Interactive Brokers, how to get a consumer key from registration API? - interactive-brokers

I'm trying to create a web server that allows users to OAuth their IB accounts. To obtain a request token, you first need to get a consumer key. I tried to follow their instructions, but there are no details on how to make a call to get the consumer_key.
What exactly should the endpoint be? Is it a POST or GET call? What do the params / body look like?

Even though you registered your consumer_key in the InteractiveBroker settings page, the OAuth flow for the consumer_key will not work because the IB Web API OAuth flow is not ready to work.
Their customer service doesn't have the ability to solve the problem because the OAuth flow should be made ready by the developers of the IB Service Provider.
All of the documents for the OAuth flow of InteractiveBroker are not correct, and the customer service said they don't know about the issues.
It will be a waste of time if you are going to try to solve the problem for the OAuth flow of InteractiveBroker.
InteractiveBroker Web API is not ready yet.
Don't lose your time.

The answer from Daniel is still right (it just doesn't work); there are, however, a few projects that can alleviate the pain:
https://github.com/Cloudmative/cp-webapi-gateway
https://github.com/Voyz/ibeam
Both of them require running a Docker service that will do the authentication and proxy the requests to the IB gateway service.
You can avoid 2FA if you create an additional user to access your account.

I'm getting a 501 HTTP error; it seems that OAuth is not ready yet for InteractiveBrokers developers:
Direct link to the OAuth configuration: https://www.interactivebrokers.co.uk/oauth

There is no API call to get the consumer_key. There is an OAuth settings page (best I know there is no direct link to it) in the IB web portal that lets you
enable OAuth access
upload the public Signing/Encryption keys and the DH param files
set your own consumer_key
Edit: here is the direct link to the OAuth settings page

If you're talking about the web trading API, you have to submit several things to IB in order to get your application registered. Onboarding instructions can be found in their OAuth document at: https://www.interactivebrokers.com/webtradingapi/oauth.pdf

Related

Using OAuth to secure my own API and getting confused over Authorisation

I'm trying to get my head around OAuth from the context of having an API that I want to secure and a JavaScript-based single page app made in Vue.js that will consume this API. I've been told that OAuth is the industry standard for this type of thing.
I want to let other clients like a mobile app also use the same API.
From what I can gather the right flow is Authorization Code Flow with Proof Key for Code Exchange (PKCE) https://oauth.net/2/pkce/
The bit I am confused over is how I seem to need to get users to approve access. For example you don't have Twitter saying "Would you like Twitter to use Twitter". If I was in the position of people using the account to create another account I wouldn't have any confusion but when the client is your own website what is supposed to happen?
I can sort of imagine that I could automatically approve the website or just bypass the part where the user approves, but then I feel like I'm going off script. Then I think to myself, have I completely got the wrong end of the stick? Is OAuth not designed for this?
If anyone can see where my ignorance is I'd be more than happy to be corrected!
Thanks!
OAuth and OpenID Connect enable you to authenticate users in many ways, for web and mobile clients. Each app implements a code flow and redirects to an authorization server (AS).
Each client is configured with an entry in the AS, and consent can be disabled when required. It is typically only enabled when personal assets are involved, e.g. to grant a security code scanning service access to my GitHub repositories.
From asking around a bit and reading a bunch more that I found by searching for "first party" providers: it is okay to just have the main website bypass the bit where they approve access and just send over the token.

Azure Api management with Oauth - Without a client app registration

I currently have an API that I am opening up to our business partners to call, and I want it secured with OAuth.
I've set up an Azure API management (consumption plan right now) that points to our API in azure.
I can call it and get valid results in the test console.
So I was following the Microsoft documentation for this, and it had me :
Register my backend API in app registrations;
Register a client app in app registrations;
In Azure AD, grant the permissions for this client app;
Configure the APIM with a validate-jwt policy.
So now my APIM is returning a 403 as expected.
My question is this. I do not know the clients that will be using this API. Or rather, do I HAVE to register a client app registration? Or can I leave that part out and just provide the URLs that I have for the OAuth side, which are like:
https://login.microsoftonline.com/GUID/oauth2/v2.0/authorize
https://login.microsoftonline.com/GUID/oauth2/v2.0/token
I am very new to Oauth and APIM, so I am not even sure how all this works.
But it seems odd that I am registering an app for a client, when I have no information on them or how they are calling my API.
I kinda get that I need to know who is requesting the token and authorizing. But the clients will be using a JavaScript snippet that we give them to embed on their site, so I don't really know what their site is like, what their URL is or anything.
Hope that makes sense.
The client registration is what represents the entity (web app, mobile app, etc.) that requests tokens from Azure AD for your API.
The docs walk you through a process where the developer portal is registered as the client.
The snippet in your case would also require a Client ID (of an app) to fetch the token with. For this, you would have to register a new app registration and share the Client ID as part of the snippet.

Several question on Oauth2 on ADFS Server 2016

I've been working with ADFS for a long time already, and recently I was asked to do a proof of concept with OAuth2 on ADFS. Struggling through terminology, I managed to set most things up, but I still have some unanswered questions. Hope someone can shed some light on these...
For SAML / WS-Fed relying parties, it is possible to set custom web content, using Set-AdfsRelyingPartyWebContent. Is this also possible for web api relying parties created in an application group?
Would it be possible to add claims to a client authenticated with client_id / client_secret (server application in ADFS terms) when using the client credentials grant flow?
Even after setting the 'IssueOAuthRefreshTokensTo' 'AllDevices' on the web api application, I still don't receive refresh tokens. What am I missing here?
When posting a token issued by our ADFS on e.g. jwt.io, I receive a 'signature validation' error. How can we resolve that?
We would like to set an audience for the access tokens, so applications can use the audience instead of using the appid to verify if they can consume the token. Can we modify the audience?
What does add-adfsclient do? Does it create a client_id, which can then be linked to a relying party (with Grant-AdfsApplicationPermission), thus enabling OAuth2 for an existing relying party?
When configuring an AD user principal for a server application and using 'password' as grant_type with the client credentials grant flow, I cannot seem to find the correct syntax, as ADFS always gives the error 'MSIS9622: Client authentication failed. Please verify the credential provided for client authentication is valid.'. I have used the syntax 'user#fqdn' for the username.
Thank you for helping me out here!
Let me try and work through these.
In ADFS, OIDC applications and WS-Fed / SAML RP are completely different. You can't mix and match.
jwt.io has a signature error because it doesn't know the .well-known endpoint to get the key. Refer to this.
To get extra claims you need to add an API as that is the only place for claims rules.
To get a refresh token, you need a scope of "offline_access".
For resource owner password, user name and password are separate fields. Refer here.
Feel free to ask more questions. Just expand your question.
Also, samples here. Look at the menu on the LHS.
Update
What do you mean by "can modify web content on a per relying party basis"?
Re. jwt.io, read this.
For refresh tokens, read this. It seems ADFS doesn't follow the spec here.

invalid_client no registered origin for service account approach

I am trying to do Google API authorization through both the Web Application approach and the service account approach. For the web application approach, the quick start code from their website works fine. However, when I tried the same code with the service account Client ID (same code as the quick start example, just replacing the Client ID), it gives me an Invalid_client no registered origin error.
I saw in this post and other SO questions that mostly they had forgotten to put the Authorized JavaScript Origin. However, this is different for the service account approach: they don't have this field.
Has anyone encountered the same issue?
Error message: no registered origin
Request Details proxy=oauth2relay1086088613 immediate=false
scope=https://www.googleapis.com/auth/analytics.readonly
origin=https://localhost:9443 response_type=token
redirect_uri=postmessage state=909080772|0.2369183797
client_id=113356969233986791514 include_granted_scopes=true
Service accounts are typically used in server-to-server communication. You can think of a service account as a robot user that has permissions to access the API. Unless you're doing domain-wide delegation (where a service account can act on behalf of all users on a domain), you probably just want to use OAuth. Perhaps try the credentials wizard and see what it recommends?
If you do end up wanting to use service accounts, you'll need to download a private key for the service account and sign the request with that key (rather than just including the OAuth client ID). To do that, I recommend using one of the Google API Client Libraries.

Different Access token every time - using Google OAuth and Authlogic

Greetings!
I have some trouble enabling OAuth authentication for my web application running on Ruby on Rails. I am using authlogic and authlogic_oauth, and that is, in the end, using the OAuth gem, and therefore I decided to ask here. So shortly:
I successfully "register" (i.e. obtain the first Access Token for the user), but then, whenever I try to "login", I receive a different access token for the same Google Account, the Authlogic-oauth plugin fails to find the user and the login crashes. Maybe I don't understand it right, but isn't the AT supposed to be the same every time? And can it be a problem that I am accessing Google from http://localhost even though the Customer keys are for a different domain?
Anyway, thanks for any reply ... I have already spent 2 days with that issue and debugging doesn't seem to lead me anywhere.
Jakub
PS: I sent that question on Google Group oauth-ruby - sorry to anyone reading both channels
The AT is supposed to be different every time. OAuth is not an authentication protocol, it is an authorization delegation protocol. Try using OpenID instead: http://code.google.com/apis/accounts/docs/OpenID.html
Twitter does not give out different tokens, which allows OAuth to be used as an authentication mechanism. LinkedIn doesn't do that, meaning you may only use OAuth as an authorization protocol (which is what it was intended to do).
However, there is a useful API for pulling in data from LinkedIn. Of particular interest could be the Profile API.