LC Labs (6h ago)

Flutter - auth without WebView?

Can I build in-app authentication screens in Flutter rather than opening web-based login pages?
3 Replies
Ask Inkeep (6h ago)

Hi @LC Labs, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Answer

I wasn't able to find a direct answer, here are some relevant sources:

1. Custom Login UI [1]: This discussion clarifies that ZITADEL's new session API requires a service user token and a confidential environment to create or update sessions, meaning a backend is required for custom login implementations.
2. ZITADEL with Flutter [2]: The Flutter documentation explains that the RFC 8252 specification does not allow third-party apps to use an embedded web view for the login process - the app must open the login page within the default browser.

To learn more, see the sources I considered:
[1] Custom Login UI
[2] ZITADEL with Flutter

Feel free to tag @Ask Inkeep with additional questions.
ianmuhia (5h ago)

@Ask Inkeep I have the same issue too. Can I use the session token to validate the user just like how I would use the JWT token if using OIDC?
Ask Inkeep (5h ago)

Thanks for the follow-up, @ianmuhia. I'll get back to you soon.

Answer

No, you cannot use session tokens the same way as JWT tokens for user validation. Session tokens from ZITADEL's Session API are opaque tokens that don't contain user information and cannot be introspected like JWT tokens [1] [2] [3] [4]. The session token is only meant for session state management and is supposed to be exchanged to an OIDC access and ID token [5]. Currently, there is no way to exchange a session token for a JWT token - this functionality is tracked in an open GitHub issue [1] [3].

If you're building a custom login UI and need JWT tokens for user validation, you'll need to implement the OIDC flow. You can finalize the auth request with your session token and get a callback URL that contains the authorization code, which can then be exchanged for JWT tokens through the standard OAuth token endpoint [6].

For backend validation, you would need to either:
1. Use the session token to query ZITADEL's Session API for user information on each request
2. Implement the full OIDC flow to obtain JWT tokens that can be introspected

To learn more, see the sources I considered:
[1] How to exchange session token (session api) for a JWT?
[2] Can I use JWT as Session Token?
[3] Trade session token for JWT
[4] How to use the session token to obtain user info? (custom login ui)
[5] Issue JWT or Bearer token for specific user programmatically with management API
[6] Support for the OpenID Connect (OIDC) Standard in a Custom Login UI

Feel free to tag @Ask Inkeep with additional questions.
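The flow the answer above describes (a backend finalizes the auth request with the opaque session token, then the native app exchanges the resulting authorization code at the token endpoint with PKCE), as an added Python example that is not from this thread or from ZITADEL. It assumes a backend-hosted custom login page that the Flutter app opens in the system browser per RFC 8252; `post` is an injected HTTP callable so the example runs offline, and the endpoint paths, the `authRequest` parameter and the placeholder domain are assumptions to be checked against the docs for your instance.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

ZITADEL = "https://zitadel.example.com"  # placeholder instance domain (assumption)


def pkce_pair():
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def auth_request_id_from_login_redirect(url):
    """Custom login UI side: ZITADEL passes an `authRequest` query parameter (assumed name)."""
    ids = parse_qs(urlparse(url).query).get("authRequest", [])
    if len(ids) != 1 or not ids[0].startswith("V2_"):
        raise ValueError("missing or malformed authRequest id")
    return ids[0]


def finalize_auth_request(post, service_user_pat, auth_request_id, session_id, session_token):
    """Backend only: the service-user PAT and the opaque session token never reach the device.
    Returns the callbackUrl the user agent must be redirected to (assumed response field)."""
    resp = post(
        f"{ZITADEL}/v2/oidc/auth_requests/{auth_request_id}",
        {"Authorization": f"Bearer {service_user_pat}", "Content-Type": "application/json"},
        json.dumps({"session": {"sessionId": session_id, "sessionToken": session_token}}),
    )
    return resp["callbackUrl"]


def code_from_app_redirect(url, expected_state):
    """Device side: bind the redirect to the request we started (state) before trusting the code."""
    qs = parse_qs(urlparse(url).query)
    if qs.get("state") != [expected_state]:
        raise ValueError("state mismatch: redirect does not belong to our request")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    return qs["code"][0]


def exchange_code(post, code, redirect_uri, client_id, code_verifier):
    """Public client: no client secret; the PKCE verifier proves this app started the request."""
    form = urlencode({"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
                      "client_id": client_id, "code_verifier": code_verifier})
    return post(f"{ZITADEL}/oauth/v2/token", {"Content-Type": "application/x-www-form-urlencoded"}, form)
```

The tokens returned by `exchange_code` are the JWTs the thread asks about; validate the ID token's signature, issuer, audience and expiry before trusting any claim in it.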