Skip to content
On this page

Ticket

An authentication ticket is a signed (and possibly encrypted) assertion of a user's identity, that a client can use to authenticate the user without the need to ask it to re-enter its credentials.

Overview

Tickets MUST be issued by a session that was opened using an authentication method that is neither ticket nor anonymous authentication.

Claims

idstringIMMUTABLE
The unique identifier for the ticket
issued_bystringIMMUTABLE
Identifies the principal that issued the ticket. Most of the time this is an application identifier (a.k.a username or client_id) but sometimes it can be the WAMP session's username (a.k.a `authid`).
authidstringIMMUTABLE
identifies the principal that is the subject of the ticket. This is the WAMP session's username (a.k.a `authid').
authrealmstringIMMUTABLE
Identifies the recipients that the ticket is intended for. The value is a realm URI.
expires_atstringIMMUTABLE
Identifies the expiration time (a timestamp in seconds) on or after which the ticket MUST NOT be accepted for processing. The processing of this attribute requires that the current date/time MUST be before the value assigned to this attribute. Bondy considers a small leeway of 2 mins by default
issued_atstringIMMUTABLE
Identifies the time at which the ticket was issued. This claim can be used to determine the age of the ticket. Its value is a timestamp in seconds.
issued_onstringIMMUTABLE
The Bondy nodename in which the ticket was issued.
scopeobjectIMMUTABLECOMPUTED
The scope of the ticket.
realmstringIMMUTABLE
If undefined the ticket grants access to all realms the user has access to by the authrealm (an SSO realm). Otherwise, the value is the realm this ticket is valid on.

Ticket Scopes

A ticket can be issued using different scopes. The scope is determined based on the options used to issue the ticket.

Local scope

The ticket can be used to authenticate on the session's realm only.

The ticket was issued with allow_sso option set to false or when set to true the user did not have SSO credentials, and the option client_ticket was not provided.

Authorization

To be able to issue this ticket, the session must have been granted the permission bondy.issue on the bondy.ticket.scope.local resource.

SSO Scope

The ticket can be used to authenticate on any realm the user has access > to through SSO.

The ticket was issued with allow_sso option set to true and the user has SSO credentials, and the option client_ticket was not provided.

Authorization

To be able to issue this ticket, the session must have been granted the permission bondy.issue on the bondy.ticket.scope.sso resource.

Client-Local scope

The ticket can be used to authenticate on the session's realm only.

The ticket was issued with allow_sso option set to false or when set to true the user did not have SSO credentials, and the option client_ticket was provided having a valid ticket issued by a client (a local or sso ticket).

Authorization

To be able to issue this ticket, the session must have been granted the permission bondy.issue on the bondy.ticket.scope.client_local resource.

Client-SSO scope

The ticket can be used to authenticate on any realm the user has access to through SSO.

The ticket was issued with allow_sso option set to true and the user has SSO credentials, and the option client_ticket was provided having a valid ticket issued by a client ( a local or sso ticket).

Authorization

To be able to issue this ticket, the session must have been granted the permission bondy.issue on the bondy.ticket.scope.client_local resource.

Scope Summary

  • uri() in the following table refers to the scope realm (not the Authentication realm which is used in the prefix)

Permissions Summary

Issuing tickets requires the user to be granted certain permissions beyond the WAMP permission required to call the procedures.

ScopePermissionResource
Localbondy.issuebondy.ticket.scope.local
SSObondy.issuebondy.ticket.scope.sso
Client-Localbondy.issuebondy.ticket.scope.client_local
Client-SSObondy.issuebondy.ticket.scope.client_sso

Procedures

bondy.ticket.issue(realm_uri;expiry_time_secs=,...) -> []

Call

Positional Args

None.

Keyword Args
expiry_time_secsinteger
Default: The value of Bondy configuration parameter 'security.ticket.expiry_time'
allow_ssoboolean
Default: true
client_ticketstring
client_idstring
client_instance_idstring

Result

Positional Args

The call result is a single positional argument containing the encoded and signed ticket:

0stringREQUIRED
The ticket.
Keyword Args

None.

bondy.ticket.revoke_all(realm_uri, authid) -> []

Call

Positional Args
0stringREQUIRED
The realm uri we want to revoke the ticket from.
1stringREQUIRED
The authid of the user associated with the tickets we want to revoke.
Keyword Args

None.

Result

Positional Args
Keyword Args

None.

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-ShareAlike (CC-BY-SA) 4.0 International license.
Bondy and Leapsight are registered trademarks.