliant foundation for the government reporting obligations. BankID publishes a 99.9% availability target, and Vipps Login is configured as an automatic fallback, so no single provider outage blocks sign-in.
Integrating BankID requires upfront establishment of a merchant agreement with Bits AS, a contractual and administrative step that can take several weeks and must be prioritised early in the project timeline. Technical prerequisites include OIDC client registration, configuration of BANKID_CLIENT_ID, BANKID_CLIENT_SECRET and BANKID_REDIRECT_URI, environment selection (test/prod, each with its own issuer URL), and a PKCE implementation for the mobile client. The client secret belongs to the backend auth service only; the mobile app is a public client and must never ship with it. Five components depend on this integration: the BankID auth screen (018), auth service (022), provider client (028), auth method selector (016), and personnummer confirmation widget (020). Testing must cover the BankID app redirect flow on physical iOS and Android devices, session timeout handling, user cancellation paths, and fallback activation to Vipps Login.
The GDPR requirement for a documented lawful basis for personnummer processing adds a legal workstream that must be coordinated with the organisations' data protection officers. Ongoing maintenance includes monitoring authentication success rates (alert threshold: below 90%) and tracking BankID service degradation via status.bankid.no.
BankID exposes an OpenID Connect 1.0 provider over HTTPS (REST endpoints), used here with the OAuth 2.0 authorization code flow plus PKCE (S256). PKCE is mandatory for the mobile client: the callback arrives on a deep link, and without a code verifier an app that hijacks that link could redeem the authorization code. The request also carries a random state value (checked when the callback arrives) and a nonce (checked inside the ID token), and the ID token is verified against the JWKS published in the issuer's discovery document and checked for iss, aud and exp before any claim is trusted. Required scopes are openid, profile, and nnin (national identity number). Configuration requires the BANKID_CLIENT_ID, BANKID_CLIENT_SECRET, and BANKID_ISSUER_URL environment variables, with separate test and prod environments. The OIDC discovery endpoint (BANKID_ISSUER_URL plus /.well-known/openid-configuration) must be polled as a health check, and the issuer value in the returned document must match BANKID_ISSUER_URL exactly.
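The authorization request, callback check and claim validation described above, as an added example in Python; this is not code from the page, Bits AS or the project. The helper names, the /authorize endpoint path and the per-attempt `pending` record are assumptions; the scopes and environment variable names come from the page. It is stdlib-only so it runs offline; signature verification of the ID token against the issuer's JWKS is a JOSE-library step that must run before `validate_id_token_claims` and is not reproduced.

```python
"""Authorization code + PKCE login against a BankID OIDC provider.
Added example, not code from the page, Bits AS or the project. Assumed: the
helper names, the endpoint paths and the per-attempt `pending` record. The
scopes and variable names are the page's. ID token signature verification
against the issuer's JWKS (a JOSE library job) must precede
validate_id_token_claims and is not reproduced here."""
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

SCOPES = "openid profile nnin"


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    # 32 random bytes encode to 43 unreserved characters, the RFC 7636 minimum.
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_request(authorize_endpoint: str, client_id: str, redirect_uri: str):
    """Returns (url, pending). `pending` stays with whoever receives the callback
    (app or backend session); only the derived code_challenge goes to BankID."""
    verifier = new_code_verifier()
    state = secrets.token_urlsafe(32)   # binds the callback to this attempt (CSRF)
    nonce = secrets.token_urlsafe(32)   # must come back inside the ID token (replay)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": SCOPES,
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    pending = {"verifier": verifier, "state": state, "nonce": nonce, "started": time.time()}
    return f"{authorize_endpoint}?{urlencode(params)}", pending


def parse_callback(redirect_url: str, pending: dict) -> str:
    """Check the redirect (deep link) from BankID and return the code.
    A state mismatch is rejected before any code is exchanged."""
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("state", [None])[0] != pending["state"]:
        raise ValueError("state mismatch: callback does not belong to this login")
    if "error" in query:
        raise RuntimeError(f"provider returned error={query['error'][0]}")
    return query["code"][0]


def build_token_request(code: str, pending: dict, client_id: str,
                        client_secret: str, redirect_uri: str) -> dict:
    """Form body for the token endpoint, built in the backend auth service.
    BANKID_CLIENT_SECRET never ships in the mobile binary, which is a public
    client and contributes only the PKCE verifier."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,   # must equal the one in the auth request
        "client_id": client_id,
        "client_secret": client_secret,
        "code_verifier": pending["verifier"],
    }


def validate_id_token_claims(claims: dict, issuer: str, client_id: str,
                             pending: dict, now=None) -> dict:
    """Claim checks on a signature-verified ID token: iss, aud, exp, nonce."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("ID token not issued for this client")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("ID token expired")
    if claims.get("nonce") != pending["nonce"]:
        raise ValueError("nonce mismatch: possible token replay")
    return claims


if __name__ == "__main__":
    # Dry run with constructed values; nothing is sent to BankID.
    url, pending = build_authorization_request(
        "https://issuer.example/authorize", "demo-client", "https://app.example/bankid/callback")
    print(url)
    code = parse_callback(f"https://app.example/bankid/callback?code=demo&state={pending['state']}", pending)
    print(build_token_request(code, pending, "demo-client", "<server-side secret>",
                              "https://app.example/bankid/callback"))
```

The split between `build_authorization_request` and `build_token_request` mirrors the component chain on the page: the app holds the PKCE verifier and state, the backend auth service holds the client secret and performs the exchange. The sample redirect is an https URL rather than a custom scheme because RFC 8252 recommends claimed https app links for native apps, which the platform pins to a verified domain.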
Authentication flows through components 028 (BankID provider client) → 022 (BankID auth service) → 018 (BankID auth screen), with the personnummer confirmation widget (020) consuming the returned nnin claim. Error handling covers three scenarios: session timeout (retry prompt), user cancellation (graceful return to the auth method selector without an error state), and BankID unavailability (automatic fallback to Vipps Login, component 021). Before the fallback is enabled, confirm that a Vipps Login session meets the same identity-assurance requirement as BankID for populating personnummer; if it does not, the fallback should let the user sign in but defer the nnin-dependent onboarding steps until BankID is available again. Personnummer is never stored in plaintext: it is encrypted at rest. The tokens returned by BankID are not persisted; only the application's own derived JWTs are retained. The latency requirement is under 10 seconds for the full flow including the app redirect.
Monitor authentication success rate and time-to-authenticate; alert on success rate dropping below 90% or OIDC discovery endpoint failure.
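The three error scenarios, the discovery health check and the 90% alert from the two paragraphs above, as an added example in Python (not code from the page, Bits AS or the project). It assumes that BankID signals user cancellation with the standard OAuth 2.0 `access_denied` error code, that the caller supplies a `fetch_json` callable for the HTTP GET, and a 200-sample sliding window; the three scenarios and the 90% threshold come from the page, and the sample discovery document is constructed.

```python
"""Callback classification, discovery health check and success-rate alerting
for a BankID OIDC integration. Added example, not code from the page or Bits AS.
Assumptions: cancellation arrives as OAuth 2.0 `access_denied` (not confirmed by
the page), `fetch_json` is supplied by the caller, window/min-sample sizes are
illustrative, SAMPLE_DISCOVERY is constructed."""
from collections import deque
from enum import Enum


class Outcome(Enum):
    SUCCESS = "success"
    TIMEOUT = "timeout"           # page: show a retry prompt
    CANCELLED = "cancelled"       # page: return to the auth method selector, no error state
    UNAVAILABLE = "unavailable"   # page: fall back to Vipps Login
    FAILURE = "failure"           # anything else: log it, show a generic error


# Standard OAuth 2.0 / OIDC error codes (RFC 6749 4.1.2.1, OIDC Core 3.1.2.6).
_ERROR_MAP = {
    "access_denied": Outcome.CANCELLED,          # assumption: user pressed cancel in the BankID app
    "login_required": Outcome.CANCELLED,
    "temporarily_unavailable": Outcome.UNAVAILABLE,
    "server_error": Outcome.UNAVAILABLE,
}


def classify_callback(query: dict, started: float, now: float,
                      session_ttl: float = 300.0) -> Outcome:
    """Map an already-parsed callback query plus timing onto the page's scenarios.
    `started` is when the authorization request was issued; a callback arriving
    more than `session_ttl` seconds later is treated as a timed-out session."""
    if now - started > session_ttl:
        return Outcome.TIMEOUT
    if "error" in query:
        return _ERROR_MAP.get(query["error"], Outcome.FAILURE)
    return Outcome.SUCCESS if "code" in query else Outcome.FAILURE


def check_discovery(issuer_url: str, fetch_json) -> dict:
    """Health check on /.well-known/openid-configuration. Verifies the document
    is the expected provider's, not merely that the endpoint answered."""
    doc = fetch_json(issuer_url.rstrip("/") + "/.well-known/openid-configuration")
    problems = []
    if doc.get("issuer") != issuer_url:       # OIDC Discovery requires an exact match
        problems.append("issuer mismatch")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            problems.append(f"missing {key}")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("S256 PKCE not advertised")
    return {"healthy": not problems, "problems": problems}


class SuccessRateMonitor:
    """Sliding-window success rate and time-to-authenticate. User cancellations
    are excluded from the rate: someone backing out is not a service failure,
    and counting them would either mask degradation or trip the alert spuriously."""

    def __init__(self, window: int = 200, threshold: float = 0.90, min_samples: int = 20):
        self.threshold, self.min_samples = threshold, min_samples
        self._results = deque(maxlen=window)
        self._durations = deque(maxlen=window)

    def record(self, outcome: Outcome, seconds: float) -> None:
        if outcome is Outcome.CANCELLED:
            return
        self._results.append(outcome is Outcome.SUCCESS)
        if outcome is Outcome.SUCCESS:
            self._durations.append(seconds)

    def success_rate(self):
        return sum(self._results) / len(self._results) if self._results else None

    def p95_seconds(self):
        if not self._durations:
            return None
        ordered = sorted(self._durations)
        return ordered[int(0.95 * (len(ordered) - 1))]

    def should_alert(self) -> bool:
        rate = self.success_rate()
        return len(self._results) >= self.min_samples and rate < self.threshold


# Constructed sample discovery document for a stand-alone run (not a real BankID response).
SAMPLE_DISCOVERY = {
    "issuer": "https://issuer.example",
    "authorization_endpoint": "https://issuer.example/authorize",
    "token_endpoint": "https://issuer.example/token",
    "jwks_uri": "https://issuer.example/jwks",
    "code_challenge_methods_supported": ["S256"],
}

if __name__ == "__main__":
    print(check_discovery("https://issuer.example", lambda url: SAMPLE_DISCOVERY))
    monitor = SuccessRateMonitor(min_samples=5)
    for q, secs in [({"code": "a"}, 4.2), ({"error": "access_denied"}, 1.0),
                    ({"error": "temporarily_unavailable"}, 0.0), ({"code": "b"}, 6.8)]:
        monitor.record(classify_callback(q, started=0.0, now=5.0), secs)
    print(monitor.success_rate(), monitor.p95_seconds(), monitor.should_alert())
```

`check_discovery` checks the issuer field rather than only the HTTP status because a discovery document that answers but names a different issuer is exactly the condition under which token validation would start failing, and the probe should say so before users do. The p95 time-to-authenticate is what to compare against the 10-second latency requirement.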
Using Components (5)
Dependencies (3)
Authentication
| Type | OAuth 2.0 authorization code flow with PKCE (OpenID Connect 1.0) |
| Requirements | BankID OIDC client registration with Bits AS, client ID and client secret (secret held server-side only), redirect URI registered for the mobile deep link, PKCE (S256) for the mobile client |
| Scopes | openid, profile, nnin (national identity number) |
Configuration
BANKID_CLIENT_ID
BANKID_CLIENT_SECRET
BANKID_ISSUER_URL
BANKID_REDIRECT_URI
Error Handling
Monitoring
Performance
| Latency | < 10s for full BankID authentication flow including app redirect |
| Availability | BankID targets 99.9% availability; fallback to Vipps Login required |
Cost Implications
| Pricing Model | Per-transaction fee negotiated with Bits AS merchant agreement |