Hi, we want to set up a direct Vipps login not using a 3rd party. Our setup is as follows:
Upon login we get the Vipps popup as expected but then get a “jwt token missing” error after phone check.
What are we missing?
Hi! Do you have a screenshot (including the URL to the login page) from when this occurs?
Hello
Trying to set up a direct Vipps login not using a 3rd party.
How did this go for you @Sondre?
I'm stuck at getting this error:
Hey, this seems to be an error with the redirect URL in Vipps that is not pointing to your Appfarm solution. Let me know if that is the case.
In addition we had to build a script outside Appfarm to fetch an email address to be able to create a user. I’m unsure if that is required in all cases.
Thanks, that was the case! Had to add account.appfarm.io/callback to the URI list.
Now I'm here with a test user phone number from Vipps which is not working. Did you also experience this?
You can find documentation here: The Vipps MobilePay test environment | Vipps MobilePay Technical Documentation
In this case I think what you are missing is downloading and logging in to the test app, maybe with a test user.
Thanks!
Now I'm at this point. I guess this is why you created the script? Any tips as to how you went about that are much appreciated.
Yes, that is the case. Our script decoded the initial token, then used Appfarm's GraphQL API to fetch the email connected to the phone number from Vipps, then compiled a JSON including the email claim, then re-encoded the JSON as a signed JWT token and returned it to Appfarm as the signed-in User.
Thanks! @Sondre
@simon Please check out this thread regarding Vipps login without a 3rd party. Why is this setup causing the “email” claim not to be included in the ID token when it's in the scope? Is there anything you guys can do?
Just to confirm: you had to put this script as a “middleman” between AppFarm and Vipps to ensure the ID token was returned in the “right format”. Something like this, if you add a lot of salt:
| AppFarm | +++++++++ | MW | +++++++++ | Vipps |
|                    |                    |
|---login----------->|                    |
|                    |---login----------->|
|                    |<--token t1---------|
|<--token t2---------|                    |
Or more concretely:
Intercept step 6 and make sure the right state is returned. But don’t you then need to own the signing key as well? Seems like a lot to do to get things right.
Am I missing something?
Yes, we intercepted in step 6 and created a new ID token including email. Vipps/BankID login does not require you to have an email attached to your user, so the email should be matched from somewhere else. In our case from Appfarm, as it was required to log in with a company email as a first login to create the User.
This also can be achieved by building a custom login in Appfarm btw.
We were actually able to make Vipps require that email is added in order to log in. But the email is not sent through the JWT token; one has to fetch it from the userinfo endpoint to get the data. But AppFarm does not seem to do the last step if email is not part of the token.
We will look a bit more into it. Thanks for taking the time to answer.
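The middleman step discussed in this thread (verify the provider's token t1, look up the email, issue a new signed token t2), as an added example that is not code from any poster, Appfarm or Vipps. It uses HS256 with shared keys only so that it runs on the Python standard library; a real relay would verify t1 against the provider's published signing keys with a JWT library. All names, URLs, keys and the `lookup_email` callback are hypothetical.

```python
import base64, hashlib, hmac, json

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def sign(claims: dict, key: bytes) -> str:
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64(_mac(key, head + '.' + body))}"

def verify(token: str, key: bytes, iss: str, aud: str, now: int) -> dict:
    """Return the claims only if signature, alg, iss, aud and exp all check out."""
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_unb64(head)), json.loads(_unb64(body))
        sig_ok = hmac.compare_digest(_unb64(sig), _mac(key, head + "." + body))
    except ValueError as exc:          # wrong part count, bad base64, bad JSON
        raise ValueError("malformed token") from exc
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256" or not sig_ok:   # pin alg, reject "none"
        raise ValueError("bad signature")
    if claims.get("iss") != iss or claims.get("aud") != aud:
        raise ValueError("wrong issuer or audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims

def reissue_with_email(t1, idp_key, mw_key, cfg, lookup_email, client_nonce, now):
    c = verify(t1, idp_key, cfg["idp_iss"], cfg["mw_client_id"], now)  # t1 first
    email = lookup_email(c) if c.get("sub") else None   # userinfo call or user DB
    if not email:
        raise ValueError("missing subject or no email on record")
    t2 = {"iss": cfg["mw_iss"], "aud": cfg["app_client_id"], "sub": c["sub"],
          "email": email, "nonce": client_nonce, "iat": now,
          "exp": min(c["exp"], now + 300)}   # never outlive the upstream token
    return sign(t2, mw_key)

if __name__ == "__main__":             # constructed sample values, not real ones
    cfg = {"idp_iss": "https://idp.example", "mw_client_id": "mw",
           "mw_iss": "https://mw.example", "app_client_id": "app"}
    t1 = sign({"iss": cfg["idp_iss"], "aud": "mw", "sub": "u1", "exp": 2000}, b"idp-key")
    print(reissue_with_email(t1, b"idp-key", b"mw-key", cfg, lambda c: "a@b.example", "n1", 1000))
```

The relay becomes the token issuer for the application, so its signing key needs the same protection as the identity provider's, and a t1 that fails any check must never produce a t2.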