# ory-network
Use API/Native Flow for both Web App and Native App: As we are using Flutter for our mobile and web apps it would be double the effort to implement both the native and the web app flow! Couldn’t we just use the `createNativeLoginFlow` for all platforms?
Disclaimer: I’m aware of the potential security implications like CSRF and XSS.
CSRF: We should not / would not store the `session_token` returned from the `updateLoginFlow` method in the cookies but in the `localStorage`/`indexedDB`, which would not be automatically attached to all requests to our API and would require JavaScript executed on OUR domain to access the session token, which theoretically could be exploited using cross-site scripting.
XSS: By default any user input would be handled by the Flutter framework which (when not doing any custom interaction with HTML/JS yourself) is escaped and protected by default.
Is the above evaluation of the security implications (especially regarding the CSRF) correct? Firebase Auth, for example, also does not store their refresh and ID tokens in the cookies and thus also does not have any CSRF protections, which makes the interaction with their APIs quite easy as only a single type of token is ever created and has to be handled across all platforms. Thanks for any tips and tricks 🙂
Given that Ory supports OIDC using the native flow? Hopefully soon? 🤔 https://github.com/ory/kratos/issues/707
The browser flows issue cookies, whereas the native flows give you a token that you need to store and protect yourself. We believe that cookies are the best option for 90%+ of browser-based use cases, but you can use the native flows if you prefer.
We use Ory in a React Native mobile and web app. We abstracted the Ory flows by using an interface with two implementations, one for native and one for web. It is a little extra effort, but works fine for us.