Microsoft identity platform authentication libraries
The following tables show Microsoft Authentication Library support for several application types. They include links to library source code, where to get the package for your app's project, and whether the library supports user sign-in (authentication), access to protected web APIs (authorization), or both.
The Microsoft identity platform has been certified by the OpenID Foundation as a certified OpenID provider. If you prefer to use a library other than the Microsoft Authentication Library (MSAL) or another Microsoft-supported library, choose one with a certified OpenID Connect implementation.
If you choose to hand-code your own protocol-level implementation of OAuth 2.0 or OpenID Connect 1.0, pay close attention to the security considerations in each standard's specification and follow secure software design and development practices like those in the Microsoft SDL.
Single-page application (SPA)
A single-page application runs entirely in the browser and fetches page data (HTML, CSS, and JavaScript) dynamically or at application load time. It can call web APIs to interact with back-end data sources.
Because a SPA's code runs entirely in the browser, it's considered a public client that's unable to store secrets securely.
Language / framework | Project on GitHub |
Package | Getting started |
Sign in users | Access web APIs | Generally available (GA) or Public preview1 |
---|---|---|---|---|---|---|
Angular | MSAL Angular v22 | msal-angular | Quickstart | GA | ||
Angular | MSAL Angular3 | msal-angular | — | GA | ||
AngularJS | MSAL AngularJS3 | msal-angularjs | — | Public preview | ||
JavaScript | MSAL.js v22 | msal-browser | Tutorial | GA | ||
JavaScript | MSAL.js 1.03 | msal-core | — | GA | ||
React | MSAL React2 | msal-react | Quickstart | GA |
1 Universal License Terms for Online Services apply to libraries in Public preview.
2 Auth code flow with PKCE only (Recommended).
3 Implicit grant flow only (Not recommended).
Web application
A web application runs code on a server that generates and sends HTML, CSS, and JavaScript to a user's web browser to be rendered. The user's identity is maintained as a session between the user's browser (the front end) and the web server (the back end).
Because a web application's code runs on the web server, it's considered a confidential client that can store secrets securely.
Language / framework | Project on GitHub |
Package | Getting started |
Sign in users | Access web APIs | Generally available (GA) or Public preview1 |
|
---|---|---|---|---|---|---|---|
.NET | MSAL.NET | Microsoft.Identity.Client | — | GA | |||
.NET | Microsoft.IdentityModel | Microsoft.IdentityModel | — | 2 | 2 | GA | |
ASP.NET Core | Microsoft.Identity.Web | Microsoft.Identity.Web | Quickstart | GA | |||
Java | MSAL4J | msal4j | Quickstart | GA | |||
Spring | spring-cloud-azure-starter-active-directory | spring-cloud-azure-starter-active-directory | Tutorial | GA | |||
Node.js | MSAL Node | msal-node | Quickstart | GA | |||
Python | MSAL Python | msal | GA | ||||
Python | identity | identity | Quickstart | -- |
(1) Universal License Terms for Online Services apply to libraries in Public preview.
(2) The Microsoft.IdentityModel library only validates tokens - it can't request ID or access tokens.
Desktop application
A desktop application is typically binary (compiled) code that displays a user interface and is intended to run on a user's desktop.
Because a desktop application runs on the user's desktop, it's considered a public client that's unable to store secrets securely.
Language / framework | Project on GitHub |
Package | Getting started |
Sign in users | Access web APIs | Generally available (GA) or Public preview1 |
---|---|---|---|---|---|---|
Electron | MSAL Node.js | msal-node | — | Public preview | ||
Java | MSAL4J | msal4j | — | GA | ||
macOS (Swift/Obj-C) | MSAL for iOS and macOS | MSAL | Tutorial | GA | ||
UWP | MSAL.NET | Microsoft.Identity.Client | Tutorial | GA | ||
WPF | MSAL.NET | Microsoft.Identity.Client | Tutorial | GA |
1 Universal License Terms for Online Services apply to libraries in Public preview.
Mobile application
A mobile application is typically binary (compiled) code that displays a user interface and is intended to run on a user's mobile device.
Because a mobile application runs on the user's mobile device, it's considered a public client that's unable to store secrets securely.
Platform | Project on GitHub |
Package | Getting started |
Sign in users | Access web APIs | Generally available (GA) or Public preview1 |
---|---|---|---|---|---|---|
Android (Java) | MSAL Android | MSAL | Quickstart | GA | ||
Android (Kotlin) | MSAL Android | MSAL | — | GA | ||
iOS (Swift/Obj-C) | MSAL for iOS and macOS | MSAL | Tutorial | GA | ||
Xamarin (.NET) | MSAL.NET | Microsoft.Identity.Client | — | GA |
1 Universal License Terms for Online Services apply to libraries in Public preview.
Service / daemon
Services and daemons are commonly used for server-to-server and other unattended (sometimes called headless) communication. Because there's no user at the keyboard to enter credentials or consent to resource access, these applications authenticate as themselves, not a user, when requesting authorized access to a web API's resources.
A service or daemon that runs on a server is considered a confidential client that can store its secrets securely.
Language / framework | Project on GitHub |
Package | Getting started |
Sign in users | Access web APIs | Generally available (GA) or Public preview1 |
---|---|---|---|---|---|---|
.NET | MSAL.NET | Microsoft.Identity.Client | Quickstart | GA | ||
Java | MSAL4J | msal4j | — | GA | ||
Node | MSAL Node | msal-node | Quickstart | GA | ||
Python | MSAL Python | msal-python | Quickstart | GA |
1 Universal License Terms for Online Services apply to libraries in Public preview.
Next steps
For more information about the Microsoft Authentication Library, see the Overview of the Microsoft Authentication Library (MSAL).