Service-to-Service App

For Service-to-Service applications, Pivotal Single Sign-On (SSO) supports the Client Credentials OAuth 2.0 grant type. The client credentials grant type is for applications that can request an access token and access resources on its own. This is often the case when there are services that call APIs without users.

OAuth 2.0 Actors

  • Application: A client that makes protected requests using the authorization of the resource owner.
  • Authorization Server: The Single Sign-On server that issues access tokens to client applications after successfully authenticating the resource owner.
  • Resource Server: The server that hosts protected resources and accepts and responds to protected resource requests using access tokens. Applications access the server through APIs.

Client Credentials Flow

Oauth client credentials

  1. Authenticate w/ Client ID and Secret: The application authenticates with the authorization server using its client ID and client secret.
  2. Issue Access Token: The authorization server validates the client ID and client secret and issues an access token.
  3. Request Resource w/ Access Token: The application attempts to access the resource from the resource server by presenting the access token.
  4. Return Resource: If the access token is valid, the resource server returns the resources to the application.

The resource server runs in PWS under a given space and organization. Developers set the permissions for the resource server API endpoints. To do this, they create resources that correspond to API endpoints secured by the Single Sign-On service. Administrators can create admin clients to perform automated management actions without a user. See Create Admin Client.