Why do we need browser verification for authentication?

[sud0pacman]

Your use case

Summary

We had a problem while authenticating via browser due to differences of work mechanisms of browsers. I.e. when I try to login with Brave browser, it had different caching mechanisms and it caused crashing in the app or missing required tokens like CSRF.

Auth in the app without referring to webview

So we do realize that web mechanisms could be different and it creates more difficulty to handle those scenarios. In the end, my idea is here:

We could implement authentication within the app via REST or JWT tokens to avoid webview related problems like caching issues wheras CSRF goes missing with every load.

I do acknowledge that this may be a huge effort and as I'm only getting started to learn more about matrix and its components around it, I'd like to do my own research on this and somehow be able to help. I might be lacking references, so please can you give me some pointers to documentations?

Have you considered any alternatives?

A copy-pasta from above: "We could implement authentication within the app via REST or JWT tokens to avoid webview related problems like caching issues wheras CSRF goes missing with every load."

Additional context

Are you willing to provide a PR?

Yes

[bxdxnn]

I agree that the in-app login/registration is a better UX, but IIRC the motivation behind the OAuth 2.0 in-browser method was mostly security and reduced maintainance burden caused by auth logic code duplication in Matrix clients/servers.
You can read about it more in the original MSC.

[bmarty]

We had a problem while authenticating via browser due to differences of work mechanisms of browsers. I.e. when I try to login with Brave browser, it had different caching mechanisms and it caused crashing in the app or missing required tokens like CSRF.

I just tested to logging EXA on one of my accounts using Brave Browser (version 1.90.128 from F-Droid) without any issue.

Do you have any stack trace of a crash from EXA?

[sud0pacman]

we can see the problem that happened to us here

[watermelon0339]

I strongly support introducing an in‑app login mechanism. Many people in my community have given up on using Element‑X simply because the login process is too difficult for them. Users have very different browsers — some use Microsoft Edge or Chrome, which usually work fine, but many others use obscure or non‑Chromium browsers that frequently break the login flow.

In addition, many older users struggle with the browser‑based login steps and often fail to complete the process. A reliable in‑app login experience would significantly reduce friction and make Element‑X much more accessible for everyone.

[bmarty]

We will not implement other solution to login using Element X Android and Element X iOS. On Android, this requires a browser, and ideally compatible with ChromeCustomTab, that all the decent browsers are providing.

For the particular issue you're viewing CSRF token mismatch, I'll defer to @element-hq/mas-maintainers to get their POV. The issue could be moved to https://github.com/element-hq/matrix-authentication-service if they agree to.