Ticket
An authentication ticket is a signed (and possibly encrypted) assertion of a user's identity that a client can use to authenticate the user without asking them to re-enter their credentials.
Description
Tickets MUST be issued by a session that was opened using an authentication method that is neither ticket nor anonymous authentication.
Claims
Claim | Type | Attributes | Description |
---|---|---|---|
id | string | IMMUTABLE | The unique identifier for the ticket. |
issued_by | string | IMMUTABLE | Identifies the principal that issued the ticket. Most of the time this is an application identifier (a.k.a. username or client_id), but sometimes it can be the WAMP session's username (a.k.a. authid). |
authid | string | IMMUTABLE | Identifies the principal that is the subject of the ticket. This is the WAMP session's username (a.k.a. authid). |
authrealm | string | IMMUTABLE | Identifies the recipients that the ticket is intended for. The value is a realm URI. |
expires_at | string | IMMUTABLE | Identifies the expiration time (a timestamp in seconds) on or after which the ticket MUST NOT be accepted for processing. Processing this claim requires that the current date/time be before its value. Bondy allows a small leeway of 2 minutes by default. |
issued_at | string | IMMUTABLE | Identifies the time at which the ticket was issued, as a timestamp in seconds. This claim can be used to determine the age of the ticket. |
issued_on | string | IMMUTABLE | The Bondy nodename on which the ticket was issued. |
scope | object | IMMUTABLE, COMPUTED | The scope of the ticket. |
realm | string | IMMUTABLE | If undefined, the ticket grants access to all realms the user has access to through the authrealm (an SSO realm). Otherwise, the value is the realm this ticket is valid on. |
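The following is an added example (not Bondy's own code) showing how a relying party would apply the claim semantics in the table once a ticket has been decoded and its signature verified: the expires_at check with the 2-minute default leeway, sanity checks on issued_at, and the realm rule (an undefined realm claim means any realm reachable through the authrealm). The sample claims, the node name and the set of SSO-reachable realms are constructed for the example; the function names are this example's own.

```python
import time

# Leeway Bondy applies by default when checking expires_at (2 minutes, per the page).
DEFAULT_LEEWAY_SECS = 120

REQUIRED_CLAIMS = ("id", "issued_by", "authid", "authrealm",
                   "expires_at", "issued_at", "issued_on")

# Constructed sample claims for a ticket issued by the application "app1" for
# user "alice" on an SSO realm; every value here is made up for this example.
SAMPLE_CLAIMS = {
    "id": "ticket-0001",
    "issued_by": "app1",
    "authid": "alice",
    "authrealm": "com.example.sso",
    "expires_at": "1000",
    "issued_at": "400",
    "issued_on": "bondy1@node.example",
    "scope": {},
}


def check_ticket_claims(claims, now=None, leeway_secs=DEFAULT_LEEWAY_SECS):
    """Return the list of problems found in a decoded ticket's claims.

    Assumes the caller has already verified the ticket's signature (and
    decrypted it if necessary): only the claim semantics described in the
    table are checked. An empty list means the claims are acceptable.
    """
    now = time.time() if now is None else now
    problems = [f"missing claim: {name}" for name in REQUIRED_CLAIMS
                if name not in claims]
    if problems:
        return problems

    # Timestamps are carried as strings holding seconds; reject anything else.
    try:
        expires_at = int(claims["expires_at"])
        issued_at = int(claims["issued_at"])
    except (TypeError, ValueError):
        return ["expires_at and issued_at must be integer seconds"]

    # expires_at: the current time must be before the claim value, plus the leeway.
    if now >= expires_at + leeway_secs:
        problems.append("ticket expired")
    # issued_at: a ticket issued in the future (beyond the leeway) is suspect,
    # and one issued after its own expiry is malformed.
    if issued_at > now + leeway_secs:
        problems.append("issued_at is in the future")
    if issued_at > expires_at:
        problems.append("issued_at is after expires_at")
    return problems


def ticket_grants_realm(claims, target_realm, sso_realms):
    """Decide whether the ticket may be used to authenticate on target_realm.

    sso_realms is the set of realm URIs the subject can reach through the
    ticket's authrealm; looking that up is outside this example, so the
    caller supplies it. When the realm claim is undefined the ticket is
    good for any of those realms, otherwise only for the realm it names.
    """
    realm = claims.get("realm")
    if realm is None:
        return target_realm in sso_realms
    return realm == target_realm
```

Note that the leeway is applied on the accepting side: a ticket whose expires_at has passed by less than the leeway is still accepted, so the leeway should be kept small and clocks on router nodes kept in sync.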
Ticket Scopes
A ticket can be issued using different scopes. The scope is determined based on the options used to issue the ticket.
Local scope
The ticket can be used to authenticate on the session's realm only.
The ticket was issued with the allow_sso option set to false (or set to true while the user did not have SSO credentials), and the client_ticket option was not provided.
Authorization
To be able to issue this ticket, the session must have been granted the bondy.issue permission on the bondy.ticket.scope.local resource.
SSO Scope
The ticket can be used to authenticate on any realm the user has access to through SSO.
The ticket was issued with the allow_sso option set to true, the user has SSO credentials, and the client_ticket option was not provided.
Authorization
To be able to issue this ticket, the session must have been granted the bondy.issue permission on the bondy.ticket.scope.sso resource.
Client-Local scope
The ticket can be used to authenticate on the session's realm only.
The ticket was issued with the allow_sso option set to false (or set to true while the user did not have SSO credentials), and the client_ticket option was provided with a valid ticket issued by a client (a local or SSO ticket).
Authorization
To be able to issue this ticket, the session must have been granted the bondy.issue permission on the bondy.ticket.scope.client_local resource.
Client-SSO scope
The ticket can be used to authenticate on any realm the user has access to through SSO.
The ticket was issued with the allow_sso option set to true, the user has SSO credentials, and the client_ticket option was provided with a valid ticket issued by a client (a local or SSO ticket).
Authorization
To be able to issue this ticket, the session must have been granted the bondy.issue permission on the bondy.ticket.scope.client_local resource.
Scope Summary
uri() in the following table refers to the scope realm (not the authentication realm, which is used in the prefix).
Permissions Summary
Issuing tickets requires the user to be granted certain permissions beyond the WAMP permission required to call the procedures.
Scope | Permission | Resource |
---|---|---|
Local | bondy.issue | bondy.ticket.scope.local |
SSO | bondy.issue | bondy.ticket.scope.sso |
Client-Local | bondy.issue | bondy.ticket.scope.client_local |
Client-SSO | bondy.issue | bondy.ticket.scope.client_sso |
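As an added example (not part of Bondy's code base), the scope rules in the four sections above and the Permissions Summary table can be written as one decision function: the scope follows from allow_sso, whether the user has SSO credentials, and whether client_ticket was supplied; the required grant is bondy.issue on the resource the table lists for that scope; and the Description's rule that sessions authenticated via ticket or anonymous cannot issue tickets is applied first. The function names and the shape of session_grants (a set of permission/resource pairs) are this example's assumptions.

```python
# Permission and resources from the Permissions Summary table.
ISSUE_PERMISSION = "bondy.issue"
SCOPE_RESOURCES = {
    "local": "bondy.ticket.scope.local",
    "sso": "bondy.ticket.scope.sso",
    "client_local": "bondy.ticket.scope.client_local",
    "client_sso": "bondy.ticket.scope.client_sso",
}

# Sessions opened with these authentication methods may not issue tickets
# (from the Description section).
NON_ISSUING_AUTHMETHODS = {"ticket", "anonymous"}


def ticket_scope(allow_sso, has_sso_credentials, client_ticket=None):
    """Map the issue options to one of the four scope names.

    client_ticket, when given, is assumed to have already been checked to be
    a valid local or SSO ticket issued by a client; only its presence matters
    here. The SSO scopes require allow_sso=True and SSO credentials together;
    any other combination falls back to the local variants.
    """
    sso = bool(allow_sso) and bool(has_sso_credentials)
    if client_ticket is None:
        return "sso" if sso else "local"
    return "client_sso" if sso else "client_local"


def required_grant(scope):
    """The (permission, resource) pair a session needs to issue a ticket of this scope."""
    return ISSUE_PERMISSION, SCOPE_RESOURCES[scope]


def issue_denied_reason(session_authmethod, session_grants, scope):
    """Return None if the session may issue a ticket of the given scope, else why not.

    session_grants is the set of (permission, resource) pairs the session holds
    (an assumed representation); the WAMP permission to call the procedure
    itself is assumed to be checked elsewhere.
    """
    if session_authmethod in NON_ISSUING_AUTHMETHODS:
        return f"sessions authenticated with {session_authmethod} cannot issue tickets"
    grant = required_grant(scope)
    if grant not in session_grants:
        return f"missing permission {grant[0]} on {grant[1]}"
    return None
```

Because each scope maps to its own resource, an operator can grant an application the right to mint local tickets without also letting it mint SSO-wide ones; the function makes that separation explicit.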
Procedures
bondy.ticket.issue(realm_uri;expiry_time_secs=,...) -> []
Call
Positional Args
None.
Keyword Args
Name | Type |
---|---|
expiry_time_secs | integer |
allow_sso | boolean |
client_ticket | string |
client_id | string |
client_instance_id | string |
Result
Positional Args
The call result is a single positional argument containing the encoded and signed ticket:
Index | Type | Required | Description |
---|---|---|---|
0 | string | REQUIRED | The ticket. |
Keyword Args
None.
bondy.ticket.revoke_all(realm_uri, authid) -> []
Call
Positional Args
Index | Type | Required | Description |
---|---|---|---|
0 | string | REQUIRED | The realm URI we want to revoke the tickets from. |
1 | string | REQUIRED | The authid of the user associated with the tickets we want to revoke. |
Keyword Args
None.
Result
Positional Args
Keyword Args
None.
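As an added example (not code from Bondy or any WAMP client library), here is what the two procedures look like on the wire: a CALL message for bondy.ticket.issue carrying only keyword arguments as the Call table describes, a CALL for bondy.ticket.revoke_all with its two positional arguments, and a parser for the router's reply that accepts the documented single-string RESULT and surfaces an ERROR. The message type codes (CALL 48, RESULT 50, ERROR 8) come from the WAMP specification; the request ids, ticket value and error URI in the usage are constructed.

```python
import json

# WAMP basic-profile message type codes (from the WAMP specification, not this page).
CALL, RESULT, ERROR = 48, 50, 8

ISSUE_PROC = "bondy.ticket.issue"
REVOKE_ALL_PROC = "bondy.ticket.revoke_all"


def build_issue_call(request_id, expiry_time_secs=None, allow_sso=None,
                     client_ticket=None, client_id=None, client_instance_id=None):
    """Build the CALL message for bondy.ticket.issue.

    Following the Call table: no positional arguments, and only the keyword
    arguments actually supplied are sent, so the router applies its defaults
    for the rest.
    """
    kwargs = {
        "expiry_time_secs": expiry_time_secs,
        "allow_sso": allow_sso,
        "client_ticket": client_ticket,
        "client_id": client_id,
        "client_instance_id": client_instance_id,
    }
    kwargs = {k: v for k, v in kwargs.items() if v is not None}
    return [CALL, request_id, {}, ISSUE_PROC, [], kwargs]


def build_revoke_all_call(request_id, realm_uri, authid):
    """Build the CALL message for bondy.ticket.revoke_all: two positional args."""
    return [CALL, request_id, {}, REVOKE_ALL_PROC, [realm_uri, authid]]


def parse_issue_reply(message, request_id):
    """Extract the ticket from the router's reply to an issue call.

    Returns the ticket string from a RESULT; raises RuntimeError on an ERROR
    reply and ValueError on a reply that does not match the request or the
    documented result shape (exactly one string positional argument).
    """
    if message[0] == RESULT:
        if message[1] != request_id:
            raise ValueError("RESULT for a different request")
        args = message[3] if len(message) > 3 else []
        if len(args) != 1 or not isinstance(args[0], str):
            raise ValueError("expected a single string positional result")
        return args[0]
    if message[0] == ERROR and message[1] == CALL and message[2] == request_id:
        raise RuntimeError(f"{ISSUE_PROC} failed: {message[4]}")
    raise ValueError("unexpected message")


def wire(message):
    """Serialise a message the way the JSON WAMP serializer does."""
    return json.dumps(message)


if __name__ == "__main__":
    # Constructed exchange: the client asks for a 5-minute SSO ticket and the
    # router answers with a RESULT whose single positional argument is the ticket.
    call = build_issue_call(7, expiry_time_secs=300, allow_sso=True)
    print(wire(call))
    reply = [RESULT, 7, {}, ["constructed-ticket-value"]]
    print(parse_issue_reply(reply, 7))
```

Matching the reply's request id to the outstanding CALL before trusting its payload is the part worth keeping in a real client: a ticket is a credential, and it should only ever be taken from the RESULT of the call that asked for it.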