# talk-kratos

hundreds-train-83112

04/28/2022, 11:22 AM
Hi everybody!!! Let's see if you can help me with this setup... Here's the thing... I want to provide my users the ability to login, register, etc. using an Identity Provider (implemented via Kratos) when they access some webapps I maintain (with domains such as foo.xxx.com or bar.xxx.com) and also when they use native apps (also maintained by me) on their phones. AFAIK, Kratos must be running in the same top level domain as the clients trying to use it. So, if my Kratos is running at auth.xxx.com, all these webapps running under the xxx.com domain can use it without problems. The thing is... How can I make the users of native apps use my Kratos instance? Other restrictions I have in this environment are:
• I cannot use OAuth2 flows: therefore using Hydra as an OAuth2 provider that uses Kratos as Identity Provider is not a possibility.
• No possibility of popping up a browser; login/registration flows must occur within the app.
I guess that I can use the API flow in these native apps for iOS, Android, etc., but this warning is preventing me from using it:
Never use API flows to implement Browser applications! Using API flows in Single-Page-Apps as well as server-side apps opens up several potential attack vectors, including Login and other CSRF attacks.

damp-sunset-69236

04/28/2022, 11:33 AM
Hello @User. Yep, the API flow is what you need to solve your issue.
We have this warning to prevent users from using API flows to implement login/registration flows for browsers only. But in your case that's the only option.
To make it easier to understand: cookies -> browsers, tokens -> native mobile apps. Better not to mix it, like tokens -> browsers and native mobile apps.

hundreds-train-83112

04/28/2022, 11:35 AM
Thanks so much for the information @User.
Are there any security concerns with using tokens vs cookies?

damp-sunset-69236

04/28/2022, 11:37 AM
This article explains almost everything you need to know about it.

hundreds-train-83112

04/28/2022, 11:37 AM
Thanks!!

damp-sunset-69236

04/28/2022, 11:39 AM
BTW, the Ory CLI is an example of how to use API flows. For your case I think that you need to use browser flows for the browser (self-service-ui-node is a great example of how to use them). For mobile apps you need to use API flows, and the Ory CLI can be used as a reference.

hundreds-train-83112

04/28/2022, 11:39 AM
Awesome, I've already tried the self-service UI and it works smoothly.
I'll give the Ory CLI a try now.

damp-sunset-69236

04/28/2022, 11:40 AM
FYI: the Ory CLI is a tool that manages Ory Cloud instances 🙂
We don't have examples for native mobile apps yet, unfortunately.