Web App

This topic describes the OAuth 2.0 Authorization Code grant type supported by Pivotal Single Sign‑On. The authorization code grant type is the most commonly used grant type. This grant type is for server-side apps.

OAuth 2.0 Roles

  • Resource Owner: A person or system capable of granting access to a protected resource.
  • Application: A client that makes protected requests using the authorization of the resource owner.
  • Authorization Server: The Pivotal Single Sign‑On server that issues access tokens to client apps after successfully authenticating the resource owner.
  • Resource Server: The server that hosts protected resources and accepts and responds to protected resource requests using access tokens. Apps access the server through APIs.

Authorization Code Flow

Oauth auth code

  1. Access Application: The user accesses the app and triggers authentication and authorization.
  2. Authentication and Request Authorization: The app redirects the user to the authorization server where it prompts the user for their username and password. The first time the user goes through this flow for the app, the user sees an approval page. On this page, the user can choose permissions to authorize the app to access resources on their behalf.
  3. Authentication and Grant Authorization: The authorization server receives the authentication and authorization grant.
  4. Send Authorization Code: After the user authorizes the app, the authorization server sends an authorization code to the app using a redirect.
  5. Request Code Exchange for Token: The app uses the authorization code to request an access token from the authorization server. This gives the app access to the approved permissions.
  6. Issue Access Token: The authorization server validates the authorization code and issues an access token.
  7. Request Resource w/ Access Token: The app attempts to access the resource from the resource server by presenting the access token.
  8. Return Resource: If the access token is valid, the resource server returns the resources that the user authorized the app to receive.

The resource server runs in Pivotal Platform under a given space and org. Developers set the permissions for the resource server API endpoints. To do this, they create resources that correspond to API endpoints secured by Pivotal Single Sign‑On. Apps can then access these resources on behalf of users.