Application types
For Trustdesk configuration sections and APIs, see App management.
cidaas supports several application types (client_type), each designed for specific use cases and platforms. The type you choose determines:
- Which OAuth2 flows are available (if any)
- How redirect URIs are validated
- Security requirements and best practices
- User experience patterns
Valid values are defined in the app configuration model: SINGLE_PAGE, REGULAR_WEB, NON_INTERACTIVE, ANDROID, IOS, WINDOWS_MOBILE, HYBRID_APP, DESKTOP, DEVICE, THIRD_PARTY, and SAML_SP.
SAML application type vs SAML login provider
SAML_SP is an application type for apps that act as a SAML Service Provider (SAML federation, not OAuth2/OIDC token flows). Enabling SAML as a login provider on an OAuth application is separate — configure that under Providers → Identity Providers and enable it on the app. See Identity providers.
Overview
| Application type (client_type) | Primary use case | Key characteristics |
|---|---|---|
| Single Page Application (SPA) SINGLE_PAGE | Modern browser-based apps (React, Vue, Angular) | Public client; Authorization Code + PKCE |
| Regular Web App REGULAR_WEB | Traditional server-rendered web applications | Confidential client; Authorization Code with client secret |
| Android ANDROID | Native Android mobile applications | Public client; custom URI schemes; package name validation |
| iOS IOS | Native iOS mobile applications | Public client; custom URI schemes; bundle ID validation |
| Windows Mobile WINDOWS_MOBILE | Native Windows mobile applications | Public client; ms-app:// redirect URIs |
| Hybrid App HYBRID_APP | Cross-platform apps (React Native, Flutter, etc.) | Public client; deep links; stored as hybrid with optional original platform |
| Desktop DESKTOP | Native desktop applications | Public client; Authorization Code + PKCE |
| Non-Interactive Client NON_INTERACTIVE | Backend services, machine-to-machine | Client Credentials only; no user login UI |
| Device DEVICE | Smart TVs, IoT, limited-input devices | Device Code flow; user authenticates on another device |
| Third Party THIRD_PARTY | Untrusted external OAuth clients | Requires scope consent; public client patterns |
| SAML Service Provider SAML_SP | Applications federating via SAML | Not an OAuth client — no grant types or response types |
THIRD_PARTY remains supported for existing integrations but is deprecated for new applications. Prefer explicit OAuth types (SPA, Regular Web, native types) where possible.
Single Page Application (SPA) vs Regular Web App
Single Page Application (SPA)
- Architecture: Client-side JavaScript frameworks (React, Vue, Angular, etc.)
- Rendering: Content updates dynamically without full page reloads
- Security Model: Public client (cannot securely store client secrets)
- Recommended Flow: Authorization Code Flow with PKCE
- Redirect URI Validation: URLs using the https scheme
- Example: React dashboard, Vue.js admin panel
Regular Web App
- Architecture: Server-side rendering (PHP, Java, .NET, etc.)
- Rendering: Full page reloads, server generates HTML
- Security Model: Confidential client (backend can securely store client secrets)
- Recommended Flow: Authorization Code Flow (with client secret)
- Redirect URI Validation: URLs using the https scheme
- Example: Traditional e-commerce site, corporate portal
Native, hybrid, and desktop applications
Android, iOS, Windows Mobile, Hybrid App, and Desktop share similar OAuth characteristics but differ in platform-specific settings:
Common characteristics
- Native or cross-platform applications (not browser-only SPAs)
- Public clients — cannot securely store client secrets in the app bundle
- Custom URI schemes or deep links for redirects
- Recommended flow: Authorization Code with PKCE
Platform-specific differences
| Type | Redirect URI format | Validation |
|---|---|---|
| Android ANDROID | Custom URI schemes (e.g., myapp://callback) | Package name |
| iOS IOS | Custom URI schemes (e.g., myapp://callback) | Bundle ID |
| Windows Mobile WINDOWS_MOBILE | ms-app://oauth/callback | Windows app package |
| Hybrid App HYBRID_APP | Platform-specific deep links | Cross-platform framework; may retain original platform metadata |
| Desktop DESKTOP | Custom URI schemes or localhost | Desktop app identifier |
Example redirect URIs
- Android: com.myapp://oauth/callback
- iOS: myapp://oauth/callback
- Windows Mobile: ms-app://oauth/callback
Non-Interactive Client
Purpose: Machine-to-machine (M2M) communication, backend services, API-to-API calls
Key Characteristics:
- No user interface
- No user interaction required
- Server-to-server communication
- Can securely store client secrets
- Recommended Flow: Client Credentials Flow
- No Redirect URIs: Not applicable (no user redirects)
Use Cases:
- Microservices communication
- Scheduled jobs accessing APIs
- Backend services calling other backend services
- Automated data synchronization
Device (Limited Input Devices)
Purpose: Devices with limited or no input capabilities
Key Characteristics:
- Limited keyboard/input capabilities
- Examples: Smart TVs, gaming consoles, IoT devices, printers
- Recommended Flow: Device Code Flow
- Authentication Method: User authenticates on a separate device (phone/computer)
- User Experience: QR code or URL + code displayed on device
How It Works:
- Device requests authorization and receives device_code and user_code
- Device displays QR code or URL + code to user
- User scans QR code or visits URL on their phone/computer
- User enters user_code and authenticates
- Device polls token endpoint until user completes authentication
- Device receives access token
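The polling step above, sketched as an added example (not cidaas code): the device-side loop with the error codes defined in RFC 8628. It assumes the token endpoint returns those standard codes; `post_token` is a hypothetical caller-supplied transport, and the replies in `demo` are constructed.

```python
import time

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

def poll_for_token(post_token, device_code, interval=5, expires_in=600,
                   sleep=time.sleep, clock=time.monotonic):
    """Poll until the user finishes authenticating on the second device.

    post_token (hypothetical) sends the form to the token endpoint and
    returns the parsed JSON body as a dict.
    """
    deadline = clock() + expires_in
    while clock() < deadline:
        sleep(interval)
        body = post_token({"grant_type": DEVICE_GRANT,
                           "device_code": device_code})
        if "access_token" in body:
            return body
        error = body.get("error")
        if error == "authorization_pending":
            continue                  # user has not finished yet
        if error == "slow_down":
            interval += 5             # RFC 8628: add 5 seconds and keep polling
            continue
        # access_denied, expired_token or anything unexpected ends the flow
        raise RuntimeError(f"device authorization failed: {error}")
    raise TimeoutError("device_code expired before the user authenticated")

def demo():
    # Constructed replies standing in for a real token endpoint.
    replies = iter([
        {"error": "authorization_pending"},
        {"error": "slow_down"},
        {"error": "authorization_pending"},
        {"access_token": "constructed-token", "token_type": "Bearer"},
    ])
    waits, now = [], [0.0]

    def fake_sleep(seconds):
        waits.append(seconds)
        now[0] += seconds

    token = poll_for_token(lambda form: next(replies), "constructed-device-code",
                           sleep=fake_sleep, clock=lambda: now[0])
    return token, waits

if __name__ == "__main__":
    print(demo())
```

Treating every error other than authorization_pending and slow_down as terminal keeps a denied or expired request from being retried indefinitely.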
Example Use Cases:
- Smart TV apps
- Gaming console applications
- IoT devices (smart home hubs)
- Printers with network access
Third Party
Purpose: OAuth clients operated by external parties where users must explicitly consent to requested scopes.
Key characteristics:
- Treated as a public client for most OAuth settings
- Scope consent is enforced during login
- Recommended flow: Authorization Code with PKCE
- Deprecated for new applications — prefer SPA, Regular Web, or the appropriate native type
SAML Service Provider (SAML_SP)
Purpose: Register an application that acts as a SAML Service Provider and federates with external SAML Identity Providers through cidaas.
Key characteristics:
- Not an OAuth2/OIDC client — grant_types and response_types must be empty
- No OAuth redirect URI requirements for the SAML SP profile
- SAML metadata, assertion consumption, and provider linkage are configured on the application instead of OAuth flows
- Distinct from enabling SAML as a login provider on an interactive OAuth app (see Identity providers)
Typical use cases:
- Enterprise applications that authenticate users via SAML federation
- Legacy SAML SP integrations managed alongside OAuth applications in Trustdesk
Flow selection matrix
| Application type | Recommended flow | Grant type | Client secret required? | User authentication? |
|---|---|---|---|---|
| Single Page App (SINGLE_PAGE) | Authorization Code + PKCE | authorization_code | ❌ No | ✅ Yes |
| Regular Web App (REGULAR_WEB) | Authorization Code | authorization_code | ✅ Yes | ✅ Yes |
| Android / iOS / Windows Mobile / Hybrid / Desktop | Authorization Code + PKCE | authorization_code | ❌ No | ✅ Yes |
| Non-Interactive (NON_INTERACTIVE) | Client Credentials | client_credentials | ✅ Yes | ❌ No |
| Device (DEVICE) | Device Code | urn:ietf:params:oauth:grant-type:device_code | ❌ No | ✅ Yes |
| Third Party (THIRD_PARTY) | Authorization Code + PKCE | authorization_code | ❌ No | ✅ Yes |
| SAML Service Provider (SAML_SP) | SAML SSO | — (no OAuth grant types) | Depends on SAML setup | ✅ Yes (via SAML IdP) |
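The matrix can be turned into a review check over exported app records. The following is an added example, not cidaas code: client_type, grant_types and response_types are the names used on this page, while redirect_uris, has_client_secret and require_pkce are assumed field names and the sample records are constructed.

```python
from urllib.parse import urlsplit

PKCE_TYPES = {"SINGLE_PAGE", "ANDROID", "IOS", "WINDOWS_MOBILE",
              "HYBRID_APP", "DESKTOP", "THIRD_PARTY"}
# client_type -> (grant type from the matrix, client secret required?)
MATRIX = {t: ("authorization_code", False) for t in PKCE_TYPES}
MATRIX.update({
    "REGULAR_WEB": ("authorization_code", True),
    "NON_INTERACTIVE": ("client_credentials", True),
    "DEVICE": ("urn:ietf:params:oauth:grant-type:device_code", False),
})

def lint_app(app):
    """Return findings for one app record; redirect_uris, has_client_secret
    and require_pkce are assumed field names."""
    ctype, grants = app.get("client_type"), app.get("grant_types", [])
    uris, out = app.get("redirect_uris", []), []
    if ctype == "SAML_SP":
        # SAML_SP is not an OAuth client: both lists must be empty.
        if grants or app.get("response_types"):
            out.append("SAML_SP: grant_types and response_types must be empty")
        return out
    if ctype not in MATRIX:
        return [f"unknown client_type: {ctype}"]
    grant, needs_secret = MATRIX[ctype]
    if grant not in grants:
        out.append(f"{ctype}: expected grant type {grant}")
    if needs_secret != bool(app.get("has_client_secret")):
        out.append(f"{ctype}: client secret {'required' if needs_secret else 'not expected'}")
    if ctype in PKCE_TYPES and not app.get("require_pkce"):
        out.append(f"{ctype}: PKCE should be required")
    if ctype == "NON_INTERACTIVE" and uris:
        out.append("NON_INTERACTIVE: redirect URIs are not applicable")
    for uri in uris:
        scheme = urlsplit(uri).scheme
        if ctype in ("SINGLE_PAGE", "REGULAR_WEB") and scheme != "https":
            out.append(f"{ctype}: redirect URI is not https: {uri}")
        if ctype == "WINDOWS_MOBILE" and scheme != "ms-app":
            out.append(f"{ctype}: redirect URI is not ms-app://: {uri}")
    return out

# Constructed sample records, not real cidaas exports.
SAMPLES = [
    {"client_type": "SINGLE_PAGE", "grant_types": ["authorization_code"],
     "has_client_secret": True, "redirect_uris": ["http://app.example/cb"]},
    {"client_type": "SAML_SP", "grant_types": ["authorization_code"]},
    {"client_type": "NON_INTERACTIVE", "grant_types": ["client_credentials"],
     "has_client_secret": True},
]
```

Running `[lint_app(a) for a in SAMPLES]` flags the SPA record three times (secret, PKCE, http redirect), the SAML_SP record once, and leaves the M2M record clean.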
Availability by app type
| Section | Interactive OAuth apps (SPA, Web, native, Device, Third Party) | Non-Interactive (M2M) | SAML Service Provider (SAML_SP) |
|---|---|---|---|
| Branding & hosted pages | ✅ | ❌ | Partial |
| OAuth2 / OIDC (redirect URIs) | ✅ | Partial (no redirects) | ❌ |
| Authentication & MFA | ✅ | ❌ | SAML-specific |
| Registration & fields | ✅ | ❌ | Partial |
| Consent | ✅ | ❌ | Partial |
| Client authentication & scopes | ✅ | ✅ | Partial |
| Token settings | ✅ | ✅ | ❌ |
| Signing keys | ✅ | ✅ | ✅ |
See Configuration sections in App management for the full Trustdesk section map.