Service-to-Service App

For service-to-service apps, Pivotal Single Sign‑On supports the Client Credentials OAuth 2.0 grant type. The client credentials grant type is for apps that request an access token and access resources on their own behalf, with no user involved. This is typically the case when a service calls APIs without a user present.

OAuth 2.0 Actors

  • Application: A client that makes protected requests using the authorization of the resource owner.
  • Authorization Server: Single Sign‑On server that issues access tokens to client apps after successfully authenticating the resource owner.
  • Resource Server: The server that hosts protected resources and accepts and responds to protected resource requests using access tokens. Apps access the server through its APIs.

Client Credentials Flow

[Figure: OAuth client credentials flow]

  1. Authenticate w/ Client ID and Secret: The app authenticates with the authorization server using its client ID and client secret.
  2. Issue Access Token: The authorization server validates the client ID and client secret and issues an access token.
  3. Request Resource w/ Access Token: The app attempts to access the resource from the resource server by presenting the access token.
  4. Return Resource: If the access token is valid, the resource server returns the resources to the app.
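The four steps above, worked through as an added example that is not part of the Pivotal documentation or of the Single Sign‑On service itself. Both sides of the exchange are simulated in-process: the client authenticates to a token endpoint with HTTP Basic client credentials and grant_type=client_credentials (the shape defined in RFC 6749 section 4.4), the authorization server checks the secret and issues a bearer token, and the resource server checks the token and its scope before returning anything. The client id, secret, scope name and resource payload are constructed placeholders.

```python
import base64
import hmac
import secrets
import time
from urllib.parse import parse_qs

# Constructed client registry: client_id -> (client_secret, scopes the client may request).
CLIENTS = {"inventory-service": ("s3cret-constructed", {"inventory.read"})}
TOKEN_TTL = 300                   # seconds; short-lived tokens limit damage if one leaks
issued_tokens = {}                # token -> (client_id, granted scopes, expiry)

def build_token_request(client_id, client_secret, scope):
    """Step 1: the app authenticates with its client id and secret (HTTP Basic)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"Authorization": f"Basic {creds}"}, f"grant_type=client_credentials&scope={scope}"

def token_endpoint(headers, body):
    """Step 2: the authorization server validates the client and issues an access token."""
    scheme, _, creds = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic":
        return 401, {"error": "invalid_client"}
    client_id, _, secret = base64.b64decode(creds).decode().partition(":")
    form = parse_qs(body)
    if form.get("grant_type") != ["client_credentials"]:
        return 400, {"error": "unsupported_grant_type"}
    registered = CLIENTS.get(client_id)
    # Constant-time comparison so a wrong secret cannot be guessed byte by byte via timing.
    if registered is None or not hmac.compare_digest(registered[0].encode(), secret.encode()):
        return 401, {"error": "invalid_client"}
    requested = set(form.get("scope", [""])[0].split()) or registered[1]
    if not requested <= registered[1]:             # never grant more than was registered
        return 400, {"error": "invalid_scope"}
    token = secrets.token_urlsafe(32)
    issued_tokens[token] = (client_id, requested, time.time() + TOKEN_TTL)
    return 200, {"access_token": token, "token_type": "bearer", "expires_in": TOKEN_TTL}

def resource_endpoint(headers, required_scope, now=None):
    """Steps 3 and 4: the resource server checks the bearer token, then returns the resource."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    record = issued_tokens.get(token) if scheme == "Bearer" else None
    current = time.time() if now is None else now
    if record is None or current >= record[2]:      # unknown, revoked or expired token
        return 401, {"error": "invalid_token"}
    if required_scope not in record[1]:             # valid token, but not for this API
        return 403, {"error": "insufficient_scope"}
    return 200, {"items": ["widget-1", "widget-2"], "client": record[0]}

def run_flow(client_id, client_secret, scope="inventory.read"):
    """Drive the whole client credentials flow and return the resource server's reply."""
    headers, body = build_token_request(client_id, client_secret, scope)
    status, resp = token_endpoint(headers, body)
    if status != 200:
        return status, resp
    return resource_endpoint({"Authorization": f"Bearer {resp['access_token']}"}, "inventory.read")
```

Each failure path returns a distinct status so that a caller (or a log pipeline) can tell a bad client secret from an expired token or an out-of-scope request.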

The resource server runs in Pivotal Platform under a given space and org. Developers set the permissions for the resource server API endpoints. To do this, they create resources that correspond to API endpoints secured by Single Sign‑On. Administrators can create admin clients to perform automated management actions without a user. See Create Admin Client.