Native Mobile, Desktop, or Command Line App
For Native Mobile and Desktop applications, Pivotal Single Sign-On (SSO) supports the Resource Owner Password OAuth 2.0 grant type. This password grant type is for highly trusted applications where resource owners share their credentials directly with the application.
OAuth 2.0 Roles
The following roles are available in an OAuth 2.0 scenario:
- Resource Owner: A person or system capable of granting access to a protected resource.
- Application: A client that makes protected requests using the authorization of the resource owner.
- Authorization Server: The Single Sign-On server that issues access tokens to client applications after successfully authenticating the resource owner.
- Resource Server: The server that hosts protected resources and accepts and responds to protected resource requests using access tokens. Applications access the server through APIs.
Native Mobile App Flow
The following diagram shows the authentication flow used by mobile apps. In this scenario, the application is backed by a resource server and both are secured by the UAA authorization server.
- Authenticate w/ Username and Password: The user authenticates with the application using their username and password.
- Send Username/Password: The application sends the username and password to the authorization server for validation.
- Issue Access Token: The authorization server validates the username and password and issues an access token.
- Request Resource w/ Access Token: The application attempts to access the resource from the resource server by presenting the access token.
- Return Resource: If the access token is valid, the resource server returns the resources that the user authorized the application to receive.
The resource server runs in PCF under a given space and organization. Developers set the permissions for the resource server API endpoints. To do this, they create resources that correspond to API endpoints secured by the Single Sign-On service. Applications can then access these resources on behalf of users.