feat(auth): add BankID OAuth provider

2026-03-22 15:12:08 +01:00 · 2025-10-11 21:16:53 +02:00
parent 32764ab1b0
commit a91aea805f
5 changed files with 107 additions and 4 deletions
--- a/7project/backend/app/app.py
+++ b/7project/backend/app/app.py
@@ -56,6 +56,17 @@ fastApi.include_router(
    tags=["auth"],
 )

+fastApi.include_router(
+    fastapi_users.get_oauth_router(
+        app.services.user_service.get_oauth_provider("BankID"),
+        auth_backend,
+        "SECRET",
+        associate_by_email=True,
+    ),
+    prefix="/auth/bankid",
+    tags=["auth"],
+)
+

 # Liveness/root endpoint
@fastApi.get("/", include_in_schema=False)
--- a/7project/backend/app/models/user.py
+++ b/7project/backend/app/models/user.py
@@ -1,13 +1,12 @@
-from typing import List
-
 from sqlalchemy import Column, String
-from sqlalchemy.orm import relationship
+from sqlalchemy.orm import relationship, mapped_column, Mapped
 from fastapi_users.db import SQLAlchemyBaseUserTableUUID, SQLAlchemyBaseOAuthAccountTableUUID
 from app.core.base import Base


 class OAuthAccount(SQLAlchemyBaseOAuthAccountTableUUID, Base):
-    pass
+    # BankID token is longer than default
+    access_token: Mapped[str] = mapped_column(String(length=4096), nullable=False)


 class User(SQLAlchemyBaseUserTableUUID, Base):
--- a/7project/backend/app/oauth/bank_id.py
+++ b/7project/backend/app/oauth/bank_id.py
@@ -0,0 +1,49 @@
+import secrets
+from typing import Optional, Literal
+
+from httpx_oauth.clients.openid import OpenID
+from httpx_oauth.oauth2 import T
+
+
+class BankID(OpenID):
+    def __init__(self, client_id: str, client_secret: str):
+        super().__init__(
+            client_id,
+            client_secret,
+            "https://oidc.sandbox.bankid.cz/.well-known/openid-configuration",
+            "BankID",
+            base_scopes=["openid", "profile.email", "profile.name"],
+        )
+
+    async def get_user_info(self, token: str) -> dict:
+        info = await self.get_profile(token)
+
+        return {
+            "first_name": info.get("given_name"),
+            "last_name": info.get("family_name"),
+        }
+
+    async def get_authorization_url(
+            self,
+            redirect_uri: str,
+            state: Optional[str] = None,
+            scope: Optional[list[str]] = None,
+            code_challenge: Optional[str] = None,
+            code_challenge_method: Optional[Literal["plain", "S256"]] = None,
+            extras_params: Optional[T] = None,
+    ) -> str:
+        if extras_params is None:
+            extras_params = {}
+
+        # BankID requires random nonce parameter for security
+        # https://developer.bankid.cz/docs/security_sep
+        extras_params["nonce"] = secrets.token_urlsafe()
+
+        return await super().get_authorization_url(
+            redirect_uri,
+            state,
+            scope,
+            code_challenge,
+            code_challenge_method,
+            extras_params,
+        )
--- a/7project/backend/app/services/user_service.py
+++ b/7project/backend/app/services/user_service.py
@@ -12,11 +12,13 @@ from fastapi_users.authentication.strategy.jwt import JWTStrategy
 from fastapi_users.db import SQLAlchemyUserDatabase

 from app.models.user import User
+from app.oauth.bank_id import BankID
 from app.oauth.moje_id import MojeIDOAuth
 from app.services.db import get_user_db
 from app.core.queue import enqueue_email

 SECRET = os.getenv("SECRET", "CHANGE_ME_SECRET")
+
 FRONTEND_URL = os.getenv("FRONTEND_URL", "http://localhost:5173")
 BACKEND_URL = os.getenv("BACKEND_URL", "http://localhost:8000")

@@ -24,6 +26,10 @@ providers = {
    "MojeID": MojeIDOAuth(
        os.getenv("MOJEID_CLIENT_ID", "CHANGE_ME_CLIENT_ID"),
        os.getenv("MOJEID_CLIENT_SECRET", "CHANGE_ME_CLIENT_SECRET"),
+    ),
+    "BankID": BankID(
+        os.getenv("BANKID_CLIENT_ID", "CHANGE_ME_CLIENT_ID"),
+        os.getenv("BANKID_CLIENT_SECRET", "CHANGE_ME_CLIENT_SECRET"),
    )
 }