story-bankid-vipps-authentication-organization-administrator-001

Story Points: 8
Priority: Critical
Feature: BankID & Vipps Authentication

User Story

As a user
I want to log in to the app using my BankID
So that my identity is verified using Norway's trusted national e-ID, meeting regulatory requirements and giving organizations confidence in who is accessing sensitive data

Acceptance Criteria

  • Given a user on the login screen, when they tap 'Log in with BankID', then an in-app browser opens to the BankID authorization URL with a valid PKCE code challenge
  • Given a user who completes the BankID authentication flow, when the provider redirects with an authorization code, then the app exchanges the code for tokens and creates a valid Supabase session
  • Given a successful BankID authentication, when the session is established, then the authenticated user's name and verified identity are stored and the user is navigated to the appropriate home screen
  • Given a user who cancels the BankID flow in the browser, when the browser returns without a code, then the app returns to the login screen with a user-friendly cancellation message and does not crash
  • Given BankID provider unavailability, when the authorization endpoint returns an error, then the app displays a localized error message explaining the provider is temporarily unavailable and offers a retry action
  • Given a completed BankID login, when the app processes the ID token, then it validates the token signature, issuer, and expiry before accepting it as authentic
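
A sketch of the PKCE, redirect, cancellation and provider-error criteria above. It is an added example, not code from this project: the endpoint, client id, redirect URI and scope are placeholders, and the `state` check and the mapping of `access_denied` to a cancellation are assumptions that the criteria do not state.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Hypothetical values: the story does not give the endpoint, client id or redirect URI.
AUTHORIZE_URL = "https://bankid-provider.example/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "com.example.app://auth/callback"


def pkce_challenge(verifier: str) -> str:
    """S256 challenge from RFC 7636: BASE64URL(SHA256(verifier)), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def start_login() -> dict:
    """Create per-attempt secrets and the URL the in-app browser opens."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside the 43-128 limit
    state = secrets.token_urlsafe(16)     # assumption: state binds the response to this attempt
    query = urlencode({
        "response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI, "scope": "openid profile",
        "state": state, "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    })
    # The verifier stays on the device; only its hash goes to the provider.
    return {"url": f"{AUTHORIZE_URL}?{query}", "verifier": verifier, "state": state}


def handle_redirect(redirect_url: str, expected_state: str) -> tuple:
    """Classify the browser's return into the outcomes the criteria name."""
    params = parse_qs(urlsplit(redirect_url).query)
    first = lambda key: params.get(key, [""])[0]
    if first("error"):
        # Assumption: access_denied (RFC 6749) is treated as the user cancelling.
        kind = "cancelled" if first("error") == "access_denied" else "provider_error"
        return (kind, None)
    if not first("code"):
        return ("cancelled", None)        # browser returned without a code
    if not hmac.compare_digest(first("state").encode(), expected_state.encode()):
        return ("rejected", None)         # response does not belong to this attempt
    return ("exchange", first("code"))    # next: send code + verifier to the token endpoint
```

Only the `exchange` outcome proceeds to the token request; the other three map to the cancellation message, the retryable provider error, and a silent return to the login screen.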

Business Value

BankID is the dominant national e-ID in Norway and is explicitly required by all three workshop organizations (NHF, Blindeforbundet, HLF). It provides verified identity assurance needed for regulatory compliance, protects sensitive volunteer and beneficiary data, and establishes user trust that the app is a professional-grade tool appropriate for handling personal information. Without BankID authentication, the app cannot be deployed in production for these organizations.