Web + Service-to-Service App

This topic describes the Web + Service-to-Service app type for Pivotal Single Sign‑On.

Overview

The Web + Service-to-Service app type enables an app to use the following OAuth 2.0 grant types:

Web and Service-to-Service apps can use both of the above grant types to access resources for users and the app.

Authorization Code OAuth 2.0 Grant Type

The Authorization Code OAuth 2.0 grant type uses the following roles:

  • Resource Owner: A person or system capable of granting access to a protected resource.
  • Application: A client that makes protected requests using the authorization of the resource owner.
  • Authorization Server: The Pivotal Single Sign‑On server that issues access tokens to client apps after successfully authenticating the resource owner.
  • Resource Server: The server that hosts protected resources and accepts and responds to protected resource requests using access tokens. Apps access the server through APIs.

Authorization Code Flow

The following diagram describes the flow for the Authorization Code grant type:

Oauth auth code

  1. Access Application: The user accesses the app and triggers authentication and authorization.
  2. Authentication and Request Authorization: The app redirects the user to the authorization server where it prompts the user for their username and password. The first time the user goes through this flow for the app, the user sees an approval page. On this page, the user can choose permissions to authorize the app to access resources on their behalf.
  3. Authentication and Grant Authorization: The authorization server receives the authentication and authorization grant.
  4. Send Authorization Code: After the user authorizes the app, the authorization server sends an authorization code to the app using a redirect.
  5. Request Code Exchange for Token: The app uses the authorization code to request an access token from the authorization server. This gives the app access to the approved permissions.
  6. Issue Access Token: The authorization server validates the authorization code and issues an access token.
  7. Request Resource w/ Access Token: The app attempts to access the resource from the resource server by presenting the access token.
  8. Return Resource: If the access token is valid, the resource server returns the resources that the user authorized the app to receive.

The resource server runs in Pivotal Platform under a given space and org. Developers set the permissions for the resource server API endpoints. To do this, developers create resources that correspond to API endpoints secured by Pivotal Single Sign‑On. Apps can then access these resources on behalf of users.

Client Credentials OAuth 2.0 Grant Type

The Client Credentials OAuth 2.0 grant type uses the following actors:

  • Application: A client that makes protected requests using the authorization of the resource owner.
  • Authorization Server: The Pivotal Single Sign‑On server that issues access tokens to client apps after successfully authenticating the resource owner.
  • Resource Server: The server that hosts protected resources and accepts and responds to protected resource requests using access tokens. Apps access the server through APIs.

Client Credentials Flow

Oauth client credentials

The following diagram describes the flow for the Client Credentials grant type:

  1. Authenticate w/ Client ID and Secret: The app authenticates with the authorization server using its client ID and client secret.
  2. Issue Access Token: The authorization server validates the client ID and client secret and issues an access token.
  3. Request Resource w/ Access Token: The app attempts to access the resource from the resource server by presenting the access token.
  4. Return Resource: If the access token is valid, the resource server returns the resources to the app.

The resource server runs in Pivotal Single Sign‑On under a given space and org. Developers set the permissions for the resource server API endpoints. To do this, developers create resources that correspond to API endpoints secured by Pivotal Single Sign‑On. Administrators can create admin clients to perform automated management actions without a user. See Create Admin Client.