'What is the point of the Kerberos Service Ticket (ST) in CAS?

In CAS you have Ticket Granting Tickets (TGT) and Service Tickets (ST). I don't see why you need STs if you already have a TGT. You can simply validate the TGT and return a green light for authorization to the client for the owner of the TGT.

So why do we need an additonal ticket next to the TGT called ST ?

authenticationsingle-sign-onkerberoscasspnego


Solution 1:[1]

I suspect this 2-fold ticket generation process is a means to:

  • Refresh the authentication without repeatedly enter credentials (which are weak)

So TGT is much like refresh token in JWT.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 dz902

Related Questions

Rails authentication strategy

Login Failure: Pool is empty and connection creation failed

User Auth/Identity Service that takes care of social logins?

Logout from Keycloak does not logout Active Directory User

SNOWFLAKE - AZURE ACTIVE DIRECTORY Integration

Everytime I change my Microsoft Teams Tab's code the content of the tab does not change

React-router HashRouter When redirecting root URL with query parameters, route gets appended after params

Symfony 6 - CAS Bundle

Apache superset with Okta integration

Azure AD OIDC Single Sign-On with HashiCorp Vault - Interactive Login Prompt Not Appearing

How to enable sign-in with Google on Backstage?

How to enable sign-in with Google on Backstage?

SAML SP Metadata XML SSO, Recipient and Destination URLs

How to use the AWS Python SDK while connecting via SSO credentials

Best practice: Generate email link to bypass authentication