A while back, while researching the “When To Use Which (OAuth2) Grants and (OIDC) Flows” post, I needed a summary of which protocols Azure Active Directory supports or recommends in each situation, so I am summarizing it here.
Per the information provided here, the following application types can use the OAuth2, OIDC, WS-Federation or SAML2 authentication methods listed below.
Web Browser to Web Application
- Can be done with OIDC, WS-Federation, or SAML2.
SPA Application (authentication of end user and invoking an API)
- OAuth 2.0 implicit authorization grant
Native Application to Web API (desktop and mobile apps)
- OAuth 2.0 authorization code grant type with a public client
Web Application to Web API
- OAuth 2.0 client credentials grant
- OpenID Connect and the OAuth 2.0 authorization code grant with a confidential client
Daemon or Server Application to Web API
Scenario #1: Use an application identity
- For example, a daemon that needs to call a web API: use the OAuth 2.0 client credentials grant type
Scenario #2: Use an authenticated end user identity
- A server application that needs to call a web API with the end user's identity: use the OAuth 2.0 On-Behalf-Of flow (OAuth 2.0 Token Exchange draft RFC)
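The two daemon/server scenarios differ only in which grant the confidential client sends to the Azure AD token endpoint. The following Python is an added example (not code from the original post) that builds the request body for each: with no user token it produces a client credentials request (Scenario #1); given the caller's access token it produces an On-Behalf-Of exchange (Scenario #2). The endpoint and parameter names are those of the Azure AD v2.0 token endpoint; tenant, client and token values below are constructed placeholders.

```python
"""Build Azure AD v2.0 token requests for the two daemon/server scenarios."""
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
OBO_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def build_daemon_token_request(tenant, client_id, client_secret, scope,
                               user_assertion=None):
    """Return (url, form body) for a confidential client.

    Scenario #1 (no user_assertion): client credentials grant; the resulting
    token carries only the application's identity.
    Scenario #2 (user_assertion given): On-Behalf-Of exchange; the access
    token the user presented to this API is traded for a downstream token
    that still names that user.
    """
    if user_assertion is None and not scope.endswith("/.default"):
        # App-only requests to the v2.0 endpoint must ask for the
        # resource's /.default scope, not individual delegated scopes.
        raise ValueError("client credentials requires a /.default scope")
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }
    if user_assertion is None:
        body["grant_type"] = "client_credentials"
    else:
        if user_assertion.count(".") != 2:
            # The assertion must be the compact JWT access token the caller sent.
            raise ValueError("user assertion is not a compact JWT")
        body["grant_type"] = OBO_GRANT
        body["assertion"] = user_assertion
        body["requested_token_use"] = "on_behalf_of"
    return TOKEN_ENDPOINT.format(tenant=tenant), body


def encode_form(body):
    """Serialise the body as application/x-www-form-urlencoded for POSTing."""
    return urlencode(body)


if __name__ == "__main__":
    # Constructed placeholder values; no request is sent.
    url, form = build_daemon_token_request(
        "contoso-tenant-id", "app-client-id", "app-secret",
        "api://downstream/.default")
    print(url, encode_form(form))
    url, form = build_daemon_token_request(
        "contoso-tenant-id", "app-client-id", "app-secret",
        "api://downstream/user.read", user_assertion="hdr.payload.sig")
    print(url, encode_form(form))
```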
Image: Pattern / XoMEoX