Feature Request: Support for IBKR OAuth 2.0 Authentication

[climbercarmich]

Hi ibind maintainers,

The "Advanced OAuth 1.0a" docs mention asking for info on OAuth 2.0 implementation. Based on recent IBKR documentation and communication, it seems they support OAuth 2.0 via the private_key_jwt method (RFC 7521/RFC 7523), using the https://api.ibkr.com/v1/api endpoint. (As an eligible business user, I'm currently onboarding with IBKR for this and might be able to provide more specifics later).

Adding support for this could potentially:

• Allow users with eligible accounts (currently business/institutional, possibly wider later) to run ibind in headless/automated environments without the gateway.
• Offer an alternative to the current OAuth 1.0a method, which relies on the unmaintained pyCrypto library.

Is supporting this OAuth 2.0 flow something the ibind project might consider, or are there existing plans related to it?

Thanks for any information!

[salsasepp]

Hi, thank you for bringing this up. Yes, ibind maintainers would greatly welcome any OAuth 2.0 contribution. Please see this related issue #87. Essentially, for lack of publicly available information, this can only be tackled if somebody can provide documentation and testing for OAuth 2.0, and ideally a pull request. In case you could do any of that, very much appreciated!

[climbercarmich]

Ok, as I get more info I will have a go at implementing this into ibind or at the least provide more info to help the implementation.

[climbercarmich]

I have got this working locally now and submitted a pull request - hopefully this is helpful. It follows this flow:

OAuth 2.0 Authentication Workflow (CP Web API):
1. Request an OAuth 2.0 Access Token for the specified scope(s) i.e. sso-sessions.write                                                                    [POST  https://api.ibkr.com/oauth2/api/v1/token]
2. Create SSO Session for CP Web API                                                                                                                                                                 [POST  https://api.ibkr.com/gw/api/v1/sso-sessions] 
     →  a 200 (Ok) response means user may now access “non-iserver” endpoints
3. Validate SSO Session                                                                                                                                                                                           [GET    https://api.ibkr.com/v1/api/sso/validate]                
4.  Initialize a brokerage session - needed to access trading & market data (/iserver) endpoints                                                            [POST  https://api.ibkr.com/v1/api/iserver/auth/ssodh/init]
      →  a 200 (Ok) response means user may now access the “/iserver” endpoints
5. Logout - to close the brokerage session & logout                                                                                                                                          [POST  https://api.ibkr.com/v1/api/logout]

I also wondered if the use of pycryptodome (drop-in replacement for the old PyCrypto library) could help resolve the security issues seen with OAuth1?