Ticket Parameter in Authorization Endpoint

Authlete’s Authorization Endpoint APIs are backend APIs to implement an authorization endpoint. The APIs are comprised of two types of APIs:

1. API that understands authorization requests and provides information that will be required in the next step, such as end-user authentication, and

   • /auth/authorization

2. API that issues tokens or codes, or returns errors

   • /auth/authorization/fail , /auth/authorization/issue

These two APIs are linked using “ticket.”

First, Authlete /auth/authorization API returns ticket in its response to authorization requests. Then, auth/authorization/issue or auth/authorization/fail API receives the ticket and process the authorization requests to issue tokens or codes or return errors.

Here is a couple of nature of the ticket.

• A ticket will be expired in 24 hours. Expired tickets will be deleted from Authlete’s database.
• A ticket can only be used once. It will be removed from the database right after /auth/authorization/issue or /auth/authorization/fail API successfully processed a request including the ticket.
• When you use a ticket that has already been used or expired, you will get an error code like below:

[A041202] There is no entity having the ticket specified
in the /api/auth/authorization/issue request (ticket = {Ticket}).

• Please note that tickets are designed to be used only between an authorization server and Authlete server; It must thus not be used between an authorization server and user agent, such as web browser, to manage sessions, for example.