> For the complete documentation index, see [llms.txt](https://oten.gitbook.io/identity-support/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oten.gitbook.io/identity-support/integration/integration-document/idp-integration/native-application-client.md).

# Native application client

This section is part of OAuth 2.0 / OpenID Connect (OIDC) integration.\
Currently, the Quick Start guide and technical support for this client type are optimized for the **Swift (iOS)** framework.

### Why am i here? <a href="#i-am-new.-where-should-i-start" id="i-am-new.-where-should-i-start"></a>

If this is your first time integrating with Oten Identity, start with:

* **Creating an** [**integration app**](/identity-support/integration/integration-document.md)
* **Creating a regular web application client**
* **Using quick start to integrate authentication into your Swift native application**

**What is a Native Application?**

In the context of Oten Identity, a native application is an application installed directly on a user’s device, such as a mobile or desktop app.

Examples include:

* iOS and Android mobile applications
* Desktop applications running on user devices

Native applications cannot securely store client secrets, so they use authentication flows designed specifically for installed apps.

Choose a native application if your app:

* Runs on a user’s device (mobile or desktop)
* Does not have a secure backend for storing secrets
* Uses system browsers or embedded web views for login

#### Key characteristics include:

* Authentication is handled using OAuth 2.0 / OpenID Connect
* Uses redirect-based authentication with custom schemes or loopback URLs
* Integrates with Oten Identity using the authorization code flow with PKCE
* Does not use a client secret
* Client configuration is managed through the Oten Developer Portal

**Prerequisites**

Before you begin, ensure that you have:

* An active **Oten Developer account**
* An **Integration App** already created
* A **Native Application client** selected
* **Xcode 14.0 or later**
* An **Apple Developer account** (for device testing)
* Basic understanding of:
  * OAuth 2.0
  * OpenID Connect
  * iOS app development with Swift

### I already understand. How do I process step by step?

#### Step 1: Open create client

1. Sign in to the [**Oten Developer portal**](https://developer.oten.live/)
2. Navigate to: **App management** → **Integration app** → **App detail**
3. Select **Create app**<br>

   <figure><img src="/files/XC9US8U23ynzjw1Y71cW" alt=""><figcaption></figcaption></figure>

You are now on the **Create client** screen.

#### Step 2: Select client type <a href="#step-2-select-client-type" id="step-2-select-client-type"></a>

Select **Native application** as the client type.

<figure><img src="/files/AO9pZUfeyYUvbgc26pA0" alt=""><figcaption></figcaption></figure>

This client type is designed for mobile and desktop applications.

#### Step 3: Review client characteristics

Confirm that the Native Application client:

* Is intended for mobile or desktop platforms
* Uses redirect URIs for authentication
* Does not require a client secret

#### Step 4: Configure redirect URIs

Under **Configure client URIs**, add your redirect URIs.

Examples:

* Custom scheme URI for iOS
* Local development callback URI

Only URIs listed here will be accepted during authentication.

`https://your-app.com/callback, http://localhost:3000/callback`\ <br>

<figure><img src="/files/XTYc4g87bjLkqBabBBtH" alt=""><figcaption></figcaption></figure>

#### Step 5: Create client <a href="#step-5-create-the-client" id="step-5-create-the-client"></a>

Click **Create client** to generate the Native Application client.

<figure><img src="/files/Wefz196qRrFQ1jAyOlSX" alt=""><figcaption></figcaption></figure>

You will be redirected to the **Client detail** page.

#### Step 6: Integrate application <a href="#step-6-integrate-your-application" id="step-6-integrate-your-application"></a>

**6.1 Quick start**

**6.1.1 Select your technology**

In the **Quick Start** tab, select **Swift** as your technology to receive tailored code samples.

<figure><img src="/files/odZNCnGmTh0jmeu4IU4d" alt=""><figcaption></figcaption></figure>

**6.1.2 Review prerequisites**

Before you begin, ensure that you have the following:

* **Xcode 14.0 or later**\
  Required to build and run the iOS application.
* **An Apple Developer account**\
  Needed for running the app on a physical device and managing signing capabilities.
* **An Oten Identity account**\
  An Integration App and Native Application client must be created in the Oten Developer Portal (see Step 2).

**iOS Version compatibility**

This Quick Start supports:

* **iOS 16.0 or later**
* **Swift 5.7 or later**

\
**6.1.3 Create a new iOS project**

<figure><img src="/files/NTmn2P26Y0lt55JuDZd8" alt=""><figcaption></figcaption></figure>

Create a new iOS project in Xcode:

* File → New → Project
* Select **App** under iOS
* Choose **Swift** as the language
* Select **SwiftUI** or **Storyboard** as the interface
* Select **Swift** for Language
* Click **Next** and choose location

**6.1.4 Configure Oten IDP application**

Create and configure a Native application client in the Oten Developer portal.

<figure><img src="/files/iniIJuAHsTPYQNNyYHwC" alt=""><figcaption></figcaption></figure>

1. Go to the **Oten Developer portal**
2. Click **Start integration → Create app**
3. Select **Native application**, then click **Create client**
4. Open the **Client details** page
5. Navigate to the **Configure** tab
6. Copy the **Client ID** from the Client Credentials section (used in Step 4)

**Redirect URI (custom URL scheme)**

Configure a custom URL scheme for iOS redirect handling: `yourapp://auth`

The redirect URI must exactly match:

* The value configured in the Oten Developer Portal
* The URL scheme registered in the Xcode project
* The redirect URI used in `OtenAuthService`

**6.1.5 Add Oten authservice**

Create a new Swift file named `OtenAuthService.swift`.

This service implements OAuth 2.0 Authorization Code Flow with PKCE using `ASWebAuthenticationSession`.

<figure><img src="/files/GvuYgJgdgc64QQl0MOzy" alt=""><figcaption></figcaption></figure>

Responsibilities include:

* Generating PKCE code verifier and challenge
* Creating authorization requests
* Handling redirect callbacks
* Exchanging authorization codes for tokens
* Managing authentication state

**Security notes**

* **PKCE (Proof Key for Code Exchange)** is used to prevent authorization code interception
* A random **state parameter** is generated for each login attempt to mitigate CSRF attacks
* The callback validates that the returned state matches the original value

\
**6.1.6 Configure app on launch**

Update the application entry point to initialize `OtenAuthService` when the app launches.

This step configures the OAuth endpoints and binds the application to the Oten client created in the Developer Portal.

<figure><img src="/files/KlmYti3s8CtQbviFlrfY" alt=""><figcaption></figcaption></figure>

Provide the following values:

* **Client ID**\
  The Client ID obtained from the Client Credentials section in the Oten Developer Portal.
* **Redirect URI**\
  The custom URL scheme configured earlier (for example: `yourapp://auth`).
* **Authorize URL**\
  Oten authorization endpoint used to start the login flow.
* **Token URL**\
  Oten token endpoint used to exchange the authorization code.

This configuration must be completed before any authentication action is triggered.<br>

**6.1.7 Create login UI**

Create the main user interface that allows users to authenticate using Oten.

<figure><img src="/files/rnSfHCpT35QGsaBwIK1D" alt=""><figcaption></figcaption></figure>

This step defines a basic login experience that includes:

* A **Login with Oten** action that initiates the OAuth flow
* Handling authentication state
* Displaying authenticated user information after successful login
* Providing a logout option

The example implementation supports both:

* **SwiftUI** (`ContentView.swift`)
* **UIKit** (`ViewController.swift`)

Choose the UI framework that matches your project setup.

**6.1.8 Run your app**\ <br>

<figure><img src="/files/A2fHGLDin50tyi0LUsy5" alt=""><figcaption></figcaption></figure>

Build and run the application using Xcode.

1. Open the project in **Xcode**
2. Select an **iOS Simulator** or a **physical device**
3. Press **⌘R (Command + R)** to run the app

**Sign In**

1. Tap **Login with Oten**
2. You will be redirected to the [**Oten login page**](https://account.oten.com/)
3. Complete authentication
4. After a successful login, you will be redirected back to the app and see your user information

**Note**: If the app does not return after login, verify that the Redirect URI is configured correctly in both the Oten Developer Portal and the Xcode project.

#### Step 7: Completion & next actions

Once authentication is working:

* Test on real devices
* Review security settings
* Prepare for production deployment

<figure><img src="/files/9EMoS6ZD7OdsLgj1b45c" alt=""><figcaption></figcaption></figure>

#### Step 8: Additional configuration (optional)

**8.1 Client credentials**

The **Client credentials** section provides the information required to configure the SDK.

<figure><img src="/files/A6Dap570Q6Bg7F42NWgr" alt=""><figcaption></figcaption></figure>

* **Client ID**\
  A public identifier for your application. Use this value when initializing the Oten SDK in your app.
* **Client ssecret**\
  A confidential value used for server-side authentication.

**Important**

* Keep the Client Secret private
* Do not expose it in mobile apps, frontend code, or public repositories
* Only use the Client Secret in secure backend environments

For **native iOS applications**, authentication is handled using **OAuth 2.0 with PKCE**, and the **client Secret is not required**.

**8.2 Configure client URIs**

This section defines the application URLs used during authentication flows.

<figure><img src="/files/n4wOG2fxqIrnEtwDG5NJ" alt=""><figcaption></figcaption></figure>

**Redirect URIs**\
List of allowed callback URLs where users are redirected after a successful login.\
Enter one or more URLs, separated by commas or new lines.

**Allow origins (CORS)**\
List of origins allowed to make cross-origin (CORS) requests to Oten Authentication APIs.\
This is typically required for browser-based applications.

**Note**:

* Redirect URIs and Allowed Origins must exactly match your application URLs.
* Requests from unlisted or invalid URLs will be rejected.

**8.3 OpenID connect**

This section provides OpenID Connect–related configuration for the client.

<figure><img src="/files/LuXnVfJJhdFoOv6IujGv" alt=""><figcaption></figcaption></figure>

**Back-channel logout URI**\
Server endpoint that receives logout notifications from Oten Identity.\
When a logout event occurs, Oten calls this endpoint to invalidate user sessions without using browser redirects.

**This setting is optional and is typically used for:**

* Server-managed session invalidation
* Single Logout (SLO) across multiple applications

If your application does not require back-channel logout, this field can be left empty.

**Additional OpenID** **onnect** settings are optional and intended for advanced integration scenarios.

<figure><img src="/files/y1RTIPKv6aEfcJwOlTgH" alt=""><figcaption></figcaption></figure>
