Authentication flow without WebView/Redirect in the native app.
Hi, I was looking through the docs, and failed to find any information. Is it possible to implement a login/registration screen in the native apps without browser redirect or webview in a B2C scenario? When the user is not coming from another source like a Google/Facebook account but is directly registered with ZITADEL?
7 Replies
Hi @MarkNefedov, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.
Answer
I wasn't able to find a direct answer, here are some relevant sources:
1. Authenticate users with OpenID Connect (1) :
This covers the standard OIDC flows for native applications using PKCE, which typically require browser-based authentication flows.
2. Available authentication flows? (2) :
A community discussion confirming that ZITADEL is designed for OIDC/OAuth2 flows rather than custom authentication implementations.
To learn more, see the sources I considered:
[1] Authenticate users with OpenID Connect
[2] Available authentication flows?
Feel free to tag @Ask Inkeep with additional questions.
Got it. Tagging @Rajat for additional help.
Have looked at it a bit more, it looks like the Session API is what I need? Do I understand correctly that I'll need to front the Zitadel Session API with my backend, that will forward authentication/registration requests, and as CAPTCHA is not yet present I'll also be able to add it there?
hey @MarkNefedov
Yes, Session API v2 is exactly what you need for a browser-free, web-view-free native login / registration screen. Your backend sits in front of the Session API (ZITADEL never sees the raw password from the device).
Device posts username + password → your backend forwards it to POST /v2/sessions and returns the session token to the device.
Also, because you own the backend you can put CAPTCHA before you hit ZITADEL.
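The flow @Rajat describes, as an added example that is not part of the thread and not ZITADEL's own code: a small backend that fronts the Session API v2, gates the request on a CAPTCHA check before anything is sent to ZITADEL, forwards the login name + password to `POST /v2/sessions`, and hands only the session token back to the device. The request and response field names (`checks.user.loginName`, `checks.password.password`, `sessionId`, `sessionToken`) and the `lifetime` field are assumed from the ZITADEL v2 Session API; the base URL, service-user token, `FakeZitadel` stand-in and all user data are constructed placeholders so the code runs offline.

```python
"""Backend fronting ZITADEL Session API v2 (added example, not ZITADEL code)."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Tuple

ZITADEL_BASE_URL = "https://zitadel.example.invalid"  # placeholder, assumed
SERVICE_USER_TOKEN = "<service-user-token-placeholder>"  # placeholder, assumed

# A transport takes (method, url, headers, json_body) and returns
# (status_code, json_response). In production wrap requests/httpx here.
Transport = Callable[[str, str, Dict[str, str], Dict[str, Any]],
                     Tuple[int, Dict[str, Any]]]


class ZitadelError(Exception):
    """Raised when ZITADEL rejects the session request."""


def build_session_request(login_name: str, password: str) -> Dict[str, Any]:
    """JSON body for POST /v2/sessions with a user check and a password check
    (field names assumed from the v2 Session API)."""
    return {
        "checks": {
            "user": {"loginName": login_name},
            "password": {"password": password},
        },
        "lifetime": "3600s",
    }


def create_session(transport: Transport, login_name: str, password: str) -> Dict[str, Any]:
    """Forward the credential check to ZITADEL and return its session response."""
    headers = {
        "Authorization": f"Bearer {SERVICE_USER_TOKEN}",
        "Content-Type": "application/json",
    }
    status, body = transport("POST", f"{ZITADEL_BASE_URL}/v2/sessions", headers,
                             build_session_request(login_name, password))
    if not 200 <= status < 300:
        raise ZitadelError(f"session creation failed with status {status}")
    return body


def handle_login(payload: Dict[str, Any], captcha_ok: Callable[[str], bool],
                 transport: Transport) -> Tuple[int, Dict[str, Any]]:
    """Handler for the native app's login request.

    Order matters: validate input, then CAPTCHA, and only then talk to
    ZITADEL, so bots never cause a password check on the ZITADEL side.
    """
    login_name = payload.get("loginName", "")
    password = payload.get("password", "")
    captcha_token = payload.get("captchaToken", "")
    if not login_name or not password:
        return 400, {"error": "loginName and password are required"}
    if not captcha_ok(captcha_token):
        return 403, {"error": "captcha verification failed"}
    try:
        session = create_session(transport, login_name, password)
    except ZitadelError:
        # One generic message: don't tell the device which part was wrong.
        return 401, {"error": "authentication failed"}
    # Only the session id/token go back to the device; the password is not
    # echoed, and note that a session token is not an OIDC access token.
    return 200, {"sessionId": session["sessionId"],
                 "sessionToken": session["sessionToken"]}


@dataclass
class FakeZitadel:
    """Constructed offline stand-in for the ZITADEL /v2/sessions endpoint."""
    users: Dict[str, str]                    # loginName -> password (constructed)
    calls: List[Dict[str, Any]] = field(default_factory=list)

    def __call__(self, method: str, url: str, headers: Dict[str, str],
                 body: Dict[str, Any]) -> Tuple[int, Dict[str, Any]]:
        self.calls.append({"method": method, "url": url, "body": body})
        if not headers.get("Authorization", "").startswith("Bearer "):
            return 401, {"message": "missing service user token (constructed)"}
        checks = body.get("checks", {})
        login = checks.get("user", {}).get("loginName")
        pw = checks.get("password", {}).get("password")
        if login not in self.users or self.users[login] != pw:
            return 400, {"message": "invalid credentials (constructed)"}
        return 200, {"sessionId": "sess-0001", "sessionToken": "tok-0001"}


if __name__ == "__main__":
    fake = FakeZitadel(users={"alice@example.com": "correct-horse"})
    ok = lambda token: token == "captcha-ok"  # stand-in CAPTCHA verifier
    print(handle_login({"loginName": "alice@example.com", "password": "correct-horse",
                        "captchaToken": "captcha-ok"}, ok, fake))
    print(handle_login({"loginName": "alice@example.com", "password": "correct-horse",
                        "captchaToken": "bad"}, ok, fake), "calls:", len(fake.calls))
```

The `FakeZitadel` object is only there so the flow can be exercised without a ZITADEL instance; swap it for a real HTTP call with the same `(method, url, headers, body)` signature and the handler is unchanged. The CAPTCHA verifier is likewise a stand-in for whatever provider you front the endpoint with.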
@Rajat if you do it like you just proposed you will get a session token, but how do you get an access/refresh token this way? How do scopes fit into the Session API?
Thanks for the response. So scopes are only attached to access/refresh tokens, and not sessions?
hey @SebastianB good morning!
yes, this is v2 sessions api and these are scopes
they both are unrelated