Service Layer · medium complexity · backend
Dependencies: 0 · Dependents: 0 · Entities: 0 · Integrations: 0

Description

Handles the OAuth redirect callback after the user authenticates with BankID. Verifies the state parameter to prevent CSRF, delegates token exchange to BankIdService, and establishes the Meander session upon success. Routes errors back to the login screen with an appropriate message.

Feature: BankID Authentication

bank-id-callback-handler

Sources & reasoning

Line 144 of the priority matrix assigns BankID/Vipps to phase 2 with MUST HAVE priority. Phase 2 maps to v1.0 by ordinal position. Line 42 explicitly defers it from MVP. All four organisations confirmed their preference in workshops (lines 40-42), making v1.0 the correct and evidence-backed target release.

  • docs/source/likeperson.md · lines 40-42
    All four organisations point to BankID or Vipps as the preferred authentication for first-time login
  • docs/source/likeperson.md · line 144
    BankID / Vipps login | ✓ | ✓ | ✓ | ✓ | ✓ | MUST HAVE | 2

Responsibilities

  • Receive and parse the OIDC callback request with code and state parameters
  • Verify the state parameter matches the value stored before the redirect
  • Delegate code exchange and identity linking to BankIdService
  • Create an authenticated Meander session for the resolved user
  • Redirect to the appropriate post-login destination or error route

Interfaces

handleCallback(code: string, state: string, redirectUri: string): SessionToken
verifyState(receivedState: string, expectedState: string): boolean
resolvePostLoginRedirect(user: User): string
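The responsibilities and interfaces above can be exercised end to end with the following TypeScript sketch. It is an added example, not code from the Meander project: the `User`, `SessionToken` and `BankIdService` shapes, the `/login?error=...`, `/onboarding` and `/dashboard` routes, the five-minute state lifetime and the one-hour session lifetime are all assumptions, and the value stored before the redirect is passed to `handleCallback` explicitly as `pending` rather than read from a session store. The point it shows is the ordering the description calls for: the state is compared in constant time and checked for expiry before any code exchange happens, so a tampered or replayed callback never reaches `BankIdService`, and every failure maps to a login-screen redirect with a reason.

```typescript
// Added example (not the project's code): sketch of bank-id-callback-handler.
// Types, routes, lifetimes and the BankIdService shape are assumptions.
import { randomBytes, timingSafeEqual } from "node:crypto";

export interface User { id: string; displayName: string; onboardingComplete: boolean; }
export interface SessionToken { token: string; userId: string; expiresAt: number; }

// Assumed minimal shape of BankIdService: exchanges the authorization code and
// links the BankID identity to a Meander user. Returns null if the exchange fails.
export interface BankIdService {
  exchangeCode(code: string, redirectUri: string): User | null;
}

// What was stored server side (bound to the browser session) before redirecting to BankID.
export interface PendingLogin { expectedState: string; createdAt: number; }

export type CallbackResult =
  | { kind: "session"; session: SessionToken; redirectTo: string }
  | { kind: "error"; reason: "invalid_state" | "state_expired" | "exchange_failed"; redirectTo: string };

const STATE_TTL_MS = 5 * 60 * 1000;    // assumed: a pending login is valid for five minutes
const SESSION_TTL_MS = 60 * 60 * 1000; // assumed session lifetime

// Constant-time comparison so a mismatch does not leak where the strings diverge.
// timingSafeEqual throws on differing lengths, so that case is handled first.
export function verifyState(receivedState: string, expectedState: string): boolean {
  const received = Buffer.from(receivedState, "utf8");
  const expected = Buffer.from(expectedState, "utf8");
  if (received.length !== expected.length) return false;
  return timingSafeEqual(received, expected);
}

// Assumed post-login routes: unfinished onboarding first, otherwise the dashboard.
export function resolvePostLoginRedirect(user: User): string {
  return user.onboardingComplete ? "/dashboard" : "/onboarding";
}

export class BankIdCallbackHandler {
  constructor(private readonly bankId: BankIdService) {}

  // `pending` is the value stored before the redirect. The caller must delete it after
  // this returns, whatever the outcome, so a state value can only be used once.
  handleCallback(
    code: string, state: string, redirectUri: string,
    pending: PendingLogin | undefined, now: number = Date.now(),
  ): CallbackResult {
    // 1. State check comes first: no token exchange on a missing or mismatched state.
    if (pending === undefined || !verifyState(state, pending.expectedState)) {
      return { kind: "error", reason: "invalid_state", redirectTo: "/login?error=invalid_state" };
    }
    if (now - pending.createdAt > STATE_TTL_MS) {
      return { kind: "error", reason: "state_expired", redirectTo: "/login?error=state_expired" };
    }
    // 2. Delegate the code exchange and identity linking to BankIdService.
    const user = this.bankId.exchangeCode(code, redirectUri);
    if (user === null) {
      return { kind: "error", reason: "exchange_failed", redirectTo: "/login?error=exchange_failed" };
    }
    // 3. Establish the authenticated session and pick the destination.
    const session: SessionToken = {
      token: randomBytes(32).toString("base64url"),
      userId: user.id,
      expiresAt: now + SESSION_TTL_MS,
    };
    return { kind: "session", session, redirectTo: resolvePostLoginRedirect(user) };
  }
}

// Constructed stand-in for BankIdService so the handler can be exercised offline;
// `exchanges` counts how often the exchange was attempted.
export class FakeBankIdService implements BankIdService {
  exchanges = 0;
  constructor(private readonly users: Record<string, User>) {}
  exchangeCode(code: string, _redirectUri: string): User | null {
    this.exchanges += 1;
    return this.users[code] ?? null;
  }
}

// Stand-alone run: one valid callback and one with a tampered state (constructed inputs).
export function demo(): { good: CallbackResult; tampered: CallbackResult } {
  const handler = new BankIdCallbackHandler(new FakeBankIdService({
    "code-ok": { id: "u1", displayName: "Kari", onboardingComplete: true },
  }));
  const uri = "https://meander.example/auth/bankid/callback"; // constructed redirect URI
  const pending: PendingLogin = { expectedState: "s3cret-state", createdAt: 1_000 };
  return {
    good: handler.handleCallback("code-ok", "s3cret-state", uri, pending, 2_000),
    tampered: handler.handleCallback("code-ok", "s3cret-statf", uri, pending, 2_000),
  };
}
console.log(JSON.stringify(demo(), null, 2));
```

Because `pending` is consumed by the caller regardless of outcome, a second callback carrying the same state (a replay) fails the same way as a tampered one, and the `exchanges` counter on the fake service makes it easy to confirm in a test that no exchange is attempted when the state check fails.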