Application Types and Scenarios - KundanaP/EDU-SSO GitHub Wiki
EDU Applications typically use one of the five primary application scenarios:
## Web Browser to Web Application

An application authenticates a user in a web browser to a web application. In this scenario, the web application directs the user's browser to sign them in to Azure AD. Azure AD returns a sign-in response through the user's browser, which contains claims about the user in a security token. This scenario supports sign-on using the WS-Federation, SAML 2.0, and OpenID Connect protocols.
## Single Page Application (SPA)

A Single Page Application uses Azure AD and the OAuth 2.0 implicit authorization grant to secure its web API back end. Single Page Applications are typically structured as a JavaScript presentation layer (front end) that runs in the browser and a Web API back end that runs on a server and implements the application's business logic.
## Native Application to Web API

A native application that calls a web API on behalf of a user. This scenario is built on the OAuth 2.0 authorization code grant type with a public client. The native application obtains an access token for the user by using the OAuth 2.0 protocol. This access token is then sent in the request to the web API, which authorizes the user and returns the desired resource.
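The public-client authorization code exchange described above, as an added example that is not part of this wiki: it builds the authorization request with a PKCE code challenge (RFC 7636) and a random `state`, checks the `state` echoed back on the redirect before trusting the code, and assembles the token request without any client secret. The Azure AD v2.0 endpoint URLs, tenant, client id and redirect URI are placeholder assumptions.

```python
# Added example (not from the wiki): authorization code grant for a public
# client with PKCE. Endpoint, tenant and client values are placeholders.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed Azure AD v2.0 endpoints for a constructed placeholder tenant.
TENANT = "contoso.example"
AUTHORIZE_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize"
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_verifier() -> str:
    # 32 random bytes -> 43 base64url chars, within RFC 7636's 43..128 range.
    return b64url(secrets.token_bytes(32))


def build_authorize_request(client_id: str, redirect_uri: str, scope: str,
                            verifier: str, state: str) -> str:
    """Browser is sent here; the challenge binds the later code to this client."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "scope": scope, "state": state,
              "code_challenge": code_challenge(verifier),
              "code_challenge_method": "S256"}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_redirect(redirect_url: str, expected_state: str) -> str:
    """Reject the redirect unless the state matches the one this session issued."""
    qs = parse_qs(urlparse(redirect_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect not tied to this sign-in attempt")
    if "error" in qs:
        raise ValueError(f"authorization error: {qs['error'][0]}")
    return qs["code"][0]


def build_token_request(client_id: str, redirect_uri: str, code: str, verifier: str) -> dict:
    """Form body POSTed to TOKEN_URL. Public client: no secret, verifier proves possession."""
    return {"client_id": client_id, "grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "code_verifier": verifier}
```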
## Web Application to Web API

A web application that needs to get resources from a web API. In this scenario, there are two identity types that the web application can use to authenticate and call the web API:
- Application identity: This scenario uses OAuth 2.0 client credentials grant to authenticate as the application and access the web API.
- Delegated user identity: This scenario can be accomplished in two ways: OpenID Connect, and OAuth 2.0 authorization code grant with a confidential client.
## Daemon or Server Application to Web API

A daemon or server application that needs to get resources from a web API. There are two sub-scenarios that apply to this section:
- A daemon that needs to call a web API, built on OAuth 2.0 client credentials grant type;
- A server application (such as a web API) that needs to call a web API, built on OAuth 2.0 On-Behalf-Of draft specification.