Browser-based login
Native embedded login
If you prefer to embed your own login pages within your native/mobile app, you can implement our login widget, Lock, directly into your app with:Passwordless
Embedded Passwordless Login in Native ApplicationsConsiderations
When you implement native embedded login with a custom credential form, keep the following considerations in mind.- Phishing/security: An unauthorized party could decompile or intercept traffic to or from your application to get the and authentication URL. With this information, the unauthorized party could create a rogue application, upload it to an application store, and use it to phish for usernames, passwords, and . Mitigations include using DPoP and Passkey APIs to bind tokens and credentials to your client.
- (SSO): Cross-application SSO across native apps requires shared session state. Native to Web SSO lets a native app share a session with a web application. Sharing tokens directly across native apps via a shared keychain is not aligned with the OAuth 2.0 specifications.
- Implementation effort: A custom credential form can take more time to implement than the system browser flow that ships with the Auth0 native SDKs. Similarly, when we release new features that affect the login UI, you must add them to the app and ship the update to users.
- OAuth 2.0 best practices (RFC 8252): RFC 8252 recommends external user-agents for browser-mediated OAuth flows in native apps.