Direct Vipps login (without 3rd party)

Hi, we want to set up a direct Vipps login not using a 3rd party. Our setup is as follows:

Upon login we get the vipps popup as expected but then get a “jwt token missing” error after phone check.

What are we missing? :slight_smile:

Hi! Do you have a screenshot (including the URL to the login page) from when this occurs?

Hello :slight_smile:

Trying to set up a direct Vipps login not using a 3rd party.

How did this go for you @Sondre?

I'm stuck at getting this error:

Hey, this seems to be an error with the redirect URL in Vipps that is not pointing to your Appfarm solution. Let me know if that is the case :slight_smile:

In addition we had to build a script outside Appfarm to fetch an email address to be able to create a user. I’m unsure if that is required in all cases.

Thanks that was the case! Had to add to the URI list :slight_smile:

Now I'm here with a test user phone number from Vipps which is not working. Did you also experience this?

You can find documentation here: The Vipps MobilePay test environment | Vipps MobilePay Technical Documentation

In this case I think what you are missing is downloading and logging in to the test app, maybe with a test user :slight_smile:

1 Like


Now I'm at this point. I guess this is why you created the script? Any tips as to how you went about that are much appreciated.

Yes, that is the case. Our script decoded the initial token, then used Appfarm's GraphQL API to fetch the email connected to the phone number from Vipps, then compiled a JSON including the email claim, then re-encoded the JSON as a signed JWT token and returned it to Appfarm as the signed-in User :slight_smile:

1 Like

Thanks! @Sondre

@simon Please check out this thread regarding Vipps login without 3rd party :slight_smile: Why is this setup causing the “email” claim not to be included in the ID token when it's in the scope? Is there anything you guys can do?

1 Like

Just to confirm: you had to put this script as a “middleman” between AppFarm and Vipps to ensure the ID token was returned in the “right format”. Something like this, if you add a lot of salt:

| AppFarm | +++++++++ |   MW   | +++++++++ | Vipps |
     |                    |                    |
     |---login----------->|                    |
     |                    |---login----------->|
     |                    |<--token t1---------|
     |<--token t2---------|                    |

Or more concretely

Intercept step 6 and make sure the right state is returned. But don’t you then need to own the signing key as well? Seems like a lot to do to get things right.

Am I missing something?

Yes, we intercepted in step 6 and created a new ID token including email. Vipps/BankID login does not require you to have an email attached to your user, so the email should be matched from somewhere else. In our case from Appfarm, as it was required to log in with a company email as a first login to create the User.

This also can be achieved by building a custom login in Appfarm btw.

1 Like

We actually were able to make Vipps require that email is added in order to log in. But the email is not sent through the JWT token; one has to fetch it from the userinfo endpoint to get the data. But AppFarm does not seem to do the last step if email is not part of the token.

We will look a bit more into it. Thanks for taking the time to answer.

1 Like
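
The re-issuing step discussed in this thread (verify the provider's token t1, add the email claim, sign a new token t2 with a key the middleware owns), as an added example that is not any poster's script and not Appfarm or Vipps code. Assumptions: HS256 with constructed shared keys so it runs on the standard library alone (a provider's real ID tokens are normally verified against its published public keys), a `phone_number` claim in t1, and a hypothetical `lookup_email` callable standing in for the email lookup.

```python
import base64, hashlib, hmac, json, time

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    parts = [_b64e(json.dumps(p, separators=(",", ":")).encode())
             for p in ({"alg": "HS256", "typ": "JWT"}, claims)]
    mac = hmac.new(key, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [_b64e(mac)])

def verify_hs256(token: str, key: bytes, audience: str, now=None) -> dict:
    """Return the claims only if signature, alg, audience and expiry all check out."""
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_b64d(head)), json.loads(_b64d(body))
        given = _b64d(sig)
    except ValueError as exc:  # wrong part count, bad base64 or bad JSON
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        raise ValueError("bad signature")
    if not isinstance(claims, dict) or claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims

def reissue_with_email(upstream_token, upstream_key, mw_key, mw_issuer,
                       client_id, lookup_email, now=None) -> str:
    """Middleware step: verify t1, add the email claim, sign t2 with the middleware key."""
    t1 = verify_hs256(upstream_token, upstream_key, client_id, now)
    email = lookup_email(t1.get("phone_number"))  # hypothetical lookup (assumption)
    if not email:
        raise LookupError("no email on record for this user")
    # Copy only what the relying party needs; keeping exp and nonce means t2
    # cannot outlive t1 or be replayed into a different login attempt.
    t2 = {k: t1[k] for k in ("sub", "aud", "exp", "iat", "nonce") if k in t1}
    t2.update(iss=mw_issuer, email=email)
    return sign_hs256(t2, mw_key)
```

Because t2 is signed by the middleware, the relying party has to be configured to trust the middleware's issuer and key instead of the provider's, and a t1 that is only decoded and not verified would let anyone mint a login.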