BankID Authentication
Feature Detail
Description
BankID authentication integrates Norwegian national identity verification as the preferred first-login method for all four organizations. The feature implements the BankID OpenID Connect (OAuth 2.0 authorization code) flow with PKCE and links the national identifier returned in the ID token to the user's Meander account on first use. Subsequent sessions are resumed with biometric unlock on the device rather than a fresh BankID authentication; the unlock only gates access to the locally held session credential and is not a renewed identity verification. The feature targets Phase 2, after the MVP email/password login is stable and BankID Norway certification is complete; because production approval requires a separate application process, that process must begin early.
Sources & reasoning
§1.3 explicitly defers BankID to Phase 2 (Fase 2 in the source), confirmed by the Fase column in the priority matrix (§4). Phase 2 is the second ordinal phase, mapping to v1.0. Although BankID is MUST HAVE across all organizations, the source document clearly places delivery post-MVP.
No source references are linked to this artifact; its placement rests on the reasoning above.
Analysis
All four organizations flagged BankID as the preferred authentication method because it removes the password-management burden from volunteers and coordinators with varying digital skills. The national identifier returned in the ID token lets organizations retrospectively complete membership records where this field is missing, directly improving reporting quality under Bufdir requirements. BankID support signals institutional trust to publicly funded organizations and reduces procurement friction with decision-makers. Delivering BankID in Phase 2 lets the team learn from MVP usage patterns before adding OIDC complexity to the auth module.
The Authentication Module adds a BankID OIDC provider record to the Auth Provider Config data component, distinguished by a provider_type discriminator. The Flutter app initiates the authorization code request with a PKCE challenge, launches the BankID app via deep link and receives the callback URI; that callback should be a claimed HTTPS link (Android App Links / iOS Universal Links) rather than a custom URL scheme, so that another app on the device cannot register for it and intercept the authorization code. Per-tenant OAuth credentials (client_id, client_secret) are stored encrypted in Auth Provider Config; since a mobile client cannot hold a confidential secret, the code exchange must be completed server-side by the Authentication Module, which then validates the ID token (signature against the BankID JWKS, iss, aud, exp, and the nonce bound to the pending login) before using any claim. The national identifier (fødselsnummer) from the ID token is stored encrypted and never exposed in API responses or JWT claims. Production approval from BankID Norway requires formal certification; this application must start during Phase 1 so it does not block the Phase 2 timeline.
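The flow described above, as an added example that is not part of the Meander code base: Python stands in for the Authentication Module, and the BankID issuer and endpoint, the ID-token claim name carrying the fødselsnummer (nnin), the HS256 keys, the constructed callback and the constructed ID token are all assumptions so the example runs offline. A real deployment exchanges the code at the BankID token endpoint with the tenant's client_secret and verifies RS256 signatures against the provider's JWKS instead of the shared demo key.

```python
# Added example, not Meander code. Endpoint, claim name and keys are stand-ins
# for an offline run; production verifies RS256 against BankID's JWKS.
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://auth.bankid.example"                  # assumed issuer
AUTH_ENDPOINT = f"{ISSUER}/authorize"
CLIENT_ID = "meander-tenant-a"                          # per tenant, from Auth Provider Config
REDIRECT_URI = "https://app.meander.example/cb/bankid"  # claimed https link, not a custom scheme
NIN_CLAIM = "nnin"                                      # assumed claim name for the fødselsnummer
PROVIDER_KEY = b"demo-provider-key"                     # stands in for the provider's signing key
SESSION_KEY = b"demo-session-key"                       # Meander's own session-signing key
INDEX_KEY = b"demo-index-key"                           # keyed lookup index for the identifier


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_pkce() -> tuple:
    """RFC 7636: random code_verifier and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))  # 43 unreserved characters
    return verifier, b64url(hashlib.sha256(verifier.encode()).digest())

def start_login() -> tuple:
    """Authorization URL plus the per-login secrets the client must keep."""
    verifier, challenge = make_pkce()
    pending = {"verifier": verifier, "state": b64url(secrets.token_bytes(16)),
               "nonce": b64url(secrets.token_bytes(16))}
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid", "state": pending["state"], "nonce": pending["nonce"],
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"{AUTH_ENDPOINT}?{urlencode(params)}", pending

def parse_callback(url: str, pending: dict) -> str:
    """Bind the callback to the pending login via state before taking the code."""
    q = parse_qs(urlparse(url).query)
    if q.get("state", [None])[0] != pending["state"]:
        raise ValueError("state mismatch")
    return q["code"][0]

def hs256_jwt(payload: dict, key: bytes) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_jwt(token: str, key: bytes) -> dict:
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig), expected):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))

def verify_id_token(token: str, pending: dict) -> dict:
    """Signature, iss, aud, exp and nonce must all hold before any claim is trusted."""
    claims = verify_jwt(token, PROVIDER_KEY)
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("expired")
    if claims.get("nonce") != pending["nonce"]:
        raise ValueError("nonce mismatch")
    return claims

def link_and_issue_session(claims: dict, accounts: dict, vault: dict) -> tuple:
    """Link by HMAC(identifier) so later logins find the account without a
    searchable plaintext; the identifier itself goes to `vault` (the encrypted
    column in the design) and never into the session token."""
    nin = claims[NIN_CLAIM]
    idx = hmac.new(INDEX_KEY, nin.encode(), hashlib.sha256).hexdigest()
    account_id = accounts.setdefault(idx, f"acct-{len(accounts) + 1}")
    vault[account_id] = nin  # stands in for the encrypted-at-rest column
    session = hs256_jwt({"sub": account_id, "exp": int(time.time()) + 900}, SESSION_KEY)
    return account_id, session

def demo() -> dict:
    """End-to-end run against a constructed callback and provider response."""
    accounts, vault = {}, {}
    url, pending = start_login()
    code = parse_callback(f"{REDIRECT_URI}?code=c0de&state={pending['state']}", pending)
    # Constructed ID token standing in for the token endpoint's response after the
    # server-side code exchange (done with the tenant's client_secret; omitted here).
    id_token = hs256_jwt({"iss": ISSUER, "aud": CLIENT_ID, "sub": "bankid-sub-1",
                          "nonce": pending["nonce"], "exp": int(time.time()) + 300,
                          NIN_CLAIM: "01010012345"}, PROVIDER_KEY)  # constructed identifier
    account_id, session = link_and_issue_session(verify_id_token(id_token, pending), accounts, vault)
    return {"url": url, "code": code, "account_id": account_id,
            "session_claims": verify_jwt(session, SESSION_KEY), "vault": vault}
```

The keyed index is what makes "stored encrypted" compatible with "linked on first use": a repeat login must find the same account, but searching an encrypted column is not possible, so a separate HMAC of the identifier serves as the lookup key while the ciphertext carries the value itself. The session token that the app keeps behind biometric unlock contains only the internal account id, which is the property the design statement about JWT claims asks for.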
Components (45)
Shared Components
These components are reused across multiple features
Service Layer (11)
Data Layer (23)
Infrastructure (7)
User Stories
No user stories have been generated for this feature yet.