# talk-kratos
s
Our app is a desktop app (Electron) and we want to implement email/pwd + Social sign-in flows. Our Kratos instance is self-hosted in our public cloud provider. I’m wondering if we should use Browser flows or API Flows for our use case? The Kratos documentation states that Browser Flows for Client-Side Apps should be hosted on the same domain as our Kratos instance. I don’t think this is going to be feasible, since our Kratos instance (e.g. kratos.ourdomain.com) does not share the same domain as the app (which is a desktop app). Also, the docs say that API Flows should not interact with the browser for security reasons. I’m assuming that Social sign-in will happen through. Given this assumption, I’m thinking that implementing API Flows in our Electron app is going to create a security issue. (I eliminated Browser Flows for Server-Side Apps because it does not seem to apply to our desktop app use case.) As an example, I tried to log in with Google on my Spotify app on my Mac, and the social login happens in the browser. This worked well, and I’m wondering which flows of Kratos I should use to replicate this user experience. Thanks a lot for your help in advance 🙏
s
Thanks for the suggestion, I think this is closer to what I want though https://www.ory.sh/login-react-native-authentication-example-api/
Do you have any example of integrating Kratos with Electron apps?
f
No, sorry... I'm working mainly with non-SPA web and mobile apps that have a backend server. But for Electron I thought looking for PKCE would be a good starting point.
s
However, I have found this part of the Kratos docs saying that API-Based flows are appropriate for Electron apps. Is that the case? I just want to make sure that before going down the API Based Flows + Electron road, I’m not exposing myself to permanent security flaws