Yes, there is a supported and recommended way to use Ory Kratos’s OIDC provider logic in your native scenario—without building a custom backend to verify the Google ID token and manage users via the admin API. Kratos supports direct submission of the Google ID token from your native app to its self-service registration or login flows. This means you do not need to build a custom backend for token verification or user management. Here’s how it works: 1. Configure Google as an OIDC provider in Kratos using the same

client_id

as your native app. If your Android app uses different audiences (e.g., debug/release), you can specify them in the

additional_id_token_audiences

field in the Kratos provider config. This ensures Kratos will accept ID tokens issued for your app’s audience, not just the web client ID [see official guidance](https://www.ory.sh/docs/kratos/social-signin/google#using-the-google-sdk-on-native-apps) and [discussion](https://github.com/ory/kratos/discussions/4223). 2. Obtain the ID token on the device using the

google_sign_in

Flutter package. 3. Submit the ID token directly to Kratos as part of the self-service registration or login flow. You do this by calling the appropriate Kratos endpoint (e.g.,

updateRegistrationFlow

or

updateLoginFlow

) and passing the ID token (and optionally a nonce) in the payload. Kratos will then: - Validate the ID token using Google’s public keys. - Create or update the user identity as needed. - Issue a session if configured. Example (from the docs, using Flutter):

dart    var body = UpdateRegistrationFlowWithOidcMethod(      (b) => b        ..idToken = idToken        ..method = 'oidc'        ..provider = 'google',    );    ory.getFrontendApi().updateRegistrationFlow(      flow: flowId,      updateRegistrationFlowBody: UpdateRegistrationFlowBody(          (b) => b..oneOf = OneOf.fromValue1(value: body)),    );

[See full example and explanation](https://www.ory.sh/docs/kratos/social-signin/google#using-the-google-sdk-on-native-apps) 4. Account linking is supported: If you enable the

oidc

method in the settings flow, users can link or unlink their Google account to an existing Kratos identity (e.g., one created with email/password). This is handled by Kratos’s self-service settings flow, not by your backend. See [linking/unlinking documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-settings#link-and-unlink-from-google-facebook-github--openid-connect--oauth-20). Summary: You do not need a custom backend for this scenario. Kratos is designed to accept and validate ID tokens from native Google sign-in flows directly, as long as you configure the provider correctly. All identity logic and account linking can remain in Kratos, keeping it as your source of truth. If you need to support multiple Google client IDs (e.g., for web, iOS, Android), you can use the

additional_id_token_audiences

config option to allow Kratos to accept tokens for all your app variants, so you don’t need to define multiple providers for each platform [see discussion](https://github.com/ory/kratos/discussions/4223). References: - [Google SDK on native apps with Kratos](https://www.ory.sh/docs/kratos/social-signin/google#using-the-google-sdk-on-native-apps) - [OIDC provider configuration for multiple audiences](https://github.com/ory/kratos/discussions/4223) - [Account linking in Kratos](https://www.ory.sh/docs/kratos/self-service/flows/user-settings#link-and-unlink-from-google-facebook-github--openid-connect--oauth-20)