Microsoft identity platform authentication libraries

The following tables show Microsoft Authentication Library support for several application types. They include links to library source code, where to get the package for your app's project, and whether the library supports user sign-in (authentication), access to protected web APIs (authorization), or both.

The Microsoft identity platform has been certified by the OpenID Foundation as a certified OpenID provider. If you prefer to use a library other than the Microsoft Authentication Library (MSAL) or another Microsoft-supported library, choose one with a certified OpenID Connect implementation.

If you choose to hand-code your own protocol-level implementation of OAuth 2.0 or OpenID Connect 1.0, pay close attention to the security considerations in each standard's specification and follow secure software design and development practices like those in the Microsoft SDL.

Single-page application (SPA)

A single-page application runs entirely in the browser and fetches page data (HTML, CSS, and JavaScript) dynamically or at application load time. It can call web APIs to interact with back-end data sources.

Because a SPA's code runs entirely in the browser, it's considered a public client that's unable to store secrets securely.

Language / framework Project on
GitHub
Package Getting
started
Sign in users Access web APIs Generally available (GA) or
Public preview1
Angular MSAL Angular v22 msal-angular Tutorial Library can request ID tokens for user sign-in. Library can request access tokens for protected web APIs. GA
Angular MSAL Angular3 msal-angular Library can request ID tokens for user sign-in. Library can request access tokens for protected web APIs. GA
AngularJS MSAL AngularJS3 msal-angularjs Library can request ID tokens for user sign-in. Library can request access tokens for protected web APIs. Public preview
JavaScript MSAL.js v22 msal-browser Tutorial Library can request ID tokens for user sign-in. Library can request access tokens for protected web APIs. GA
JavaScript MSAL.js 1.03 msal-core Library can request ID tokens for user sign-in. Library can request access tokens for protected web APIs. GA
React MSAL React2 msal-react Tutorial Library can request ID tokens for user sign-in. Library can request access tokens for protected web APIs. GA

1 Universal License Terms for Online Services apply to libraries in Public preview.

2 Auth code flow with PKCE only (Recommended).

3 Implicit grant flow only.

Web application

A web application runs code on a server that generates and sends HTML, CSS, and JavaScript to a user's web browser to be rendered. The user's identity is maintained as a session between the user's browser (the front end) and the web server (the back end).

Because a web application's code runs on the web server, it's considered a confidential client that can store secrets securely.

Language / framework Project on
GitHub
Package Getting
started
Sign in users Access web APIs Generally available (GA) or
Public preview1
.NET MSAL.NET Microsoft.Identity.Client Library cannot request ID tokens for user sign-in. Library can request access tokens for protected web APIs. GA
.NET Microsoft.IdentityModel Microsoft.IdentityModel Library cannot request ID tokens for user sign-in.2 Library cannot request access tokens for protected web APIs.2 GA
ASP.NET Core ASP.NET Core Microsoft.AspNetCore.Authentication Quickstart Library can request ID tokens for user sign-in. Library cannot request access tokens for protected web APIs. GA
ASP.NET Core Microsoft.Identity.Web Microsoft.Identity.Web Quickstart Library can request ID tokens for user sign-in. Library can request access tokens for protected web APIs. GA
Java MSAL4J msal4j Quickstart Library can request ID tokens for user sign-in. Library can request access tokens for protected web APIs. GA
Spring spring-cloud-azure-starter-active-directory spring-cloud-azure-starter-active-directory Tutorial Library can request ID tokens for user sign-in. Library can request access tokens for protected web APIs. GA
Node.js MSAL Node msal-node Quickstart Library can request ID tokens for user sign-in. Library can request access tokens for protected web APIs. GA
Python MSAL Python msal Library can request ID tokens for user sign-in. Library can request access tokens for protected web APIs. GA
Python identity identity Quickstart Library can request ID tokens for user sign-in. Library can request access tokens for protected web APIs. --

(1) Universal License Terms for Online Services apply to libraries in Public preview.

(2) The Microsoft.IdentityModel library only validates tokens - it can't request ID or access tokens.

Desktop application

A desktop application is typically binary (compiled) code that displays a user interface and is intended to run on a user's desktop.

Because a desktop application runs on the user's desktop, it's considered a public client that's unable to store secrets securely.

Language / framework Project on
GitHub
Package Getting
started
Sign in users Access web APIs Generally available (GA) or
Public preview1
Electron MSAL Node.js msal-node Library can request ID tokens for user sign-in. Library can request access tokens for protected web APIs. Public preview
Java MSAL4J msal4j Library can request ID tokens for user sign-in. Library can request access tokens for protected web APIs. GA
macOS (Swift/Obj-C) MSAL for iOS and macOS MSAL Tutorial Library can request ID tokens for user sign-in. Library can request access tokens for protected web APIs. GA
UWP MSAL.NET Microsoft.Identity.Client Tutorial Library can request ID tokens for user sign-in. Library can request access tokens for protected web APIs. GA
WPF MSAL.NET Microsoft.Identity.Client Tutorial Library can request ID tokens for user sign-in. Library can request access tokens for protected web APIs. GA

1 Universal License Terms for Online Services apply to libraries in Public preview.

Mobile application

A mobile application is typically binary (compiled) code that displays a user interface and is intended to run on a user's mobile device.

Because a mobile application runs on the user's mobile device, it's considered a public client that's unable to store secrets securely.

Platform Project on
GitHub
Package Getting
started
Sign in users Access web APIs Generally available (GA) or
Public preview1
Android (Java) MSAL Android MSAL Quickstart Library can request ID tokens for user sign-in. Library can request access tokens for protected web APIs. GA
Android (Kotlin) MSAL Android MSAL Library can request ID tokens for user sign-in. Library can request access tokens for protected web APIs. GA
iOS (Swift/Obj-C) MSAL for iOS and macOS MSAL Tutorial Library can request ID tokens for user sign-in. Library can request access tokens for protected web APIs. GA
Xamarin (.NET) MSAL.NET Microsoft.Identity.Client Library can request ID tokens for user sign-in. Library can request access tokens for protected web APIs. GA

1 Universal License Terms for Online Services apply to libraries in Public preview.

Service / daemon

Services and daemons are commonly used for server-to-server and other unattended (sometimes called headless) communication. Because there's no user at the keyboard to enter credentials or consent to resource access, these applications authenticate as themselves, not a user, when requesting authorized access to a web API's resources.

A service or daemon that runs on a server is considered a confidential client that can store its secrets securely.

Language / framework Project on
GitHub
Package Getting
started
Sign in users Access web APIs Generally available (GA) or
Public preview1
.NET MSAL.NET Microsoft.Identity.Client Quickstart Library cannot request ID tokens for user sign-in. Library can request access tokens for protected web APIs. GA
Java MSAL4J msal4j Library cannot request ID tokens for user sign-in. Library can request access tokens for protected web APIs. GA
Node MSAL Node msal-node Quickstart Library cannot request ID tokens for user sign-in. Library can request access tokens for protected web APIs. GA
Python MSAL Python msal-python Quickstart Library cannot request ID tokens for user sign-in. Library can request access tokens for protected web APIs. GA

1 Universal License Terms for Online Services apply to libraries in Public preview.

Next steps

For more information about the Microsoft Authentication Library, see the Overview of the Microsoft Authentication Library (MSAL).