Applications overview
Learn the core concepts of applications in SecureAuth.
What is an application?
An application in the SecureAuth CIAM platform is defined as a Client and a Service:
-
Client – An OAuth 2.0 Client or a SAML Service Provider that consumes tokens and assertions issued by the SecureAuth platform. Applications use these tokens for user authentication or service consumption.
-
Service – The OAuth 2.0 Resource Server in a SecureAuth workspace, which which groups APIs into services for fine-grained access control.
Services also include microservices, which have their own identities for internal access control. Unlike resource servers, microservices do not rely on access tokens when communicating with each other.
Client application types
SecureAuth applies different default settings based on the client application type:
OAuth
| Type | Grant types | Response yypes | Auth method | Notes |
|---|---|---|---|---|
| Single Page App | Authorization Code Flow | Code, Token, ID | None | Public client with no client secret |
| Server-Side Web App | Authorization Code Flow | Code, Token | client_secret_post | Private client |
| Mobile/Desktop App | Authorization Code Flow | Code, Token, ID | None | Public client with no client secret |
| Service App | Client Credentials Flow | Token | client_secret_post | Private client |
| Single Page (Legacy) | Implicit Flow | Token | None | Public client with no client secret |
SAML
- SAML Service Provider – Accepts and processes SAML assertions for authentication.
Adding applications
SecureAuth lets you add and manage applications and services:
-
Add OAuth or SAML clients manually
-
Add services:
-
Using automatic service discovery via API gateways or service meshes
-
Dynamic registration – Enable developers to register apps dynamically using OAuth DCR or SecureAuth developer portals
SAML applications expose SSO login and metadata endpoints. SecureAuth protects their resources by enforcing policies such as MFA requirements.