Bilko Mobile Phase 0 Auth Bridge — Status 2026-06-05

Bilko Mobile Phase 0 Auth Bridge — Status 2026-06-05

Executive summary

Bilko mobile direction is native iPhone + Samsung/Android, with React Native + Expo as the implementation path. The PWA/mobile-web direction is superseded for the companion mobile app.

Phase 0 backend/auth work is implemented locally and targeted tests are green. The mobile app build should not be dispatched until the remaining gates below are closed.

What was changed

Documentation and architecture

Updated or created:

• docs/mobile/MOBILE-ARCHITECTURE.md
• docs/mobile/MOBILE-IMPL-SPEC-PHASE1.md
• docs/mobile/MOBILE-PRD.md
• docs/mobile/README.md
• docs/INDEX.md
• /Users/makinja/system/specs/bilko-tech-stack.md
• docs/architecture/ADR-037-BILKO-MOBILE-NATIVE-ENTRA-AUTH.md
• docs/backend/MOBILE-ENTRA-AUTH-BRIDGE-SPEC.md

Key doc decisions:

• Native iOS/Android app is the target, not PWA.
• React Native + Expo is the chosen native cross-platform path.
• Entra External ID + OIDC Authorization Code + PKCE is the target mobile/customer login model.
• Phase 1 uses existing /api/v1/* endpoints; a dedicated /mobile/* BFF is deferred.
• Mobile refresh must not depend on browser cookies.
• Email claims from Entra are not trusted for login mapping.

Backend/auth implementation

Added or changed:

• apps/api/src/main/kotlin/no/alai/bilko/auth/EntraExternalIdService.kt
  • Verifies Microsoft Entra External ID JWTs.
  • Fails closed if issuer/audience/JWKS config is missing.
  • Enforces RS256 and kid.
  • Verifies configured issuer and audience.
  • Extracts verified subject from sub, with oid fallback.
• apps/api/src/main/resources/db/migration/V64__entra_external_identities.sql
  • Adds entra_external_identities mapping table.
  • Maps verified issuer + subject to existing Bilko user.
  • Adds SECURITY DEFINER functions with fixed SET search_path = public, pg_temp:
    • bilko_auth.find_user_by_entra_identity(text, text)
    • bilko_auth.mark_entra_login(text, text)
• apps/api/src/main/kotlin/no/alai/bilko/db/AuthUserRepository.kt
  • Adds findByEntraIdentity(issuer, subject).
  • Adds markEntraLogin(issuer, subject).
• apps/api/src/main/kotlin/no/alai/bilko/auth/AuthService.kt
  • Adds createSessionFromEntraIdToken(idToken).
  • Maps verified Entra identity to active Bilko user/org/role.
  • Issues existing Bilko access + refresh tokens.
• apps/api/src/main/kotlin/no/alai/bilko/plugins/DI.kt
  • Wires EntraExternalIdService into AuthService.
• apps/api/src/main/kotlin/no/alai/bilko/routes/AuthRoutes.kt
  • Adds POST /api/v1/auth/entra/session.
  • Adds POST /api/v1/auth/mobile/refresh.
  • Preserves existing web cookie refresh endpoint POST /api/v1/auth/refresh.
  • Hardened bad-body handling by removing printStackTrace() and detailed parser error echo from register bad-body response.

Tests added or extended

• apps/api/src/test/kotlin/no/alai/bilko/auth/EntraExternalIdServiceTest.kt
  • valid token
  • wrong audience
  • wrong issuer
  • expired token
  • HS256 rejection
  • missing sub/oid
  • missing config fail-closed
• apps/api/src/test/kotlin/no/alai/bilko/db/AuthUserRepositoryTest.kt
  • Flyway migration execution on disposable PostgreSQL/Testcontainers DB, including V64.
  • mapped Entra identity returns user
  • unmapped identity returns null
  • inactive mapped user returns null
  • soft-deleted mapped user returns null
  • org/role/status assertions
  • markEntraLogin() metadata update
• apps/api/src/test/kotlin/no/alai/bilko/auth/AuthServiceTest.kt
  • refresh-token rotation/reuse rejection test
• apps/api/src/test/kotlin/no/alai/bilko/routes/AuthRoutesHttpIntegrationTest.kt
  • /auth/entra/session missing idToken returns 400
  • /auth/entra/session missing Entra config returns 503 CONFIGURATION_ERROR
  • /auth/mobile/refresh missing refreshToken returns 400
  • /auth/mobile/refresh with structurally valid but stale/non-DB refresh JTI returns 401
  • web cookie refresh/logout stale-token regression remains covered

Validation evidence

Evidence files:

• /Users/makinja/system/evidence/bilko-mobile-doc-review-20260604.md
• /Users/makinja/system/evidence/bilko-mobile-auth-local-security-audit-20260604.md
• /Users/makinja/system/evidence/securion-review-check-102962-20260605.md

Commands recorded as green in evidence:

• ./gradlew compileKotlin --no-daemon → BUILD SUCCESSFUL
• ./gradlew compileKotlin compileTestKotlin --no-daemon → BUILD SUCCESSFUL
• ./gradlew test --tests no.alai.bilko.auth.EntraExternalIdServiceTest --no-daemon → BUILD SUCCESSFUL
• ./gradlew integrationTest --tests no.alai.bilko.db.AuthUserRepositoryTest --no-daemon → BUILD SUCCESSFUL
• ./gradlew integrationTest --tests no.alai.bilko.auth.AuthServiceTest --no-daemon → BUILD SUCCESSFUL
• ./gradlew integrationTest --tests no.alai.bilko.routes.AuthRoutesHttpIntegrationTest --no-daemon → BUILD SUCCESSFUL
• Combined targeted run:
  • ./gradlew compileKotlin compileTestKotlin test --tests no.alai.bilko.auth.EntraExternalIdServiceTest integrationTest --tests no.alai.bilko.db.AuthUserRepositoryTest --tests no.alai.bilko.auth.AuthServiceTest --tests no.alai.bilko.routes.AuthRoutesHttpIntegrationTest --no-daemon → BUILD SUCCESSFUL

Where we stand

Done locally

• Mobile architecture direction cleaned up and made native-first.
• Entra External ID bridge implemented.
• Mobile-safe body refresh endpoint implemented.
• V64 migration implemented and executed via Testcontainers/Flyway integration test.
• Targeted local tests passed.
• Local security audit completed with no critical/high local findings; one route error-handling hygiene issue was fixed.

Still blocked

• No independent Securion/QA domain PASS has been received.
• MC #102962 was checked and is still open in /Users/makinja/system/evidence/securion-review-check-102962-20260605.md.
• Real Entra staging trigger substitutions are provisioned/verified, but the current Azure tenant is AAD (alemalai.onmicrosoft.com), not a separate CIAM customer tenant. Customer-facing CIAM tenant policy/MFA/passwordless configuration remains a later production gate.
• No live environment/browser/mobile-device verification has been performed for this auth bridge.

Decision

Do not dispatch mobile app build yet.

Next concrete step is to stop waiting for passive task pickup and run/obtain a real independent security/QA review, then provision/test real Entra External ID config. After those pass, dispatch the native React Native + Expo mobile build.

Stage deploy — substitution wiring (MC #102996, 2026-06-05)

infrastructure/gcp/cloudbuild-stage.yaml is now substitution-ready for Entra External ID metadata:

• Three substitutions added to the substitutions: block: _ENTRA_EXTERNAL_ID_ISSUER, _ENTRA_EXTERNAL_ID_AUDIENCE, _ENTRA_EXTERNAL_ID_JWKS_URL, all defaulting to __UNSET__.
• A conditional block in the deploy-api-no-traffic step builds ENTRA_ENV_VARS. If all three substitutions are non-__UNSET__ and non-empty, they are appended to --set-env-vars as ;ENTRA_EXTERNAL_ID_ISSUER=...;ENTRA_EXTERNAL_ID_AUDIENCE=...;ENTRA_EXTERNAL_ID_JWKS_URL=.... Otherwise ENTRA_ENV_VARS="" — the env-vars string is unchanged and current stage behaviour is preserved exactly.
• Values are provisioned in the bilko-stage-auto-deploy trigger as of 2026-06-05:
  • _ENTRA_EXTERNAL_ID_ISSUER=https://login.microsoftonline.com/3454a03f-20b4-4bda-a116-2293c459aecd/v2.0
  • _ENTRA_EXTERNAL_ID_AUDIENCE=95b2a55f-8f48-4c9c-b4f8-eb455e3bdfd7
  • _ENTRA_EXTERNAL_ID_JWKS_URL=https://login.microsoftonline.com/3454a03f-20b4-4bda-a116-2293c459aecd/discovery/v2.0/keys
• No stage smoke has been run against Entra yet. Stage will only receive these env vars after the committed Cloud Build wiring is pushed/merged and the trigger deploys a new API revision.

Immediate next actions

1. Force active review path for MC #102962 or run a direct independent Securion/QA validation with evidence.
2. Push/merge the clean Phase 0 branch through the gated path.
3. Trigger a stage build and confirm MC#102996: Entra metadata present log line appears and the three vars are visible in the Cloud Run revision env.
4. Run /api/v1/auth/entra/session against a real Entra test tenant token.
5. Run /api/v1/auth/mobile/refresh with real issued mobile refresh token.
6. Close Securion MC #102989 with passing evidence.
7. Only after PASS evidence, dispatch native mobile implementation.