# Native application client This section is part of OAuth 2.0 / OpenID Connect (OIDC) integration.\ Currently, the Quick Start guide and technical support for this client type are optimized for the **Swift (iOS)** framework. ### Why am i here? If this is your first time integrating with Oten Identity, start with: * **Creating an** [**integration app**](/identity-support/integration/integration-document.md) * **Creating a regular web application client** * **Using quick start to integrate authentication into your Swift native application** **What is a Native Application?** In the context of Oten Identity, a native application is an application installed directly on a user’s device, such as a mobile or desktop app. Examples include: * iOS and Android mobile applications * Desktop applications running on user devices Native applications cannot securely store client secrets, so they use authentication flows designed specifically for installed apps. Choose a native application if your app: * Runs on a user’s device (mobile or desktop) * Does not have a secure backend for storing secrets * Uses system browsers or embedded web views for login #### Key characteristics include: * Authentication is handled using OAuth 2.0 / OpenID Connect * Uses redirect-based authentication with custom schemes or loopback URLs * Integrates with Oten Identity using the authorization code flow with PKCE * Does not use a client secret * Client configuration is managed through the Oten Developer Portal **Prerequisites** Before you begin, ensure that you have: * An active **Oten Developer account** * An **Integration App** already created * A **Native Application client** selected * **Xcode 14.0 or later** * An **Apple Developer account** (for device testing) * Basic understanding of: * OAuth 2.0 * OpenID Connect * iOS app development with Swift ### I already understand. How do I process step by step? #### Step 1: Open create client 1. Sign in to the [**Oten Developer portal**](https://developer.oten.live/) 2. Navigate to: **App management** → **Integration app** → **App detail** 3. Select **Create app**

You are now on the **Create client** screen. #### Step 2: Select client type Select **Native application** as the client type.

This client type is designed for mobile and desktop applications. #### Step 3: Review client characteristics Confirm that the Native Application client: * Is intended for mobile or desktop platforms * Uses redirect URIs for authentication * Does not require a client secret #### Step 4: Configure redirect URIs Under **Configure client URIs**, add your redirect URIs. Examples: * Custom scheme URI for iOS * Local development callback URI Only URIs listed here will be accepted during authentication. `https://your-app.com/callback, http://localhost:3000/callback`\

#### Step 5: Create client Click **Create client** to generate the Native Application client.

You will be redirected to the **Client detail** page. #### Step 6: Integrate application **6.1 Quick start** **6.1.1 Select your technology** In the **Quick Start** tab, select **Swift** as your technology to receive tailored code samples.

**6.1.2 Review prerequisites** Before you begin, ensure that you have the following: * **Xcode 14.0 or later**\ Required to build and run the iOS application. * **An Apple Developer account**\ Needed for running the app on a physical device and managing signing capabilities. * **An Oten Identity account**\ An Integration App and Native Application client must be created in the Oten Developer Portal (see Step 2). **iOS Version compatibility** This Quick Start supports: * **iOS 16.0 or later** * **Swift 5.7 or later** \ **6.1.3 Create a new iOS project**

Create a new iOS project in Xcode: * File → New → Project * Select **App** under iOS * Choose **Swift** as the language * Select **SwiftUI** or **Storyboard** as the interface * Select **Swift** for Language * Click **Next** and choose location **6.1.4 Configure Oten IDP application** Create and configure a Native application client in the Oten Developer portal.

1. Go to the **Oten Developer portal** 2. Click **Start integration → Create app** 3. Select **Native application**, then click **Create client** 4. Open the **Client details** page 5. Navigate to the **Configure** tab 6. Copy the **Client ID** from the Client Credentials section (used in Step 4) **Redirect URI (custom URL scheme)** Configure a custom URL scheme for iOS redirect handling: `yourapp://auth` The redirect URI must exactly match: * The value configured in the Oten Developer Portal * The URL scheme registered in the Xcode project * The redirect URI used in `OtenAuthService` **6.1.5 Add Oten authservice** Create a new Swift file named `OtenAuthService.swift`. This service implements OAuth 2.0 Authorization Code Flow with PKCE using `ASWebAuthenticationSession`.

Responsibilities include: * Generating PKCE code verifier and challenge * Creating authorization requests * Handling redirect callbacks * Exchanging authorization codes for tokens * Managing authentication state **Security notes** * **PKCE (Proof Key for Code Exchange)** is used to prevent authorization code interception * A random **state parameter** is generated for each login attempt to mitigate CSRF attacks * The callback validates that the returned state matches the original value \ **6.1.6 Configure app on launch** Update the application entry point to initialize `OtenAuthService` when the app launches. This step configures the OAuth endpoints and binds the application to the Oten client created in the Developer Portal.

Provide the following values: * **Client ID**\ The Client ID obtained from the Client Credentials section in the Oten Developer Portal. * **Redirect URI**\ The custom URL scheme configured earlier (for example: `yourapp://auth`). * **Authorize URL**\ Oten authorization endpoint used to start the login flow. * **Token URL**\ Oten token endpoint used to exchange the authorization code. This configuration must be completed before any authentication action is triggered.
**6.1.7 Create login UI** Create the main user interface that allows users to authenticate using Oten.

This step defines a basic login experience that includes: * A **Login with Oten** action that initiates the OAuth flow * Handling authentication state * Displaying authenticated user information after successful login * Providing a logout option The example implementation supports both: * **SwiftUI** (`ContentView.swift`) * **UIKit** (`ViewController.swift`) Choose the UI framework that matches your project setup. **6.1.8 Run your app**\

Build and run the application using Xcode. 1. Open the project in **Xcode** 2. Select an **iOS Simulator** or a **physical device** 3. Press **⌘R (Command + R)** to run the app **Sign In** 1. Tap **Login with Oten** 2. You will be redirected to the [**Oten login page**](https://account.oten.com/) 3. Complete authentication 4. After a successful login, you will be redirected back to the app and see your user information **Note**: If the app does not return after login, verify that the Redirect URI is configured correctly in both the Oten Developer Portal and the Xcode project. #### Step 7: Completion & next actions Once authentication is working: * Test on real devices * Review security settings * Prepare for production deployment

#### Step 8: Additional configuration (optional) **8.1 Client credentials** The **Client credentials** section provides the information required to configure the SDK.

* **Client ID**\ A public identifier for your application. Use this value when initializing the Oten SDK in your app. * **Client ssecret**\ A confidential value used for server-side authentication. **Important** * Keep the Client Secret private * Do not expose it in mobile apps, frontend code, or public repositories * Only use the Client Secret in secure backend environments For **native iOS applications**, authentication is handled using **OAuth 2.0 with PKCE**, and the **client Secret is not required**. **8.2 Configure client URIs** This section defines the application URLs used during authentication flows.

**Redirect URIs**\ List of allowed callback URLs where users are redirected after a successful login.\ Enter one or more URLs, separated by commas or new lines. **Allow origins (CORS)**\ List of origins allowed to make cross-origin (CORS) requests to Oten Authentication APIs.\ This is typically required for browser-based applications. **Note**: * Redirect URIs and Allowed Origins must exactly match your application URLs. * Requests from unlisted or invalid URLs will be rejected. **8.3 OpenID connect** This section provides OpenID Connect–related configuration for the client.

**Back-channel logout URI**\ Server endpoint that receives logout notifications from Oten Identity.\ When a logout event occurs, Oten calls this endpoint to invalidate user sessions without using browser redirects. **This setting is optional and is typically used for:** * Server-managed session invalidation * Single Logout (SLO) across multiple applications If your application does not require back-channel logout, this field can be left empty. **Additional OpenID** **onnect** settings are optional and intended for advanced integration scenarios.

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://oten.gitbook.io/identity-support/integration/integration-document/idp-integration/native-application-client.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.