App management

Overview

App management in cidaas provides a central place to configure and manage OAuth2/OIDC clients. These clients may represent portals, mobile applications, backend services, or third-party clients.

cidaas implements OAuth2 and OpenID Connect (OIDC), ensuring secure, standards-based authentication and authorization for all applications.

Prerequisites

Before creating an app in cidaas, ensure the following:

Access to the cidaas Admin UI with App Management permissions.
Redirect URLs and logout URLs are prepared.
Required scopes and API resources are already created.
Hosted page group or login providers are configured (if needed).
Company details such as Terms & Conditions and Privacy Policy URLs are available.
For mobile apps: package name / bundle ID and redirect scheme are ready.

Key benefits

Standardized and secure authentication using OAuth2/OIDC.
Centralized permission and scope management for all apps.
Separation of authentication from applications, with cidaas acting as the authorization server.

Note
App settings define the authentication behavior, UI customization, system rules, permissions, and required user information for an application.

App-overview

App details

Setting	Description	More information
App name	Internal name displayed in the app overview.	–
App display name	Shown on hosted pages during login and registration.	Hosted Pages Management
App logo URL	Logo displayed on overview and hosted pages.	Hosted Pages Management
Logo position	Sets alignment of the logo (`left`, `center`, `right`).	Hosted Pages Management
Login form position	Aligns the login form on hosted pages.	Hosted Pages Management
Media type	Selects image or video for background.	–
App background URL	Public URL of the custom background.	Hosted Pages Management
App primary color	Primary accent used in UI elements.	Hosted Pages Management
App accent color	Secondary highlight color.	Hosted Pages Management
App type	Determines available configuration options.	See application types

Application Types Overview

cidaas supports several application types, each designed for specific use cases and platforms. The application type you choose determines:

Which OAuth2 flows are available
How redirect URIs are validated
Security requirements and best practices
User experience patterns

Application Type	Primary Use Case	Key Characteristics
Single Page Application (SPA)	Modern browser-based apps (React, Vue, Angular)	Dynamic content updates, no full page reloads
Regular Web App	Traditional server-rendered web applications	Server-side rendering, backend can securely store secrets
Android	Native Android mobile applications	Custom URI schemes, package name validation
iOS	Native iOS mobile applications	Custom URI schemes, bundle ID validation
Windows	Microsoft Windows applications	Windows API integration
Non-Interactive Client	Backend services, machine-to-machine	No user interface, server-to-server communication
Device	Smart TVs, IoT devices, limited input devices	QR code or URL + code authentication
Third Party	Untrusted external clients	Requires user consent for scopes

Single Page Application (SPA) vs Regular Web App

Single Page Application (SPA)

Architecture: Client-side JavaScript frameworks (React, Vue, Angular, etc.)
Rendering: Content updates dynamically without full page reloads
Security Model: Public client (cannot securely store client secrets)
Recommended Flow: Authorization Code Flow with PKCE
Redirect URI Validation: URLs using the https scheme
Example: React dashboard, Vue.js admin panel

Regular Web App

Architecture: Server-side rendering (PHP, Java, .NET, etc.)
Rendering: Full page reloads, server generates HTML
Security Model: Confidential client (backend can securely store client secrets)
Recommended Flow: Authorization Code Flow (with client secret)
Redirect URI Validation: URLs using the https scheme
Example: Traditional e-commerce site, corporate portal

Important: The Implicit Flow is deprecated by OAuth2.1. Always use Authorization Code Flow (with PKCE for SPAs) instead.

Android vs iOS vs Windows (Native Mobile Apps)

All three native application types share similar characteristics but differ in platform-specific requirements:

Common Characteristics:

Native applications running on mobile/desktop platforms
Cannot securely store client secrets (public clients)
Use custom URI schemes for redirects
Recommended Flow: Authorization Code Flow with PKCE

Platform-Specific Differences:

Platform	Redirect URI Format	Validation
Android	Custom URI schemes (e.g., `myapp://callback`)	Package name validation
iOS	Custom URI schemes (e.g., `myapp://callback`)	Bundle ID validation
Windows	Custom URI schemes `ms-app://oauth/callback`	Windows app package validation

Example Redirect URIs:

Android: com.myapp://oauth/callback
iOS: myapp://oauth/callback
Windows: ms-app://oauth/callback

Non-Interactive Client

Purpose: Machine-to-machine (M2M) communication, backend services, API-to-API calls

Key Characteristics:

No user interface
No user interaction required
Server-to-server communication
Can securely store client secrets
Recommended Flow: Client Credentials Flow
No Redirect URIs: Not applicable (no user redirects)

Use Cases:

Microservices communication
Scheduled jobs accessing APIs
Backend services calling other backend services
Automated data synchronization

Note: Non-interactive clients do not support user authentication flows, token conditions, or hosted pages since there is no user interaction.

Device (Limited Input Devices)

Purpose: Devices with limited or no input capabilities

Key Characteristics:

Limited keyboard/input capabilities
Examples: Smart TVs, gaming consoles, IoT devices, printers
Recommended Flow: Device Code Flow
Authentication Method: User authenticates on a separate device (phone/computer)
User Experience: QR code or URL + code displayed on device

How It Works:

Device requests authorization and receives device_code and user_code
Device displays QR code or URL + code to user
User scans QR code or visits URL on their phone/computer
User enters user_code and authenticates
Device polls token endpoint until user completes authentication
Device receives access token

Example Use Cases:

Smart TV apps
Gaming console applications
IoT devices (smart home hubs)
Printers with network access

Flow Selection Matrix

Application Type	Recommended Flow	Grant Type	Client Secret Required?	User Authentication?
Single Page App	Authorization Code + PKCE	`authorization_code`	❌ No	✅ Yes
Regular Web App	Authorization Code	`authorization_code`	✅ Yes	✅ Yes
Android	Authorization Code + PKCE	`authorization_code`	❌ No	✅ Yes
iOS	Authorization Code + PKCE	`authorization_code`	❌ No	✅ Yes
Windows	Authorization Code + PKCE	`authorization_code`	❌ No	✅ Yes
Non-Interactive	Client Credentials	`client_credentials`	✅ Yes	❌ No
Device	Device Code	`urn:ietf:params:oauth:grant-type:device_code`	❌ No	✅ Yes
Third Party	Authorization Code + PKCE	`authorization_code`	❌ No	✅ Yes

App settings

Setting	Description
Client ID	Unique identifier generated during app creation.
Client secret	Secret used in flows such as Client Credentials. See Client secret rotation.
Scope	Defines which resources and APIs the client can access.
Hosted page group	Hosted page group used during login and registration.
Redirect URLs	Allowed URLs for returning tokens or authorization codes.
Allowed logout URLs	Allowed redirect URLs after logout.

Company details

Setting	Description
Company name	Internal reference name.
Company address	Internal reference address.
Website URL	Internal reference website.
Terms and conditions URL	Displayed on hosted and profile pages.
Privacy policy URL	Displayed on hosted and profile pages.
Imprint URL	Displayed on hosted and profile pages.
Description	Additional company-related information.

Advanced settings

Category	Description	More information
OAuth2/OIDC settings	Configure grant types, response types, and flow options.	OAuth2 basics and flows
Token settings	Configure token expiry and add custom claims.	Token settings
Consent management	Ensure that required consents are collected during login.	Consent management
Login providers	Configure social, SAML, OAuth2, or AD login providers.	Login provider
Registration fields	Fields required during registration and progressive profiling.	Field settings
Allowed fields	Fields included during registration and token generation.	–
Required fields	Mandatory fields users must complete.	–
Communication medium verification	Configure verification settings for email/SMS.	Account verification
Password policy settings	Enforce password rules via password policies.	Password policy
Template group settings	Select notification template groups.	Communication management
Authentication	Configure allowed authentication and MFA methods.	Authentication process
Remember me	Keeps the user logged in and enables SSO.	–
Success page	Redirect users to a custom success page after login.	Success Information
Mobile settings	Platform-specific settings for Android, iOS, and Windows apps.	–
Groups and role settings	Restrict login based on groups/roles or assign defaults.	Permission management
Encryption settings	Enable JWE token encryption.	–
App custom fields	Add custom metadata fields to tokens.	–
Flow settings	Configure auto login, social login behaviors, and allowed user identifiers.	–

Developer Reference

API	Description	Link
Create app	Creates an app and provisions all clients automatically.	View API
Update app	Updates an existing application.	View API
Get app by client ID	Retrieves an application by its Client ID.	View API
Delete app by client ID	Deletes an application.	View API

Need help?

For assistance, visit our Support Portal.

Overview​

Prerequisites​

Key benefits​

App details​

Application Types Overview​

Single Page Application (SPA) vs Regular Web App​

Android vs iOS vs Windows (Native Mobile Apps)​

Non-Interactive Client​

Device (Limited Input Devices)​

Flow Selection Matrix​

App settings​

Company details​

Advanced settings​

Developer Reference​

Explore Related Topics​

Need help?​