CRITICAL story-bankid-vipps-login-peer-mentor-003 8 pts
Story Points: 8
Priority: Critical
Feature: BankID and Vipps Login

User Story

As a Peer Mentor (Likeperson)
I want to log in using Vipps Login
So that I can authenticate quickly with an app most Norwegians already have installed, and optionally share my personnummer with my organization

Audience Summaries

Vipps Login taps into Norway's most widely adopted mobile payment app — 4.2 million users — to deliver frictionless onboarding for peer mentors without requiring new account creation. For organizations struggling with volunteer retention, removing the password barrier is a direct lever on activation rates. The strategic differentiator is Vipps's ability to return the user's personnummer via OAuth scope, solving a data quality problem that has persisted across all three partner organizations without any manual intervention. This single capability justifies the integration cost by eliminating ongoing administrative reconciliation work.

The per-login cost tracking configuration at the organization level also enables accurate billing and cost allocation for multi-tenant deployments, supporting commercial scalability as the platform expands to additional partner organizations.

Vipps Login is a critical-priority story with OAuth 2.0 flow complexity and a notable UX-sensitive step: the personnummer confirmation widget, which requires legal review and copy approval before release. Dependencies include the Vipps API client setup, organization-level Vipps cost configuration, and the secure storage adapter. Cross-functional stakeholders include legal (for data consent language), finance (for per-login cost tracking), and partner organization IT teams (for member record sync). QA scope covers six acceptance criteria scenarios including OAuth happy path, cancellation, personnummer confirmation, storage, error handling, and org-level cost tracking — requiring both emulator and real-device testing with the Vipps test environment.

The consent widget must meet accessibility standards. Coordinate with the BankID story (dependency: story-bankid-vipps-login-peer-mentor-001) to ensure the auth method selector is delivered first.

Implementation involves calling the Vipps Login OAuth 2.0 authorization endpoint via the Vipps API client, constructing the authorization URL with the correct scopes (including the personnummer scope where org config permits), and opening it either as a deep link into the Vipps app or as an in-app browser session. The redirect URI must be registered in the Vipps merchant portal and handled via the app's deep link router. On callback, parse the authorization code, exchange it for an access token via the token endpoint, then extract the personnummer from the ID token claims if present. The personnummer confirmation widget must gate the storage call — only persist after explicit user acknowledgment.

Store via the secure storage adapter and sync to the member record backend. Implement org-level Vipps cost config lookup to apply per-login cost tracking. Handle Vipps app not installed, token exchange failures, scope denial, and network errors with typed error states surfaced to the UI layer.
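An added example (not code from this story or from Vipps) of the client-side checks in the flow above: scope selection from org config, callback validation with typed errors, and the consent gate before storage. The endpoint, client ID, redirect URI, scope name and claim name are placeholders, the ID token claims are assumed to be signature-verified already, and the `state` and PKCE parameters are standard OAuth 2.0 protections that the story does not mention.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholders, not values from the story or from Vipps documentation.
AUTHORIZE_URL = "https://idp.example.invalid/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "peermentor://auth/callback"
PNR_SCOPE = "pnr-scope-placeholder"
PNR_CLAIM = "pnr-claim-placeholder"

class AuthError(Exception): """Base for typed error states surfaced to the UI."""
class LoginRejected(AuthError): pass      # IdP returned an error, e.g. user cancelled
class StateMismatch(AuthError): pass      # callback does not belong to this session
class ConsentRequired(AuthError): pass    # personnummer not yet acknowledged

def build_authorization_request(org_allows_pnr: bool) -> dict:
    """Return the URL to open plus the secrets the app keeps until the callback."""
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)  # PKCE code_verifier, sent at token exchange
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    scopes = ["openid"] + ([PNR_SCOPE] if org_allows_pnr else [])
    query = urlencode({
        "response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI, "scope": " ".join(scopes),
        "state": state, "code_challenge": challenge, "code_challenge_method": "S256",
    })
    return {"url": f"{AUTHORIZE_URL}?{query}", "state": state, "code_verifier": verifier}

def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the deep-link callback and return the authorization code."""
    params = parse_qs(urlparse(callback_url).query)
    got = params.get("state", [""])[0]
    if not hmac.compare_digest(got.encode(), expected_state.encode()):
        raise StateMismatch("callback state does not match this login session")
    if "error" in params:
        raise LoginRejected(params["error"][0])
    if "code" not in params:
        raise AuthError("callback carried neither code nor error")
    return params["code"][0]

def store_personnummer(claims: dict, acknowledged: bool, storage: dict) -> bool:
    """Persist the personnummer only after explicit user acknowledgment."""
    pnr = claims.get(PNR_CLAIM)
    if pnr is None:
        return False                      # scope denied or not requested: nothing to store
    if not acknowledged:
        raise ConsentRequired("user has not confirmed personnummer sharing")
    storage["personnummer"] = pnr
    return True
```

The `storage` dict stands in for the secure storage adapter; the `code_verifier` returned by `build_authorization_request` is what the token exchange would send alongside the code.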

Acceptance Criteria

  • Given I have selected Vipps on the auth method selector, When the Vipps screen loads, Then the Vipps API client initiates a login session and opens the Vipps app or authorization URL
  • Given the Vipps login flow is in progress in the Vipps app, When I approve the login request, Then the deep link handler receives the Vipps callback and returns me to the peer mentor app
  • Given Vipps login succeeds and personnummer is available in the response, When the identity is received, Then the personnummer confirmation widget is displayed asking for acknowledgment before storing
  • Given I confirm personnummer sharing, When the data is saved, Then it is stored securely and linked to my organization member record
  • Given the Vipps login fails or I cancel, When the error is returned, Then I see a descriptive error and can retry or choose BankID instead
  • Given the Vipps cost configuration is set for my organization, When I authenticate, Then any per-login cost tracking is applied per the org-level Vipps config

Business Value

Vipps has approximately 4.2 million users in Norway and is one of the most recognized mobile apps in the country. Vipps Login eliminates the need for the user to create yet another username and password, reducing onboarding friction significantly. The killer feature for the partner organizations is that Vipps Login can return the user's personnummer — this single capability solves a persistent data quality problem across all three organizations without any manual data collection.