Single-Page JavaScript App

Warning: Single Sign‑On for Pivotal Cloud Foundry v1.6 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.

This topic describes the OAuth 2.0 implicit grant type supported by Pivotal Single Sign-On (SSO). The implicit grant type is for applications with a client secret that is not guaranteed to be confidential.

OAuth 2.0 Roles

  • Resource Owner: A person or system capable of granting access to a protected resource.
  • Application: A client that makes protected requests using the authorization of the resource owner.
  • Authorization Server: The Single Sign-On server that issues access tokens to client applications after successfully authenticating the resource owner.
  • Resource Server: The server that hosts protected resources and accepts and responds to protected resource requests using access tokens. Applications access the server through APIs.

Implicit Flow

Oauth implicit

  1. Access Application: The user accesses the application and triggers authentication and authorization.
  2. Authentication and Request Authorization: The application prompts the user for their username and password. The first time the user goes through this flow for the application, the user sees an approval page. On this page, the user can choose permissions to authorize the application to access resources on their behalf.
  3. Authentication and Grant Authorization: The authorization server receives the authentication and authorization grant.
  4. Issue Access Token: The authorization server validates the authorization code and returns an access token with the redirect URL.
  5. Request Resource w/ Access Token in: The application attempts to access the resource from the resource server by presenting the access token in the URL.
  6. Return Resource: If the access token is valid, the resource server returns the resources that the user authorized the application to receive.

The resource server runs in PCF under a given space and organization. Developers set the permissions for the resource server API endpoints. To do this, they create resources that correspond to API endpoints secured by the Single Sign-On service. Applications can then access these resources on behalf of users.