Category: configuration | Primary key: id | 8 required attributes | 1 unique attribute

Description

Configuration records for external OAuth/OIDC identity providers (BankID, Vipps) and internal provider settings used by the Authentication Module to issue and validate credentials.

Summary

Attributes: 19
Indexes: 3
Validation Rules: 5
CRUD Operations: 10

Data Structure

| Name | Type | Description | Constraints |
|---|---|---|---|
| id | uuid | Primary key | PK, required, unique |
| provider_type | enum | Identity provider type | required |
| name | string | Human-readable provider name (e.g. 'BankID Norway') | required |
| is_enabled | boolean | Whether this provider is currently active and available for authentication | required |
| is_global | boolean | True if the provider applies platform-wide; false if it is scoped to one organization | required |
| organization_id | uuid | Organization this provider is scoped to; NULL for global providers | - |
| client_id | string | OAuth client ID issued by the identity provider | - |
| client_secret_encrypted | text | AES-256 encrypted OAuth client secret; decrypted only at runtime by the auth service | - |
| discovery_url | string | OIDC discovery endpoint URL (/.well-known/openid-configuration) for the provider | - |
| authorization_endpoint | string | OAuth authorization endpoint URL; populated from discovery or set manually | - |
| token_endpoint | string | OAuth token exchange endpoint URL | - |
| scopes | json | Array of OAuth scopes to request (e.g. ['openid', 'profile', 'phone']) | - |
| extra_params | json | Additional provider-specific query parameters appended to the authorization request | - |
| redirect_uri | string | Registered OAuth callback URI for this provider | - |
| phase | enum | Roadmap phase in which this provider becomes available | required |
| display_order | integer | Sort order for rendering provider buttons on the login screen | - |
| metadata | json | Provider-specific metadata (e.g. BankID environment tier: 'test' or 'production', Vipps merchant serial number) | - |
| created_at | datetime | Record creation timestamp | required |
| updated_at | datetime | Last modification timestamp | required |

Database Indexes

| Name | Type | Columns |
|---|---|---|
| idx_auth_providers_type_enabled | btree | provider_type, is_enabled |
| idx_auth_providers_organization_id | btree | organization_id |
| idx_auth_providers_type_org | btree, unique | provider_type, organization_id |

Validation Rules

| Rule | Severity | Message |
|---|---|---|
| oauth_providers_require_credentials | error | Validation failed |
| discovery_url_format | error | Validation failed |
| scopes_valid_json_array | error | Validation failed |
| webauthn_no_client_secret | error | Validation failed |
| display_order_non_negative | error | Validation failed |

Business Rules

one_provider_type_per_org (on_create)

Only one record per (provider_type, organization_id) pair may exist. Global providers (organization_id IS NULL) are unique by provider_type alone.

Enforced by: Auth Service

mvp_email_password_always_enabled (on_update)

The email_password provider must always be enabled and cannot be disabled; it is the fallback for all organizations in MVP.

phase_gate (on_update)

Providers with phase='v1.0' or later cannot have is_enabled set to true until the corresponding roadmap phase is active in platform configuration.

Enforced by: Auth Service

secret_always_encrypted (on_create)

client_secret_encrypted must be stored encrypted at rest using AES-256; the auth service decrypts it at runtime only. Plaintext secrets must never be persisted.

disabled_provider_blocks_login (always)

If is_enabled=false, the auth service must reject authentication attempts via that provider with a clear error before any external call is made.
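
The following is an added reference implementation of the validation and business rules above; it is not code from this data dictionary or from the project it documents. It assumes provider_type values 'email_password', 'bankid', 'vipps' and 'webauthn', a 'mvp' phase that precedes 'v1.0', an 'aes256gcm:' envelope prefix marking ciphertext (the page only says AES-256), and that discovery_url_format means an https URL ending in /.well-known/openid-configuration. Each checker returns the names of every rule that fails rather than stopping at the first, which is what an admin UI wants to show. Note that one_provider_type_per_org has to be checked in code, as the page says: a plain unique btree index on (provider_type, organization_id) treats NULL organization_id values as distinct on PostgreSQL and MySQL, so it would not stop two global providers of the same type.

```python
# Added example, not code from the data dictionary or the project it documents.
# Reference checks for the auth-provider validation and business rules.
# Assumed (not on the page): provider_type and phase values, the 'aes256gcm:'
# ciphertext prefix, and the exact shape required by discovery_url_format.
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set
from urllib.parse import urlparse

OAUTH_TYPES = {"bankid", "vipps"}          # assumed enum values
SECRET_ENVELOPE_PREFIX = "aes256gcm:"      # assumed marker written by the auth service
DISCOVERY_PATH = "/.well-known/openid-configuration"


@dataclass
class AuthProvider:
    provider_type: str
    name: str
    is_enabled: bool = False
    organization_id: Optional[str] = None  # None means a global provider
    client_id: Optional[str] = None
    client_secret_encrypted: Optional[str] = None
    discovery_url: Optional[str] = None
    scopes: object = None                  # json column: list or JSON text
    phase: str = "mvp"
    display_order: int = 0


def record_violations(p: AuthProvider) -> List[str]:
    """The five validation rules; returns the names of all rules that fail."""
    bad: List[str] = []
    if p.provider_type in OAUTH_TYPES and not (p.client_id and p.client_secret_encrypted):
        bad.append("oauth_providers_require_credentials")
    if p.discovery_url is not None:
        u = urlparse(p.discovery_url)
        if u.scheme != "https" or not u.netloc or not u.path.endswith(DISCOVERY_PATH):
            bad.append("discovery_url_format")
    if p.scopes is not None:
        try:
            scopes = json.loads(p.scopes) if isinstance(p.scopes, str) else p.scopes
        except json.JSONDecodeError:
            scopes = None
        if not isinstance(scopes, list) or not all(isinstance(s, str) for s in scopes):
            bad.append("scopes_valid_json_array")
    if p.provider_type == "webauthn" and p.client_secret_encrypted:
        bad.append("webauthn_no_client_secret")
    if p.display_order < 0:
        bad.append("display_order_non_negative")
    return bad


def phase_gate_violated(p: AuthProvider, active_phases: Set[str]) -> bool:
    """phase_gate: anything later than 'mvp' may only be enabled once its phase is active."""
    return p.is_enabled and p.phase != "mvp" and p.phase not in active_phases


def create_violations(existing: Iterable[AuthProvider], new: AuthProvider,
                      active_phases: Set[str]) -> List[str]:
    """on_create rules. The (provider_type, organization_id) key is compared in
    code because a unique btree index treats NULL organization_ids as distinct."""
    bad = record_violations(new)
    key = (new.provider_type, new.organization_id)
    if any((e.provider_type, e.organization_id) == key for e in existing):
        bad.append("one_provider_type_per_org")
    secret = new.client_secret_encrypted
    if secret and not secret.startswith(SECRET_ENVELOPE_PREFIX):
        bad.append("secret_always_encrypted")   # looks like plaintext, refuse to persist
    if phase_gate_violated(new, active_phases):
        bad.append("phase_gate")
    return bad


def update_violations(updated: AuthProvider, active_phases: Set[str]) -> List[str]:
    """on_update rules."""
    bad = record_violations(updated)
    if updated.provider_type == "email_password" and not updated.is_enabled:
        bad.append("mvp_email_password_always_enabled")
    if phase_gate_violated(updated, active_phases):
        bad.append("phase_gate")
    return bad


def login_allowed(p: AuthProvider) -> bool:
    """disabled_provider_blocks_login: call this before any discovery or redirect."""
    return p.is_enabled


if __name__ == "__main__":
    # Constructed sample records, not real provider configuration.
    bankid = AuthProvider("bankid", "BankID Norway", is_enabled=True, client_id="demo-client",
                          client_secret_encrypted="aes256gcm:c2VjcmV0", scopes='["openid", "profile"]',
                          discovery_url="https://idp.example.invalid" + DISCOVERY_PATH)
    print(create_violations([], bankid, set()))         # []
    print(create_violations([bankid], bankid, set()))   # ['one_provider_type_per_org']
```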

Storage Configuration

Storage Type: lookup_table
Location: main_db
Partitioning: No Partitioning
Retention: Permanent Storage