Application types

For Trustdesk configuration sections and APIs, see App management.

cidaas supports several application types (client_type), each designed for specific use cases and platforms. The type you choose determines:

  • Which OAuth2 flows are available (if any)
  • How redirect URIs are validated
  • Security requirements and best practices
  • User experience patterns

Valid values are defined in the app configuration model: SINGLE_PAGE, REGULAR_WEB, NON_INTERACTIVE, ANDROID, IOS, WINDOWS_MOBILE, HYBRID_APP, DESKTOP, DEVICE, THIRD_PARTY, and SAML_SP.

SAML application type vs SAML login provider
SAML_SP is an application type for apps that act as a SAML Service Provider (SAML federation, not OAuth2/OIDC token flows). Enabling SAML as a login provider on an OAuth application is separate — configure that under Providers → Identity Providers and enable it on the app. See Identity providers.

Overview

| Application type (client_type) | Primary use case | Key characteristics |
| --- | --- | --- |
| Single Page Application (SPA) SINGLE_PAGE | Modern browser-based apps (React, Vue, Angular) | Public client; Authorization Code + PKCE |
| Regular Web App REGULAR_WEB | Traditional server-rendered web applications | Confidential client; Authorization Code with client secret |
| Android ANDROID | Native Android mobile applications | Public client; custom URI schemes; package name validation |
| iOS IOS | Native iOS mobile applications | Public client; custom URI schemes; bundle ID validation |
| Windows Mobile WINDOWS_MOBILE | Native Windows mobile applications | Public client; ms-app:// redirect URIs |
| Hybrid App HYBRID_APP | Cross-platform apps (React Native, Flutter, etc.) | Public client; deep links; stored as hybrid with optional original platform |
| Desktop DESKTOP | Native desktop applications | Public client; Authorization Code + PKCE |
| Non-Interactive Client NON_INTERACTIVE | Backend services, machine-to-machine | Client Credentials only; no user login UI |
| Device DEVICE | Smart TVs, IoT, limited-input devices | Device Code flow; user authenticates on another device |
| Third Party THIRD_PARTY | Untrusted external OAuth clients | Requires scope consent; public client patterns |
| SAML Service Provider SAML_SP | Applications federating via SAML | Not an OAuth client — no grant types or response types |

Note: THIRD_PARTY remains supported for existing integrations but is deprecated for new applications. Prefer explicit OAuth types (SPA, Regular Web, native types) where possible.

Single Page Application (SPA) vs Regular Web App

Single Page Application (SPA)

  • Architecture: Client-side JavaScript frameworks (React, Vue, Angular, etc.)
  • Rendering: Content updates dynamically without full page reloads
  • Security Model: Public client (cannot securely store client secrets)
  • Recommended Flow: Authorization Code Flow with PKCE
  • Redirect URI Validation: URLs using the https scheme
  • Example: React dashboard, Vue.js admin panel

Regular Web App

  • Architecture: Server-side rendering (PHP, Java, .NET, etc.)
  • Rendering: Full page reloads, server generates HTML
  • Security Model: Confidential client (backend can securely store client secrets)
  • Recommended Flow: Authorization Code Flow (with client secret)
  • Redirect URI Validation: URLs using the https scheme
  • Example: Traditional e-commerce site, corporate portal

Important: The Implicit Flow is deprecated by OAuth 2.1. Always use Authorization Code Flow (with PKCE for SPAs) instead.

Native, hybrid, and desktop applications

Android, iOS, Windows Mobile, Hybrid App, and Desktop share similar OAuth characteristics but differ in platform-specific settings:

Common characteristics

  • Native or cross-platform applications (not browser-only SPAs)
  • Public clients — cannot securely store client secrets in the app bundle
  • Custom URI schemes or deep links for redirects
  • Recommended flow: Authorization Code with PKCE

Platform-specific differences

| Type | Redirect URI format | Validation |
| --- | --- | --- |
| Android ANDROID | Custom URI schemes (e.g., myapp://callback) | Package name |
| iOS IOS | Custom URI schemes (e.g., myapp://callback) | Bundle ID |
| Windows Mobile WINDOWS_MOBILE | ms-app://oauth/callback | Windows app package |
| Hybrid App HYBRID_APP | Platform-specific deep links | Cross-platform framework; may retain original platform metadata |
| Desktop DESKTOP | Custom URI schemes or localhost | Desktop app identifier |

Example redirect URIs

  • Android: com.myapp://oauth/callback
  • iOS: myapp://oauth/callback
  • Windows Mobile: ms-app://oauth/callback

Non-Interactive Client

Purpose: Machine-to-machine (M2M) communication, backend services, API-to-API calls

Key Characteristics:

  • No user interface
  • No user interaction required
  • Server-to-server communication
  • Can securely store client secrets
  • Recommended Flow: Client Credentials Flow
  • No Redirect URIs: Not applicable (no user redirects)

Use Cases:

  • Microservices communication
  • Scheduled jobs accessing APIs
  • Backend services calling other backend services
  • Automated data synchronization

Note: Non-interactive clients do not support user authentication flows, token conditions, or hosted pages since there is no user interaction.

Device (Limited Input Devices)

Purpose: Devices with limited or no input capabilities

Key Characteristics:

  • Limited keyboard/input capabilities
  • Examples: Smart TVs, gaming consoles, IoT devices, printers
  • Recommended Flow: Device Code Flow
  • Authentication Method: User authenticates on a separate device (phone/computer)
  • User Experience: QR code or URL + code displayed on device

How It Works:

  1. Device requests authorization and receives device_code and user_code
  2. Device displays QR code or URL + code to user
  3. User scans QR code or visits URL on their phone/computer
  4. User enters user_code and authenticates
  5. Device polls token endpoint until user completes authentication
  6. Device receives access token
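
The polling in steps 5 and 6, as an added example that is not cidaas code. It assumes the token-endpoint error codes and the `interval` / `expires_in` fields defined in RFC 8628; `post_token`, `simulated_endpoint`, the client ID and all sample values are constructed for illustration.

```python
import time

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

def poll_for_token(post_token, client_id, device_auth, sleep=time.sleep):
    """Poll until the user finishes, the request fails, or the code expires.

    post_token(form) -> dict is a caller-supplied function (assumption) that
    posts the form to the token endpoint and returns the parsed JSON body.
    """
    interval = device_auth.get("interval", 5)   # RFC 8628 default of 5 seconds
    waited = 0
    while waited < device_auth["expires_in"]:
        sleep(interval)                          # never poll faster than allowed
        waited += interval
        resp = post_token({"grant_type": DEVICE_GRANT,
                           "device_code": device_auth["device_code"],
                           "client_id": client_id})
        err = resp.get("error")
        if err is None:
            return resp                          # step 6: body carries access_token
        if err == "authorization_pending":       # user has not finished yet
            continue
        if err == "slow_down":                   # server asks for a longer interval
            interval += 5
            continue
        # access_denied, expired_token, or anything else ends the flow
        raise RuntimeError(f"device authorization failed: {err}")
    raise TimeoutError("device_code expired before the user authenticated")

def simulated_endpoint(script):
    """Constructed stand-in for the token endpoint: replays canned responses."""
    replies = iter(script)
    return lambda form: next(replies)

def demo():
    # Constructed device authorization response (step 1); values are not real.
    device_auth = {"device_code": "constructed-device-code",
                   "user_code": "WDJB-MJHT", "expires_in": 600, "interval": 5}
    sleeps = []                                  # record waits instead of sleeping
    endpoint = simulated_endpoint([
        {"error": "authorization_pending"},
        {"error": "slow_down"},
        {"access_token": "constructed-token", "token_type": "Bearer"},
    ])
    token = poll_for_token(endpoint, "demo-client", device_auth, sleep=sleeps.append)
    return token["access_token"], sleeps
```

Only the user_code is meant to be shown on the device screen; the device_code stays inside the device and is sent only to the token endpoint.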

Example Use Cases:

  • Smart TV apps
  • Gaming console applications
  • IoT devices (smart home hubs)
  • Printers with network access

Third Party

Purpose: OAuth clients operated by external parties where users must explicitly consent to requested scopes.

Key characteristics:

  • Treated as a public client for most OAuth settings
  • Scope consent is enforced during login
  • Recommended flow: Authorization Code with PKCE
  • Deprecated for new applications — prefer SPA, Regular Web, or the appropriate native type

SAML Service Provider (SAML_SP)

Purpose: Register an application that acts as a SAML Service Provider and federates with external SAML Identity Providers through cidaas.

Key characteristics:

  • Not an OAuth2/OIDC client: grant_types and response_types must be empty
  • No OAuth redirect URI requirements for the SAML SP profile
  • SAML metadata, assertion consumption, and provider linkage are configured on the application instead of OAuth flows
  • Distinct from enabling SAML as a login provider on an interactive OAuth app (see Identity providers)

Typical use cases:

  • Enterprise applications that authenticate users via SAML federation
  • Legacy SAML SP integrations managed alongside OAuth applications in Trustdesk

Flow selection matrix

| Application type | Recommended flow | Grant type | Client secret required? | User authentication? |
| --- | --- | --- | --- | --- |
| Single Page App (SINGLE_PAGE) | Authorization Code + PKCE | authorization_code | ❌ No | ✅ Yes |
| Regular Web App (REGULAR_WEB) | Authorization Code | authorization_code | ✅ Yes | ✅ Yes |
| Android / iOS / Windows Mobile / Hybrid / Desktop | Authorization Code + PKCE | authorization_code | ❌ No | ✅ Yes |
| Non-Interactive (NON_INTERACTIVE) | Client Credentials | client_credentials | ✅ Yes | ❌ No |
| Device (DEVICE) | Device Code | urn:ietf:params:oauth:grant-type:device_code | ❌ No | ✅ Yes |
| Third Party (THIRD_PARTY) | Authorization Code + PKCE | authorization_code | ❌ No | ✅ Yes |
| SAML Service Provider (SAML_SP) | SAML SSO | (no OAuth grant types) | Depends on SAML setup | ✅ Yes (via SAML IdP) |
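
The matrix and the redirect URI rules on this page can be turned into a review check for app configurations. The following is an added example, not cidaas code: `client_type`, `grant_types` and `response_types` are the names used on this page, while `redirect_uris`, `has_client_secret` and the dict layout are assumptions, and the sample config is constructed.

```python
from urllib.parse import urlsplit

# Rules transcribed from the flow selection matrix on this page:
# client_type -> (expected grant type, client secret required?)
NATIVE = ("ANDROID", "IOS", "WINDOWS_MOBILE", "HYBRID_APP", "DESKTOP")
MATRIX = {
    "SINGLE_PAGE": ("authorization_code", False),
    "REGULAR_WEB": ("authorization_code", True),
    "NON_INTERACTIVE": ("client_credentials", True),
    "DEVICE": ("urn:ietf:params:oauth:grant-type:device_code", False),
    "THIRD_PARTY": ("authorization_code", False),
    **{t: ("authorization_code", False) for t in NATIVE},
}

def lint_app(app):
    """Return a list of findings for one app configuration dict."""
    ctype = app.get("client_type")
    grants = set(app.get("grant_types", []))
    rtypes = app.get("response_types", [])
    uris = app.get("redirect_uris", [])          # assumed field name
    findings = []
    if ctype == "SAML_SP":
        # SAML_SP is not an OAuth client: both lists must be empty.
        if grants or rtypes:
            findings.append("SAML_SP must have empty grant_types and response_types")
        return findings
    if ctype not in MATRIX:
        return [f"unknown client_type {ctype!r}"]
    expected, needs_secret = MATRIX[ctype]
    if expected not in grants:
        findings.append(f"{ctype} should enable grant {expected}")
    if "implicit" in grants or "token" in rtypes:
        findings.append("implicit flow is deprecated; use authorization code")
    if needs_secret and not app.get("has_client_secret"):  # assumed field name
        findings.append(f"{ctype} is a confidential client and needs a client secret")
    if ctype == "NON_INTERACTIVE" and uris:
        findings.append("NON_INTERACTIVE clients have no redirect URIs")
    if ctype in ("SINGLE_PAGE", "REGULAR_WEB"):
        findings += [f"redirect URI {u} must use https" for u in uris
                     if urlsplit(u).scheme != "https"]
    if ctype == "WINDOWS_MOBILE":
        findings += [f"redirect URI {u} must use ms-app://" for u in uris
                     if urlsplit(u).scheme != "ms-app"]
    return findings

# Constructed sample config (not a real cidaas export): yields three findings.
SAMPLE = {"client_type": "REGULAR_WEB", "grant_types": ["authorization_code", "implicit"],
          "response_types": ["code", "token"], "redirect_uris": ["http://shop.example/cb"]}
```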

Availability by app type

Section | Interactive OAuth apps (SPA, Web, native, Device, Third Party) | Non-Interactive (M2M) | SAML Service Provider (SAML_SP)
Branding & hosted pages: Partial
OAuth2 / OIDC (redirect URIs): Partial (no redirects)
Authentication & MFA: SAML-specific
Registration & fields: Partial
Consent: Partial
Client authentication & scopes: Partial
Token settings
Signing keys

See Configuration sections in App management for the full Trustdesk section map.