Ticket Parameter in Authorization Endpoint
Authlete's Authorization Endpoint APIs are backend APIs used to implement an authorization endpoint. They consist of two types of API:
- an API that parses authorization requests and returns the information needed for the next step, such as end-user authentication, and
- an API that issues tokens or authorization codes, or returns errors.
These two APIs are linked by a "ticket".
First, the Authlete /auth/authorization API returns a ticket in its response to an authorization request. Then the /auth/authorization/issue or /auth/authorization/fail API receives that ticket and processes the authorization request, either issuing tokens or codes or returning an error.
- A ticket expires 24 hours after it is issued. Expired tickets are deleted from Authlete's database.
- A ticket can only be used once. It is removed from the database as soon as the /auth/authorization/issue or /auth/authorization/fail API has successfully processed a request containing it.
- If you use a ticket that has already been used or has expired, the API returns an error like the following:
[A041202] There is no entity having the ticket specified in the /api/auth/authorization/issue request (ticket = {Ticket}).
- Please note that tickets are designed to be used only between an authorization server and the Authlete server. They must not be passed between an authorization server and a user agent such as a web browser, for example to manage sessions.
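The lifecycle described above, as an added example that is not Authlete's own code or SDK: a constructed in-memory model of the ticket table (single use, 24-hour expiry, the A041202 error) next to an authorization server that keeps the ticket in a server-side session and gives the browser only a session id. The method names, the `INTERACTION`/`LOCATION` action values and the reason string passed to the fail call are assumptions of this example, not Authlete's documented interface.

```python
import secrets
import time

TICKET_TTL_SECONDS = 24 * 60 * 60  # a ticket expires 24 hours after /auth/authorization issued it


class AuthleteTicketModel:
    """Constructed model of Authlete's ticket table; not Authlete's implementation."""
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be exercised
        self._tickets = {}       # ticket -> (expires_at, raw authorization request)

    def authorization(self, query_string):
        # /auth/authorization: parse the request and hand back a fresh ticket for the next step
        ticket = secrets.token_urlsafe(32)
        self._tickets[ticket] = (self._now() + TICKET_TTL_SECONDS, query_string)
        return {"action": "INTERACTION", "ticket": ticket}

    def _consume(self, api, ticket):
        entry = self._tickets.pop(ticket, None)  # a ticket can only be used once
        if entry is None or entry[0] <= self._now():  # unknown, already used, or expired
            return None, {"resultCode": "A041202", "resultMessage":
                          f"[A041202] There is no entity having the ticket specified in the "
                          f"/api/auth/authorization/{api} request (ticket = {ticket})."}
        return entry[1], None

    def authorization_issue(self, ticket, subject):
        # /auth/authorization/issue: redeem the ticket and issue a code/token for `subject`
        request, error = self._consume("issue", ticket)
        return error or {"action": "LOCATION", "subject": subject, "request": request}

    def authorization_fail(self, ticket, reason):
        # /auth/authorization/fail: redeem the ticket and build an error response instead
        request, error = self._consume("fail", ticket)  # same error shape assumed for fail
        return error or {"action": "LOCATION", "error": reason, "request": request}


class AuthorizationServer:
    """Keeps the ticket in a server-side session; the browser only ever sees a session id."""
    def __init__(self, authlete):
        self._authlete = authlete
        self._sessions = {}      # session id (cookie value) -> ticket; never sent to the UA

    def handle_authorization_request(self, query_string):
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = self._authlete.authorization(query_string)["ticket"]
        return session_id        # goes into Set-Cookie; the ticket itself stays server-side

    def handle_login(self, session_id, subject):
        ticket = self._sessions.pop(session_id)   # one session, one ticket, one redemption
        return self._authlete.authorization_issue(ticket, subject)
```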