🎟️ Tickets vs 🪙 Tokens – What Changed in Modern Identity Protocols?

“If tickets still work, why is everyone obsessed with tokens?”
That was my honest question — as someone working on enterprise applications like 3DEXPERIENCE, where legacy systems like CAS still thrive.

This post is my reflection and breakdown of what changed from ticket-based authentication (like CAS) to token-based systems (like OAuth2/JWT), and why it matters — only where it actually matters.

🏁 Legacy Era: Ticket-Based Authentication

Systems like CAS (Central Authentication Service) were designed when:

Applications were monolithic
Users accessed systems via browser
Authentication and session handling happened mostly server-side

🔑 How It Works:

User logs in to CAS server.
CAS issues a login ticket, which is exchanged for a service ticket.
The ticket is passed to the application, which then validates it with CAS.
On success, the application creates its own session (e.g., cookies) and continues.

✅ Good for browser-based SSO
❌ Not great for APIs, mobile apps, or distributed microservices

🚀 Modern Shift: Token-Based Authentication

As applications became distributed, stateless, and API-heavy, ticket validation patterns didn’t scale well.

Enter OAuth 2.0 / OIDC with JWT (JSON Web Tokens).

🪙 How It Works:
1. 1. User (or app) authenticates via an Identity Provider (IdP).
    1. IdP issues a signed token — often a JWT.
    2. The application (or API gateway) verifies the token locally using a public key, with no call back to IdP.
    3. Token carries identity + claims. No session server required.

✅ Ideal for APIs, SPAs, mobile, microservices
✅ Decoupled, scalable, stateless
❌ Requires trust setup and secure key rotation

⚔️ Tickets vs Tokens – Key Differences

Feature	Ticket (CAS-style)	Token (JWT/OIDC)
Format	Random string	Self-contained JSON
Identity Data	Stored on server	Embedded in token
Verification	Central server (CAS)	Local public-key validation
Stateless?	❌ No	✅ Yes
Ideal For	Web SSO	API, microservices, mobile
Works Without Internet?	✅ Yes	⚠️ Requires cached keys
Expiry	Often session-based	Explicit expiry, often short-lived
Delegation Support	❌ Hard	✅ Built-in (OAuth scopes, etc.)

🧠 So Why Not Replace Tickets Everywhere?

Because tickets still work really well in specific contexts:

Web-based apps with session handling
Internal apps with single identity source
Systems like 3DEXPERIENCE that maintain legacy user context layers

And tokens aren’t magic either:

JWT misuse can expose identity data
Local validation can fail if keys aren’t rotated securely
Stateless systems still need consistent authorization logic

🧩 Can They Coexist?

Absolutely. In real-world enterprise systems:

Frontend may use CAS + ticket-based flow
API Gateway (e.g., Apigee) may enforce JWT validation
Backend apps may still use session context or even DB-auth logic

This hybrid is messy, but practical.

🧭 When Should You Use What?

Use Case	Preferred Auth
Browser-based legacy web app	CAS / ticket
API exposed over internet	OAuth2 / JWT
Microservices talking to each other	JWT with short expiry
External federation (Azure AD, Google)	SAML or OIDC
Internal monolith with DB auth	CAS or local session

🪪 Analogy – Passport vs Boarding Pass

A CAS ticket is like getting your passport stamped at a specific gate. You need to ask the gatekeeper each time.
A JWT token is like a boarding pass — once issued and verified, you can walk through multiple gates (as long as it’s valid and signed).

🧠 Final Thoughts

Modernization is not about replacing CAS with tokens blindly.
It’s about knowing where your app lives, how it communicates, and what trust model you need.

If you're in a legacy + modern mix (like I am with 3DEXPERIENCE), then the real skill is knowing when to use what.

How Tokens Replaced Tickets: A Journey Through Modern Identity Systems