Native application client

This page helps you determine if a native application is the right choice for the application you are integrating with Oten Identity and how to configure guiding.

Currently, the Quick Start guide and technical support for this client type are optimized for the Swift (iOS) framework.

Why am i here?

If this is your first time integrating with Oten Identity, start with:

  • Creating an integration app

  • Creating a regular web application client

  • Using quick start to integrate authentication into your Swift native application

What is a Native Application?

In the context of Oten Identity, a native application is an application installed directly on a user’s device, such as a mobile or desktop app.

Examples include:

  • iOS and Android mobile applications

  • Desktop applications running on user devices

Native applications cannot securely store client secrets, so they use authentication flows designed specifically for installed apps.

Choose a native application if your app:

  • Runs on a user’s device (mobile or desktop)

  • Does not have a secure backend for storing secrets

  • Uses system browsers or embedded web views for login

Key characteristics include:

  • Authentication is handled using OAuth 2.0 / OpenID Connect

  • Uses redirect-based authentication with custom schemes or loopback URLs

  • Integrates with Oten Identity using the authorization code flow with PKCE

  • Does not use a client secret

  • Client configuration is managed through the Oten Developer Portal

Prerequisites

Before you begin, ensure that you have:

  • An active Oten Developer account

  • An Integration App already created

  • A Native Application client selected

  • Xcode 14.0 or later

  • An Apple Developer account (for device testing)

  • Basic understanding of:

    • OAuth 2.0

    • OpenID Connect

    • iOS app development with Swift

I already understand. How do I process step by step?

Step 1: Open create client

  1. Sign in to the Oten Developer portal

  2. Navigate to: App management Integration app App detail

  3. Select Create app

You are now on the Create client screen.

Step 2: Select client type

Select Native application as the client type.

This client type is designed for mobile and desktop applications.

Step 3: Review client characteristics

Confirm that the Native Application client:

  • Is intended for mobile or desktop platforms

  • Uses redirect URIs for authentication

  • Does not require a client secret

Step 4: Configure redirect URIs

Under Configure client URIs, add your redirect URIs.

Examples:

  • Custom scheme URI for iOS

  • Local development callback URI

Only URIs listed here will be accepted during authentication.

https://your-app.com/callback, http://localhost:3000/callback

Step 5: Create client

Click Create client to generate the Native Application client.

You will be redirected to the Client detail page.

Step 6: Integrate application

6.1 Quick start

6.1.1 Select your technology

In the Quick Start tab, select Swift as your technology to receive tailored code samples.

6.1.2 Review prerequisites

Before you begin, ensure that you have the following:

  • Xcode 14.0 or later Required to build and run the iOS application.

  • An Apple Developer account Needed for running the app on a physical device and managing signing capabilities.

  • An Oten Identity account An Integration App and Native Application client must be created in the Oten Developer Portal (see Step 2).

iOS Version compatibility

This Quick Start supports:

  • iOS 16.0 or later

  • Swift 5.7 or later

6.1.3 Create a new iOS project

Create a new iOS project in Xcode:

  • File → New → Project

  • Select App under iOS

  • Choose Swift as the language

  • Select SwiftUI or Storyboard as the interface

  • Select Swift for Language

  • Click Next and choose location

6.1.4 Configure Oten IDP application

Create and configure a Native application client in the Oten Developer portal.

  1. Go to the Oten Developer portal

  2. Click Start integration → Create app

  3. Select Native application, then click Create client

  4. Open the Client details page

  5. Navigate to the Configure tab

  6. Copy the Client ID from the Client Credentials section (used in Step 4)

Redirect URI (custom URL scheme)

Configure a custom URL scheme for iOS redirect handling: yourapp://auth

The redirect URI must exactly match:

  • The value configured in the Oten Developer Portal

  • The URL scheme registered in the Xcode project

  • The redirect URI used in OtenAuthService

6.1.5 Add Oten authservice

Create a new Swift file named OtenAuthService.swift.

This service implements OAuth 2.0 Authorization Code Flow with PKCE using ASWebAuthenticationSession.

Responsibilities include:

  • Generating PKCE code verifier and challenge

  • Creating authorization requests

  • Handling redirect callbacks

  • Exchanging authorization codes for tokens

  • Managing authentication state

Security notes

  • PKCE (Proof Key for Code Exchange) is used to prevent authorization code interception

  • A random state parameter is generated for each login attempt to mitigate CSRF attacks

  • The callback validates that the returned state matches the original value

6.1.6 Configure app on launch

Update the application entry point to initialize OtenAuthService when the app launches.

This step configures the OAuth endpoints and binds the application to the Oten client created in the Developer Portal.

Provide the following values:

  • Client ID The Client ID obtained from the Client Credentials section in the Oten Developer Portal.

  • Redirect URI The custom URL scheme configured earlier (for example: yourapp://auth).

  • Authorize URL Oten authorization endpoint used to start the login flow.

  • Token URL Oten token endpoint used to exchange the authorization code.

This configuration must be completed before any authentication action is triggered.

6.1.7 Create login UI

Create the main user interface that allows users to authenticate using Oten.

This step defines a basic login experience that includes:

  • A Login with Oten action that initiates the OAuth flow

  • Handling authentication state

  • Displaying authenticated user information after successful login

  • Providing a logout option

The example implementation supports both:

  • SwiftUI (ContentView.swift)

  • UIKit (ViewController.swift)

Choose the UI framework that matches your project setup.

6.1.8 Run your app

Build and run the application using Xcode.

  1. Open the project in Xcode

  2. Select an iOS Simulator or a physical device

  3. Press ⌘R (Command + R) to run the app

Sign In

  1. Tap Login with Oten

  2. You will be redirected to the Oten login page

  3. Complete authentication

  4. After a successful login, you will be redirected back to the app and see your user information

Note: If the app does not return after login, verify that the Redirect URI is configured correctly in both the Oten Developer Portal and the Xcode project.

Step 7: Completion & next actions

Once authentication is working:

  • Test on real devices

  • Review security settings

  • Prepare for production deployment

Step 8: Additional configuration (optional)

8.1 Client credentials

The Client credentials section provides the information required to configure the SDK.

  • Client ID A public identifier for your application. Use this value when initializing the Oten SDK in your app.

  • Client ssecret A confidential value used for server-side authentication.

Important

  • Keep the Client Secret private

  • Do not expose it in mobile apps, frontend code, or public repositories

  • Only use the Client Secret in secure backend environments

For native iOS applications, authentication is handled using OAuth 2.0 with PKCE, and the client Secret is not required.

8.2 Configure client URIs

This section defines the application URLs used during authentication flows.

Redirect URIs List of allowed callback URLs where users are redirected after a successful login. Enter one or more URLs, separated by commas or new lines.

Allow origins (CORS) List of origins allowed to make cross-origin (CORS) requests to Oten Authentication APIs. This is typically required for browser-based applications.

Note:

  • Redirect URIs and Allowed Origins must exactly match your application URLs.

  • Requests from unlisted or invalid URLs will be rejected.

8.3 OpenID connect

This section provides OpenID Connect–related configuration for the client.

Back-channel logout URI Server endpoint that receives logout notifications from Oten Identity. When a logout event occurs, Oten calls this endpoint to invalidate user sessions without using browser redirects.

This setting is optional and is typically used for:

  • Server-managed session invalidation

  • Single Logout (SLO) across multiple applications

If your application does not require back-channel logout, this field can be left empty.

Additional OpenID onnect settings are optional and intended for advanced integration scenarios.

PreviousRegular web application clientNextSingle page application client

Last updated