Methods and apparatus for obtaining a scoped token
US-2018007024-A1 · Jan 4, 2018 · US
US10277409B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10277409-B2 |
| Application number | US-201715834123-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 7, 2017 |
| Priority date | Dec 4, 2014 |
| Publication date | Apr 30, 2019 |
| Grant date | Apr 30, 2019 |
Official abstract text for this publication.
Examples of techniques for authenticating mobile applications are described herein. A method includes receiving, via a first server, a key pair and a policy file associated with a mobile service from a second server. Authentication of the mobile application is performed based on the key pair and the policy file. A scope token is generated with an application scope in response to authenticating the mobile application. Authentication of a client device is performed corresponding to the mobile application and a user to generate a doubly-authenticated scope token including a device scope and application authenticity scope. The doubly-authenticated scope token is sent to a security gateway for user authentication. A trebly-authenticated scope token is received with a grant token request and a grant token is sent to the mobile application. The grant token is received from the mobile application. An access token is generated and sent to the mobile application.
Claims.
What is claimed is:
1. A method, comprising: receiving, via a first server, a key pair and a policy file associated with a mobile service from a second server, the policy file comprising a list of: a plurality of security objects to be authenticated, a plurality of computing devices to authenticate the security objects, and an order of authentication; distributing the key pair and the policy file; receiving an authentication request from a mobile application; authenticating the mobile application based in part on the key pair and the policy file; generating a scope token with an application scope in response to authenticating the mobile application, the scope token comprising a signature based in part on the key pair; authenticating a client device corresponding to the mobile application and a user to generate a doubly-authenticated scope token comprising a device scope and application authenticity scope; sending the doubly-authenticated scope token to a security gateway for user authentication; receiving a trebly-authenticated scope token with a grant token request and sending a grant token to the mobile application, the trebly-authenticated scope token to include a user scope; receiving the grant token from the mobile application; and generating and sending an access token to the mobile application.
2. The method of claim 1, wherein a service server is accessible by the mobile application using the access token.
3. The method of claim 1, wherein the key pair comprises a private key and a public key.
4. The method of claim 3, wherein the policy file comprises instructions defining types of security checks associated with a service, an order in which the authentications are to be executed, and a device responsible for each authentication.
5. The method of claim 1, wherein the application scope, the user scope, and the device scope comprise an expiration time.
6. The method of claim 1, further comprising a mobile enterprise application platform (MEAP) executable by the processor to validate the access token.
7. The method of claim 1, wherein the scope token further comprises a device identification and a user name.
8. A computer program product for authenticating mobile applications, the computer program product comprising a computer-readable storage medium having program code embodied therewith, wherein the computer-readable storage medium is not a transitory signal per se, the program code executable by a processor to cause the processor to: receive, via a first server, a key pair and a policy file associated with a mobile service from a second server, the policy file comprising a list of: a plurality of security objects to be authenticated, a plurality of computing devices to authenticate the security objects, and an order of authentication; distribute the key pair and the policy file; receive an authentication request from a mobile application; authenticate the mobile application based in part on the key pair and the policy file; generate a scope token with an application scope in response to authenticating the mobile application, the scope token comprising a signature based in part on the key pair; authenticate a client device corresponding to the mobile application and a user to generate a doubly-authenticated scope token comprising a device scope and application authenticity scope; send the doubly-authenticated scope token to a security gateway for user authentication; receive a trebly-authenticated scope token with a grant token request and send a grant token to the mobile application, the trebly-authenticated scope token to include a user scope; receive the grant token from the mobile application; and generate and send an access token to the mobile application.
9. The computer program product of claim 8, wherein a service server is accessible by the mobile application using the access token.
10. The computer program product of claim 8, wherein the key pair comprises a private key and a public key.
11. The computer program product of claim 10, wherein the policy file comprises instructions defining types of security checks associated with a service, an order in which the authentications are to be executed, and a device responsible for each authentication.
12. The computer program product of claim 8, wherein the application scope, the user scope, and the device scope comprise an expiration time.
13. The computer program product of claim 8, wherein a mobile enterprise application platform (MEAP) is executable by the processor to validate the access token.
14. The computer program product of claim 8, wherein the scope token further comprises a device identification and a user name.
15. The computer program product of claim 8, wherein the program code executable by the processor further causes the processor to provide access to a service server for the mobile application using the access token.
16. The method of claim 1, further comprising: providing access to a service server for the mobile application using the access token.
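The claims describe a scope token that accumulates an application scope, a device scope and a user scope, each added by the authority the policy file names, in the order the policy file fixes, each with its own expiration, and the whole carrying a signature. The Python below is an added illustration of that accumulation and of the check made before an access token is issued; it is not code from the patent or its assignee. The policy list is constructed, and an HMAC over a demo secret stands in for the key-pair signature (both assumptions).

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed policy file (assumption): which security objects must be authenticated,
# by which computing device, and in what order, as claim 1 describes.
POLICY = [("application", "first_server"), ("device", "first_server"), ("user", "security_gateway")]
# Demo secret standing in for the patent's key pair (assumption); a deployment would use an asymmetric signature.
SIGNING_KEY = b"constructed-demo-key"


def _sign(payload: dict) -> str:
    # Canonical JSON so the same scopes always yield the same signature.
    return hmac.new(SIGNING_KEY, json.dumps(payload, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def add_scope(token: Optional[dict], scope: str, authority: str, ttl: float, now: float) -> dict:
    """Return a new token carrying one more scope; the policy fixes which scope comes next and who may add it."""
    payload = {"scopes": {}} if token is None else token["payload"]
    if token is not None and not hmac.compare_digest(_sign(payload), token["sig"]):
        raise ValueError("existing scope token signature does not verify")
    step = len(payload["scopes"])
    if step >= len(POLICY):
        raise ValueError("policy already fully satisfied")
    if POLICY[step] != (scope, authority):
        raise ValueError(f"policy requires {POLICY[step]} next, got {(scope, authority)}")
    new_payload = {"scopes": {**payload["scopes"], scope: {"by": authority, "exp": now + ttl}}}
    return {"payload": new_payload, "sig": _sign(new_payload)}


def scope_count(token: dict) -> int:
    """1 = application scope only, 2 = doubly-authenticated, 3 = trebly-authenticated."""
    return len(token["payload"]["scopes"])


def validate(token: dict, now: float) -> bool:
    """Check made before issuing the access token: signature intact, every policy scope present and unexpired."""
    if not hmac.compare_digest(_sign(token["payload"]), token["sig"]):
        return False
    scopes = token["payload"]["scopes"]
    return all(s in scopes and scopes[s]["exp"] > now for s, _ in POLICY)
```

A token that skips a stage, is presented out of order, has had a scope edited after signing, or whose scopes have expired is rejected, which is the property the ordered policy file is meant to give.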
using certificates · CPC title
Program or device authentication · CPC title
using tickets, e.g. Kerberos (cryptographic mechanisms or cryptographic arrangements for entity authentication using tickets or tokens H04L9/3213) · CPC title
Answer-back mechanisms or circuits · CPC title
for key distribution, e.g. centrally by trusted party (cryptographic mechanisms or cryptographic arrangements for key distribution involving a central third party H04L9/0819) · CPC title