UI Layer Overview#

The UI Layer is the top of the HAAPI client stack. It ships prebuilt, themable authentication screens — view controllers on iOS (IdsvrHaapiUIKit), fragments and a HaapiFlowActivity on Android (IdsvrHaapiUIWidget) — that render every step of a HAAPI flow automatically. You wire the configuration, launch the flow, and receive an OAuth token model when the user finishes. The framework composes the SDK Layer internally and inherits its DCR fallback, DPoP token binding, and risk assessment surfaces.

Most apps that authenticate against the Curity Identity Server start here.

When to Choose This Layer#

• You want the fastest path to a working authentication flow. Drop in a configuration object, launch the flow, handle the result callback. No view-rendering code.
• The prebuilt screens fit your product. Login, BankID, polling, problem screens, selector screens, WebAuthn / Passkeys, forms — all rendered by the framework.
• You’re willing to theme rather than rebuild. Theming controls colors, typography, spacing, and component styles; ui-extensibility lets you swap individual view controllers when theming isn’t enough.
• You want native platform idioms. UIKit feels like UIKit; UIWidget feels like Android Views. Both integrate with Jetpack-Compose / SwiftUI hosts.

If you need full control over screen layout and navigation, drop to the SDK Layer . If you need full control over transport, drop to the Driver Layer .

What the UI Layer Handles For You#

• Screen rendering for every flow step — login forms, BankID launch, polling indicators, error/problem screens, authenticator selectors, WebAuthn / Passkeys.
• Presentation and navigation — modal vs stack presentation, back-button confirmation, in-app browser session via ASWebAuthenticationSession or system browser.
• Flow result delivery — a typed OAuthTokenModel on success, a typed error on failure, surfaced through a single result protocol/listener.
• Composition of the SDK and Driver Layers — attestation, DCR fallback, DPoP, token binding, and risk assessment all configured on the UI Layer builder and threaded through automatically.

What You Provide#

• The configuration object — HaapiUIKitConfiguration on iOS, WidgetConfiguration on Android. Required parameters: client ID, base URL, token endpoint, authorization endpoint, app redirect.
• The flow-start trigger — HaapiFlow.start(...) from the presenting view controller on iOS; HaapiFlowActivity.newIntent(...) launched via the Activity Result API on Android.
• The result handler — HaapiFlowResult (iOS) receives didReceiveOAuthTokenModel and didReceiveError; the Activity Result handler (Android) receives an OauthModel.Token or OauthModel.Error.
• Optional customization — theming (colors, fonts, plist / XML styles), view-controller / fragment replacements when prebuilt screens aren’t a fit, and presentation-mode tuning.

Topic Pages#

Configuration knobs and operational concerns are documented on shared topic pages with iOS and Android code shown side-by-side in <Tabs>:

Foundational#

• Configuration — HaapiUIKitConfigurationBuilder / WidgetConfiguration.Builder foundational wiring
• Flow Lifecycle — starting the flow, receiving the result, handling interruption

Configuration#

• Presentation Options — presentation modes, polling, selector style, auto-error feedback
• Theming — colors, typography, component styles
• UI Extensibility — swap individual view controllers / fragments
• Passkeys and WebAuthn Fallback — native flow + browser fallback

Operational#

• Preview Tools — Xcode Preview canvas (iOS), Compose @Preview and Previewer Host Activity (Android)
• Logging — HaapiLogger with Driver + SDK + UI tags

Security configuration (DCR, Token Binding, Client Authentication, Risk Assessment) is wired on the UI-Layer builder using the same parameter types as the SDK Layer; see DCR , Token Binding , Client Authentication , and Risk Assessment at the SDK Layer for parameter depth. Configuration shows the UI-Layer call sites.

Platform Landing Pages#