Partner Token Authentication in CQG Desktop

Introduction

Partner token authentication allows seamless authentication in CQG Desktop web application.

Definition of terms

JWTJSON Web Tokens, open, industry standard RFC 7519 (https://tools.ietf.org/html/rfc7519) method for representing claims securely between two parties, https://jwt.io/. A JWT is represented as a sequence of URL-safe parts separated by period ('.') characters. Each part contains a base64url-encoded value.
CWASCQG WebAPI Server is a product that provides an easy to use interface for CQG Desktop and Mobile clients as well as for 3rd party applications to realtime market data, historical data, symbol resolution and trading capabilities of CQGs existing systems.
CQG Auth ServerServer that authenticates user by various means: login/password, one-time password, refresh token, partner token.
CQGDESKTOPCQG Desktop, web-based single-page-application that allows receiving real-time market data and place orders.

Operating principal

Signed tokens can verify the integrity of the claims contained within it, while encrypted tokens hide those claims from other parties. For partner token authentication we shall use signed tokens.

To setup partner token authentication a partner shall:

  1. Use encryption algorithm RS256 (RSA encryption + SHA256 hash).
  2. Generate public/private key pair (private key must be kept in safe place) or can use existing. Note: you can generate several key-pairs. Having multiple keys allows key rotation (gradual replacing soon-to-expire certificate with new one).
  3. Provide public key(s) (certificates) to CQG.
  4. Verify iss (token issuer, partner identifier) claim value with CQG (CQG will check it for collision with other registered partners).

CQG will provide you CQGDESKTOPesktop base url for integration.

Partner shall generate token according to https://jwt.io/ rules and shall specify the following claims:

  1. sub — (registered claim name) partner user name
  2. exp — (registered claim name) expiration time on or after which the JWT must not be accepted for processing, numeric, unix time seconds.
  3. iss — (registered claim name) issuer claim value verified by CQG, string.

When partner token is ready, partner app shall build URL that will be used to navigate to CQGDESKTOPesktop website. URL shall have format

https://m.cqg.com/{brand-name}/desktop/main?partnerToken={partner-token}

When navigated to that URL CQGDESKTOP application shall extract partner token from query string, send it to CQG Auth Server, receive access token and using it, will establish connection with CQG WebAPI Server.

Example

Partner Some Partner, having SomePartnerApp, wants to implement JWT-based authentication with CQG (launch CQGDESKTOP from SomePartnerApp seamlessly). It generates public/private key-pair. E.g.

Private key
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQC9PYMDsIFdSBwLuyhSjK7Htx3W+SNcMZUCkk+7aLHVQWrhuwRn
jghxs8gnvecMxi3RaPjF/0lHrwey4KPSjXLrzz5VQ5cq40KGWkIQg6vqr+T7LMQW
zcrnJpawUAmsXizks47yLO5Uz36TIeDi/gnrL6vQRvK3F8PDugkmo/FkQQIDAQAB
AoGBALxh94I8uwr5NbIX5dQHaBY4G+Rcru6gDQ46SFTvq9f2/0cmvQO5SH6n0aB+
UvtMbWABd2Ti9Tf+7VMMfQik9rg+5SnLs7P+yPhn0v1/EJKO/kQYJ3seWqQCWc45
tIJE2oC/TUhTPxGcUMmqTVGiE5RoTgfC/IWxbq58BYLrlb7hAkEA9jUygfAGjTsA
7HiiXyDUUoRR+G/pU15cR3pLAS9YyXpwPzqSgVcfBhLMpyb0KenUq0uuxrUpOSan
AMQzClrHcwJBAMTESnay+lL3AyZbcaaLVQZDG/KUlKvn/0CvZrT1pzQF51dc2dhT
irA0OEMyvpTx0onkEf1J22pSRkacYb/aMHsCQHwdyT5zz/m2evq6vbATDrYiemgx
koAym3Z1Egag5bN8A8X8Mwr87mjTZVQGcSQH+uv3lT4a6ZMkByB9x/U6Wj0CQCgo
6AnR/cVxJPNvNoMHbRMaH1ojeTSc5TwOkKfee4HispTiHpRIeMX94n3UnZFIye/a
3NEVgfLxV+aRhGHj5oECQCFhlpPWps2RBiW38GkZfimqQB7pjb/OXnoCnoAgfiOw
SOcH1aXYbXVLJjAUPG8NP34ou58AtIHaUIi82OVQ16o=
-----END RSA PRIVATE KEY-----
Public key
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9PYMDsIFdSBwLuyhSjK7Htx3W
+SNcMZUCkk+7aLHVQWrhuwRnjghxs8gnvecMxi3RaPjF/0lHrwey4KPSjXLrzz5V
Q5cq40KGWkIQg6vqr+T7LMQWzcrnJpawUAmsXizks47yLO5Uz36TIeDi/gnrL6vQ
RvK3F8PDugkmo/FkQQIDAQAB
-----END PUBLIC KEY-----

Then partner sends public key to CQG. CQG registers this public key in CMS/GW, allows partner users to be authenticated by partner JWT, assigns issuer-id, that would be e.g. caus—some-fcm, choose brand-name for partner, that would be e.g. somebrand (separate brand allows customization of CQGDESKTOP), and sends these values to the partner. Partner will use these values during JWT generation (iss claim value) and url building.

After that partner can start generating JWT-s.

Let's assume we want to authenticate user with partner user name someuser. JWT header shall be

{
  "alg": "RS256",
  "typ": "JWT"
}

JWT payload data shall be

{
  "sub": "someuser",
  "exp": 1516239022,
  "iss": "caus--some-partner"
}

sub — contains partner user name, exp — token expiration time, numeric, unix time, number of seconds since 1970 representing UTC time, iss — token issuer-id that was assigned/verified by CQG. To generate JWT manually in testing purposes you can go to https://jwt.io/#debugger, select RS256 algorithm, paste JWT payload data, paste private key. Web page will generate JWT for you, for the example data above that would be

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJzb21ldXNlciIsImV4cCI6MTUxNjIzOTAyMiwiaXNzIjoiY2F1cy0tc29tZS1wYXJ0bmVyIn0.aOLyxjzY7BRugwosgAHyY8pY9Ml6bjjsYcTiKDhIAgUN1EpKsaPoY01Q3yruESJ8lUOgTjCsDBlOpVsf2bhVHTYWvK72ZrgzGn5zHqNqN82of3DwOwePA8H44haVzPVSb1vDTc7--9Ah-d97NPxw_fqAl9og3lWq2h3Qy7geLyQ

SomePartnerApp builds url and opens it in browser window. No need to encode JWT additionally. It is already URL-safe. URL will be

https://m.cqg.com/somebrand/desktop/main?partnerToken=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJzb21ldXNlciIsImV4cCI6MTUxNjIzOTAyMiwiaXNzIjoiY2F1cy0tc29tZS1wYXJ0bmVyIn0.aOLyxjzY7BRugwosgAHyY8pY9Ml6bjjsYcTiKDhIAgUN1EpKsaPoY01Q3yruESJ8lUOgTjCsDBlOpVsf2bhVHTYWvK72ZrgzGn5zHqNqN82of3DwOwePA8H44haVzPVSb1vDTc7--9Ah-d97NPxw_fqAl9og3lWq2h3Qy7geLyQ

After that CQGDESKTOP will be loaded and it will open session for someuser login. Internally CQGDESKTOP connects to CQG Auth Server, provides partner token, receives access token, and connects to CWAS using provided access token.

Sequence diagram

The above can be illustrated with the following sequence diagram

partner-token-auth