Native Mobile, Desktop, or Command Line App
For Native Mobile and Desktop apps, Pivotal Single Sign‑On supports the Resource Owner Password OAuth 2.0 grant type. This password grant type is for highly trusted apps where resource owners share their credentials directly with the app.
The following roles are available in an OAuth 2.0 scenario:
- Resource Owner: A person or system capable of granting access to a protected resource.
- Application: A client that makes protected requests using the authorization of the resource owner.
- Authorization Server: The Single Sign‑On server that issues access tokens to client apps after successfully authenticating the resource owner.
- Resource Server: The server that hosts protected resources and accepts and responds to protected resource requests using access tokens. Apps access the server through APIs.
The following diagram shows the authentication flow used by mobile apps. In this scenario, the app is backed by a resource server and both are secured by the UAA authorization server.
- Authenticate w/ Username and Password: The user authenticates with the app using their username and password.
- Send Username/Password: The app sends the username and password to the authorization server for validation.
- Issue Access Token: The authorization server validates the username and password and issues an access token.
- Request Resource w/ Access Token: The app attempts to access the resource from the resource server by presenting the access token.
- Return Resource: If the access token is valid, the resource server returns the resources that the user authorized the app to receive.
The resource server runs in Pivotal Platform under a given space and orgn. Developers set the permissions for the resource server API endpoints. To do this, they create resources that correspond to API endpoints secured by Single Sign‑On. Apps can then access these resources on behalf of users.