This topic describes the OAuth 2.0 Authorization Code grant type supported by Pivotal Single Sign-On (SSO). The authorization code grant type is the most commonly used grant type. This grant type is for server-side applications.
OAuth 2.0 Roles
- Resource Owner: A person or system capable of granting access to a protected resource.
- Application: A client that makes protected requests using the authorization of the resource owner.
- Authorization Server: The Single Sign-On server that issues access tokens to client applications after successfully authenticating the resource owner.
- Resource Server: The server that hosts protected resources and accepts and responds to protected resource requests using access tokens. Applications access the server through APIs.
Authorization Code Flow
- Access Application: The user accesses the application and triggers authentication and authorization.
- Authentication and Request Authorization: The application prompts the user for their username and password. The first time the user goes through this flow for the application, the user sees an approval page. On this page, the user can choose permissions to authorize the application to access resources on their behalf.
- Authentication and Grant Authorization: The authorization server receives the authentication and authorization grant.
- Send Authentication Code: After the user authorizes the application, the authorization server sends an authorization code to the application.
- Request Code Exchange for Token: The application receives the authorization code and requests an access token from the authorization server. This gives the application access to the approved permissions.
- Issue Access Token: The authorization server validates the authorization code and issues an access token.
- Request Resource w/ Access Token: The application attempts to access the resource from the resource server by presenting the access token.
- Return Resource: If the access token is valid, the resource server returns the resources that the user authorized the application to receive.
The resource server runs in PCF under a given space and organization. Developers set the permissions for the resource server API endpoints. To do this, they create resources that correspond to API endpoints secured by the Single Sign-On service. Applications can then access these resources on behalf of users.