The article teaches how to authenticate and authorize requests to the API using tokens.
The FCLite API requires a JWT to be passed in order to authenticate. The third-party OAuth authentication model allows a third-party application to direct the end user to an authentication page. After successful authentication, the user is redirected back to the third-party application, which then provides the token.
The authorization_code grant type exchanges the code for tokens in the back channel, so the exchange is completely hidden from the end user.
The third-party application must launch the login page:
https://{fxcm_domain}/oauth/authorize?client_id={client_id}&response_type=code&redirect_uri={redirect_uri}&scope=openid%20trading
Required parameters:
fxcm_domain is environment specific:
Production Real: https://oauth.fxcorporate.com
Production Demo: https://oauth-demo.fxcorporate.com
UAT: https://oauthu.fxcorporate.com
QA: https://oauthq.fxcorporate.com
client_id: string value provided by FXCM and must match exactly
response_type: always – code
redirect_uri: must be agreed between FXCM and 3rd party and must match exactly
scope: always ‘openid trading’
Optional parameters:
code_challenge_method= Set to S256 to indicate that SHA-256 hashing is used to transform the code verifier
code_challenge= The BASE64URL-encoded SHA-256 hash of a random 32-byte value, the code verifier, which the client must generate and store internally; it is intended to prevent code injection and CSRF attacks. Originally specified in the PKCE extension (RFC 7336) to OAuth 2.0.
state= Optional opaque value set by the client which the authorisation server will echo verbatim in the authorisation response. Enables the client to encode application state information to appear at the redirect_uri
nonce= String value used to associate a Client session with an ID Token, and to mitigate replay attacks
The user enters their FXCM login credentials and is then prompted to approve the request, which they must do. The server redirects back to {redirect_uri} with the query parameter code, so the third-party application receives a response with header.location: {redirect_uri}?code={code}. It then submits a POST. The POST body must contain:
code: value from ‘code’ query parameter
grant_type: ‘authorization_code’
client_id: string value provided by FXCM
client_secret: string value provided by FXCM
redirect_uri: exact redirect_uri that you provided to FXCM when creating your account. If the URI is different, you will receive a 400 error. This URI is used to get your token.
Client receives JSON response: {access_token: access_token, refresh_token: refresh_token, token_type: ‘Bearer’}
access_token: the API access token as a JWT to create a session with
refresh_token: a refresh token which can be used to get a new access token
Third party application may submit post to get new access token through the refresh mechanism: https://{fxcm_domain}/oauth2/token
Or it may submit post to logout and clear cookies: https://{fxcm_domain}/oauth2/logout
You can authenticate and authorize requests to the FCLite API using the method IFXConnectLiteSession.attach.
Class IFXConnectLiteSession is the interface that provides access to the trading system.
The method attach logs the user in to the trading system. The function's parameters include the JSON web token, the URL of the server and the name of the connection.
function attach(jwt: string, tradingSystemUrl: string, connection: string);
Questions and answers
1. What is the purpose of authentication and authorization to APIs using tokens?
The main advantage is security. A login and password can be intercepted or picked up by an attacker, whereas a token has a short lifespan and is issued by a specific service that the client trusts.
2. In what cases will the information from the article be useful?
The information from the article will be useful in cases where you integrate into the NewCo EcoSystem and when the token is sufficient to access one system from another.
3. Where can I obtain the JSON web token for the attach method?
The JSON web token required for the attach method is provided by a service within the NewCo EcoSystem. It is not accessible to ordinary users and is specifically designed for integration with NewCo.