| title | Microsoft identity platform authentication libraries |
|---|---|
| description | List of client libraries and middleware compatible with the Microsoft identity platform. Use these libraries to add support for user sign-in (authentication) and protected web API access (authorization) to your applications. |
| author | cilwerner |
| manager | pmwongera |
| ms.author | cwerner |
| ms.custom | |
| ms.date | 10/28/2022 |
| ms.reviewer | jmprieur |
| ms.service | identity-platform |
| ms.topic | reference |
The following tables show Microsoft Authentication Library support for several application types. They include links to library source code, where to get the package for your app's project, and whether the library supports user sign-in (authentication), access to protected web APIs (authorization), or both.
The Microsoft identity platform has been certified by the OpenID Foundation as a certified OpenID provider. If you prefer to use a library other than the Microsoft Authentication Library (MSAL) or another Microsoft-supported library, choose one with a certified OpenID Connect implementation.
If you choose to hand-code your own protocol-level implementation of OAuth 2.0 or OpenID Connect 1.0, pay close attention to the security considerations in each standard's specification and follow secure software design and development practices like those in the Microsoft SDL.
A single-page application runs entirely in the browser and fetches page data (HTML, CSS, and JavaScript) dynamically or at application load time. It can call web APIs to interact with back-end data sources.
Because a SPA's code runs entirely in the browser, it's considered a public client that's unable to store secrets securely.
[!INCLUDE active-directory-develop-libraries-spa]
A web application runs code on a server that generates and sends HTML, CSS, and JavaScript to a user's web browser to be rendered. The user's identity is maintained as a session between the user's browser (the front end) and the web server (the back end).
Because a web application's code runs on the web server, it's considered a confidential client that can store secrets securely.
[!INCLUDE develop-libraries-webapp]
A desktop application is typically binary (compiled) code that displays a user interface and is intended to run on a user's desktop.
Because a desktop application runs on the user's desktop, it's considered a public client that's unable to store secrets securely.
[!INCLUDE develop-libraries-desktop]
A mobile application is typically binary (compiled) code that displays a user interface and is intended to run on a user's mobile device.
Because a mobile application runs on the user's mobile device, it's considered a public client that's unable to store secrets securely.
[!INCLUDE develop-libraries-mobile]
Services and daemons are commonly used for server-to-server and other unattended (sometimes called headless) communication. Because there's no user at the keyboard to enter credentials or consent to resource access, these applications authenticate as themselves, not a user, when requesting authorized access to a web API's resources.
A service or daemon that runs on a server is considered a confidential client that can store its secrets securely.
[!INCLUDE develop-libraries-daemon]
For more information about the Microsoft Authentication Library, see the Overview of the Microsoft Authentication Library (MSAL).