Permission Ticket


Permission Ticket is a short-lived opaque structure whose form is determined by the Authorization Server as described within the User-Managed Access (UMA) Profile of OAuth 2.0

The Permission Ticket value MUST be securely random (for example, not merely part of a predictable sequential series), to avoid denial-of-service attacks.

Since the Permission Ticket is an opaque structure from the point of view of the OAuth Client, the Authorization Server is free to include information regarding expiration time or any other information within the opaque ticket for the Authorization Server's own consumption. When the OAuth Client subsequently uses the authorization API to ask the Authorization Server for authorization data to be associated with its Requesting Party Token, it will submit this Permission Ticket back to the Authorization Server.

More Information#

There might be more information for this subject on one of the following: