Biometric Authentication in Flutter App with Keycloak (Access & Refresh Token Integration)

Hello everyone,

I’m working on a mobile app built with Flutter and currently using Keycloak as the identity provider. I would like to integrate biometric authentication (fingerprint/FaceID) directly in my mobile app.

My main question is:

  • Does Keycloak provide any ready-to-use API for mobile apps to exchange biometric authentication results for Access Token and Refresh Token?

  • Or is it mandatory to use Keycloak’s built-in login UI (via WebAuthn / Passkeys / Passwordless) in order to perform authentication?

  • Ideally, I just want to use the biometric authentication UI provided from mobile app and then obtain the tokens from Keycloak without showing Keycloak’s web login screen. Is this possible?

I have already checked the Passkey and Passwordless with WebAuthn (Passwordless Authentication with WebAuthn on Keycloak | Cloud-IAM | DOCS) feature in Keycloak. It looks promising, but from what I can see, it requires going through the Keycloak login UI rather than providing a direct API that a mobile app can call.

So my questions boil down to:

  1. Can Keycloak support a pure API-based flow for biometric authentication?

  2. If not, is there any recommended approach to integrate Flutter biometric authentication with Keycloak token issuance (Access & Refresh)?

Thanks in advance for any clarification or guidance!

  1. No, it requires the Keycloak UI.
  2. Don’t know.

Thank you for sharing!
I’m really eager to find the most suitable solution for implementing biometric authentication in a Flutter mobile app that retrieves both access and refresh tokens from Keycloak. If anyone has already done this before, it would be amazing to hear about your experience.

Has anyone here worked with Flutter and Keycloak? I’m looking for advice or best practices on integrating them — is using Keycloak’s built-in login UI the only way?

@xgp already answered your question…

If your decision is to use Keycloak, you want to use OIDC, which is based on OAuth2, which relies on browser redirections and a UI from the AS or IdP, respectively.
If you want to use API-based authentication, you don’t want to use Keycloak.
Learn about the basics first.

While there is something like OAuth2 for First-Party Apps, this still isn’t for biometric authentication; it’s still OAuth2/OIDC and relies on the usage of passkeys. Additionally, this is still a draft and not implemented by Keycloak.
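As an added illustration of the point made in this thread (this is not code from any poster): the biometric prompt on the device never replaces Keycloak's login UI; it can only gate local access to a refresh token that was obtained through the standard browser-based Authorization Code + PKCE flow, after which the app calls Keycloak's token endpoint with the `refresh_token` grant. The package names (`flutter_appauth`, `local_auth`, `flutter_secure_storage`), the client ID, redirect URL and realm URL are assumptions and placeholders.

```dart
// Added example, not from the thread. Assumed packages: flutter_appauth,
// local_auth, flutter_secure_storage. Replace the placeholder constants.
import 'package:flutter_appauth/flutter_appauth.dart';
import 'package:flutter_secure_storage/flutter_secure_storage.dart';
import 'package:local_auth/local_auth.dart';

const clientId = 'flutter-mobile';                     // placeholder public client
const redirectUrl = 'com.example.app:/oauthredirect';  // placeholder custom scheme
const discoveryUrl =                                   // placeholder realm
    'https://KEYCLOAK_HOST/realms/REALM/.well-known/openid-configuration';
const _refreshKey = 'kc_refresh_token';

final _appAuth = FlutterAppAuth();
const _storage = FlutterSecureStorage();
final _localAuth = LocalAuthentication();

/// First sign-in: the user MUST go through Keycloak's own login page in the
/// system browser (Authorization Code + PKCE). Only the refresh token is kept;
/// the short-lived access token is not persisted.
Future<String?> signInWithKeycloakUi() async {
  final result = await _appAuth.authorizeAndExchangeCode(
    AuthorizationTokenRequest(clientId, redirectUrl,
        discoveryUrl: discoveryUrl, scopes: ['openid']),
  );
  final refresh = result?.refreshToken;
  if (refresh != null) await _storage.write(key: _refreshKey, value: refresh);
  return result?.accessToken;
}

/// Later launches: biometrics only unlock the locally stored refresh token.
/// Keycloak still issues the new access token via the refresh_token grant;
/// if that fails (expired/revoked session) the user is sent back to the UI.
Future<String?> accessTokenAfterBiometrics() async {
  final ok = await _localAuth.authenticate(
      localizedReason: 'Unlock your session');
  if (!ok) return null;
  final stored = await _storage.read(key: _refreshKey);
  if (stored == null) return signInWithKeycloakUi();
  try {
    final resp = await _appAuth.token(TokenRequest(clientId, redirectUrl,
        discoveryUrl: discoveryUrl, refreshToken: stored));
    // Keycloak may rotate refresh tokens; always persist the newest one.
    final rotated = resp?.refreshToken;
    if (rotated != null) await _storage.write(key: _refreshKey, value: rotated);
    return resp?.accessToken;
  } catch (_) {
    await _storage.delete(key: _refreshKey); // session gone: require full login
    return signInWithKeycloakUi();
  }
}
```

On Android, `flutter_secure_storage` can be configured to use the hardware-backed keystore; the refresh token's lifetime is still bounded by the realm's SSO session settings, so the biometric gate cannot extend a session Keycloak has already ended.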