ibauth 0.0.2__tar.gz

ibauth-0.0.2/PKG-INFO

@@ -0,0 +1,47 @@
+Metadata-Version: 2.4
+Name: ibauth
+Version: 0.0.2
+Summary: Interactive Brokers OAuth
+Requires-Python: >=3.11
+Description-Content-Type: text/markdown
+Requires-Dist: bump2version>=1.0.1
+Requires-Dist: cryptography>=44.0.2
+Requires-Dist: curlify>=2.2.1
+Requires-Dist: mypy>=1.15.0
+Requires-Dist: pre-commit>=4.1.0
+Requires-Dist: pyjwt>=2.10.1
+Requires-Dist: pyyaml>=6.0.2
+Requires-Dist: requests>=2.32.3
+Requires-Dist: ruff>=0.9.9
+Requires-Dist: tenacity>=9.0.0
+
+# IBKR Authentication Workflow
+
+Documentation for the IBKR Web API is [here](https://www.interactivebrokers.com/campus/ibkr-api-page/webapi-ref/).
+
+1. Pull the repository.
+2. Create and activate a virtual environment.
+3. Install dependencies from `requirements.txt`.
+4. Create a YAML configuration file:
+
+    ```yaml
+    client_id: ""
+    client_key_id: ""
+    credential: ""
+    private_key_file: ""
+    ```
+
+    The private key file will usually have a `.pem` extension.
+5. Run the test script.
+
+    ```bash
+    python auth.py
+    ```
+
+## Installation
+
+You can install from GitHub.
+
+```bash
+pip3 install git+https://github.com/datawookie/ibkr-oauth-flow
+```

ibauth-0.0.2/README.md

@@ -0,0 +1,30 @@
+# IBKR Authentication Workflow
+
+Documentation for the IBKR Web API is [here](https://www.interactivebrokers.com/campus/ibkr-api-page/webapi-ref/).
+
+1. Pull the repository.
+2. Create and activate a virtual environment.
+3. Install dependencies from `requirements.txt`.
+4. Create a YAML configuration file:
+
+    ```yaml
+    client_id: ""
+    client_key_id: ""
+    credential: ""
+    private_key_file: ""
+    ```
+
+    The private key file will usually have a `.pem` extension.
+5. Run the test script.
+
+    ```bash
+    python auth.py
+    ```
+
+## Installation
+
+You can install from GitHub.
+
+```bash
+pip3 install git+https://github.com/datawookie/ibkr-oauth-flow
+```

ibauth-0.0.2/ibauth.egg-info/PKG-INFO

@@ -0,0 +1,47 @@
+Metadata-Version: 2.4
+Name: ibauth
+Version: 0.0.2
+Summary: Interactive Brokers OAuth
+Requires-Python: >=3.11
+Description-Content-Type: text/markdown
+Requires-Dist: bump2version>=1.0.1
+Requires-Dist: cryptography>=44.0.2
+Requires-Dist: curlify>=2.2.1
+Requires-Dist: mypy>=1.15.0
+Requires-Dist: pre-commit>=4.1.0
+Requires-Dist: pyjwt>=2.10.1
+Requires-Dist: pyyaml>=6.0.2
+Requires-Dist: requests>=2.32.3
+Requires-Dist: ruff>=0.9.9
+Requires-Dist: tenacity>=9.0.0
+
+# IBKR Authentication Workflow
+
+Documentation for the IBKR Web API is [here](https://www.interactivebrokers.com/campus/ibkr-api-page/webapi-ref/).
+
+1. Pull the repository.
+2. Create and activate a virtual environment.
+3. Install dependencies from `requirements.txt`.
+4. Create a YAML configuration file:
+
+    ```yaml
+    client_id: ""
+    client_key_id: ""
+    credential: ""
+    private_key_file: ""
+    ```
+
+    The private key file will usually have a `.pem` extension.
+5. Run the test script.
+
+    ```bash
+    python auth.py
+    ```
+
+## Installation
+
+You can install from GitHub.
+
+```bash
+pip3 install git+https://github.com/datawookie/ibkr-oauth-flow
+```

ibauth-0.0.2/ibauth.egg-info/SOURCES.txt

@@ -0,0 +1,11 @@
+README.md
+pyproject.toml
+ibauth.egg-info/PKG-INFO
+ibauth.egg-info/SOURCES.txt
+ibauth.egg-info/dependency_links.txt
+ibauth.egg-info/requires.txt
+ibauth.egg-info/top_level.txt
+ibkr_oauth_flow/__init__.py
+ibkr_oauth_flow/const.py
+ibkr_oauth_flow/logger.py
+ibkr_oauth_flow/util.py

ibauth-0.0.2/ibauth.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

ibauth-0.0.2/ibauth.egg-info/requires.txt

@@ -0,0 +1,10 @@
+bump2version>=1.0.1
+cryptography>=44.0.2
+curlify>=2.2.1
+mypy>=1.15.0
+pre-commit>=4.1.0
+pyjwt>=2.10.1
+pyyaml>=6.0.2
+requests>=2.32.3
+ruff>=0.9.9
+tenacity>=9.0.0

ibauth-0.0.2/ibauth.egg-info/top_level.txt

@@ -0,0 +1 @@
+ibkr_oauth_flow

ibauth-0.0.2/ibkr_oauth_flow/__init__.py

@@ -0,0 +1,276 @@
+import math
+from typing import Any
+import time
+import yaml
+from pathlib import Path
+
+from cryptography.hazmat.primitives import serialization
+from tenacity import retry, stop_after_attempt, wait_exponential
+
+from .const import GRANT_TYPE, CLIENT_ASSERTION_TYPE, SCOPE, VALID_DOMAINS
+from .util import make_jws, get, post, ReadTimeout, HTTPError
+
+from .logger import logger
+
+
+class IBKROAuthFlow:
+    def __init__(
+        self, client_id: str, client_key_id: str, credential: str, private_key_file: str, domain: str = "api.ibkr.com"
+    ):
+        if not client_id:
+            raise ValueError("Required parameter 'client_id' is missing.")
+
+        if not client_key_id:
+            raise ValueError("Required parameter 'client_key_id' is missing.")
+
+        if not credential:
+            raise ValueError("Required parameter 'credential' is missing.")
+
+        if not private_key_file:
+            raise ValueError("Required parameter 'private_key_file' is missing.")
+
+        if domain not in VALID_DOMAINS:
+            raise ValueError(f"Invalid domain: {domain}.")
+        else:
+            self.domain = domain
+
+        self.client_id = client_id
+        self.client_key_id = client_key_id
+        self.credential = credential
+
+        logger.info(f"Load private key from {private_key_file}.")
+        with open(private_key_file, "r") as file:
+            self.private_key = serialization.load_pem_private_key(
+                file.read().encode(),
+                password=None,
+            )
+
+        self.access_token = None
+        self.bearer_token = None
+
+        # These fields are set in the tickle() method.
+        #
+        self.authenticated = None
+        self.connected = None
+        self.competing = None
+
+        self.IP = None
+
+    @property
+    def url_oauth2(self) -> str:
+        return f"https://{self.domain}/oauth2"
+
+    @property
+    def url_gateway(self) -> str:
+        return f"https://{self.domain}/gw"
+
+    @property
+    def url_client_portal(self) -> str:
+        return f"https://{self.domain}"
+
+    @property
+    def domain(self) -> str:
+        return self._domain
+
+    @domain.setter
+    def domain(self, value: str) -> None:
+        """
+        Set and validate the domain.
+        """
+        if value not in VALID_DOMAINS:
+            raise ValueError(f"Invalid domain: {value}. Must be one of {VALID_DOMAINS}.")
+        logger.info(f"Domain: {value}")
+        self._domain = value
+
+    def _check_ip(self) -> Any:
+        """
+        Get public IP address.
+        """
+        logger.debug("Check public IP.")
+        IP = get("https://api.ipify.org", timeout=10).content.decode("utf8")
+
+        logger.info(f"Public IP: {IP}.")
+        if self.IP and self.IP != IP:
+            logger.warning("🚨 Public IP has changed.")
+
+        self.IP = IP
+        return IP
+
+    def _compute_client_assertion(self, url: str) -> Any:
+        now = math.floor(time.time())
+        header = {"alg": "RS256", "typ": "JWT", "kid": f"{self.client_key_id}"}
+
+        if url == f"{self.url_oauth2}/api/v1/token":
+            claims = {
+                "iss": f"{self.client_id}",
+                "sub": f"{self.client_id}",
+                "aud": "/token",
+                "exp": now + 20,
+                "iat": now - 10,
+            }
+
+        elif url == f"{self.url_gateway}/api/v1/sso-sessions":
+            claims = {
+                "ip": self.IP,
+                "credential": f"{self.credential}",
+                "iss": f"{self.client_id}",
+                "exp": now + 86400,
+                "iat": now,
+            }
+
+        logger.debug(f"Header: {header}.")
+        logger.debug(f"Claims: {claims}.")
+
+        return make_jws(header, claims, self.private_key)
+
+    def get_access_token(self) -> None:
+        """
+        Obtain an access token. This is the first step in the authentication
+        flow.
+
+        Returns:
+            str: The access token.
+        """
+        url = f"{self.url_oauth2}/api/v1/token"
+
+        headers = {"Content-Type": "application/x-www-form-urlencoded"}
+
+        form_data = {
+            "grant_type": GRANT_TYPE,
+            "client_assertion": self._compute_client_assertion(url),
+            "client_assertion_type": CLIENT_ASSERTION_TYPE,
+            "scope": SCOPE,
+        }
+
+        logger.info("Request access token.")
+        response = post(url=url, headers=headers, data=form_data)
+
+        self.access_token = response.json()["access_token"]
+
+    def get_bearer_token(self) -> None:
+        url = f"{self.url_gateway}/api/v1/sso-sessions"
+
+        headers = {
+            "Authorization": "Bearer " + self.access_token,  # type: ignore
+            "Content-Type": "application/jwt",
+        }
+
+        # Initialise IP (it's embedded in the bearer token).
+        self._check_ip()
+
+        logger.info("Request bearer token.")
+        response = post(url=url, headers=headers, data=self._compute_client_assertion(url))
+
+        self.bearer_token = response.json()["access_token"]
+
+    @retry(stop=stop_after_attempt(5), wait=wait_exponential(multiplier=5))  # type: ignore
+    def ssodh_init(self) -> None:
+        """
+        Initialise a brokerage session.
+        """
+        url = f"{self.url_client_portal}/v1/api/iserver/auth/ssodh/init"
+
+        headers = {
+            "Authorization": "Bearer " + self.bearer_token,  # type: ignore
+            "User-Agent": "python/3.11",
+        }
+
+        logger.info("Initiate a brokerage session.")
+        try:
+            response = post(url=url, headers=headers, json={"publish": True, "compete": True})
+        except HTTPError:
+            logger.error("⛔ Error initiating a brokerage session.")
+            raise
+
+        logger.debug(f"Response content: {response.json()}.")
+
+    def validate_sso(self) -> None:
+        url = f"{self.url_client_portal}/v1/api/sso/validate"
+
+        headers = {
+            "Authorization": "Bearer " + self.bearer_token,  # type: ignore
+            "User-Agent": "python/3.11",
+        }
+
+        logger.info("Validate brokerage session.")
+        response = get(url=url, headers=headers)
+
+        logger.debug(f"Response content: {response.json()}.")
+
+    @retry(stop=stop_after_attempt(5), wait=wait_exponential(multiplier=5))  # type: ignore
+    def tickle(self) -> str:
+        """
+        Keeps session alive.
+
+        Returns:
+            Session ID.
+        """
+        url = f"{self.url_client_portal}/v1/api/tickle"
+
+        headers = {
+            "Authorization": "Bearer " + self.bearer_token,  # type: ignore
+            "User-Agent": "python/3.11",
+        }
+
+        logger.info("Send tickle.")
+        try:
+            response = get(url=url, headers=headers, timeout=10)
+        except (HTTPError, ReadTimeout):
+            logger.error("⛔ Error connecting to session.")
+            self.get_bearer_token()
+            self.ssodh_init()
+            raise
+
+        self.session_id: str = response.json()["session"]
+        auth_status = response.json()["iserver"]["authStatus"]
+        self.authenticated = auth_status["authenticated"]
+        self.competing = auth_status["competing"]
+        self.connected = auth_status["connected"]
+
+        logger.debug(f"Session ID: {self.session_id}")
+        logger.debug(f"- authenticated: {self.authenticated}")
+        logger.debug(f"- competing:     {self.competing}")
+        logger.debug(f"- connected:     {self.connected}")
+
+        logger.debug(f"Response content: {response.json()}.")
+
+        return self.session_id
+
+    def logout(self) -> None:
+        url = f"{self.url_client_portal}/v1/api/logout"
+
+        if self.bearer_token is None:
+            logger.warning("🚨 Not terminating brokerage session (no bearer token found).")
+            return
+
+        headers = {
+            "Authorization": "Bearer " + self.bearer_token,
+            "User-Agent": "python/3.11",
+        }
+
+        logger.info("Terminate brokerage session.")
+        post(url=url, headers=headers)
+
+
+def auth_from_yaml(path: str) -> IBKROAuthFlow:
+    """
+    Create an IBKROAuthFlow instance from a YAML configuration file.
+
+    Args:
+        path (str): The path to the YAML configuration file.
+
+    Returns:
+        IBKROAuthFlow: An instance of IBKROAuthFlow.
+    """
+    path_absolute = Path(path).resolve()
+    logger.info(f"Load configuration from {path_absolute}.")
+    with open(path_absolute, "r") as file:
+        config = yaml.safe_load(file)
+
+    return IBKROAuthFlow(
+        client_id=config["client_id"],
+        client_key_id=config["client_key_id"],
+        credential=config["credential"],
+        private_key_file=config["private_key_file"],
+        domain=config.get("domain", "api.ibkr.com"),
+    )

ibauth-0.0.2/ibkr_oauth_flow/const.py

@@ -0,0 +1,14 @@
+CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
+SCOPE = "sso-sessions.write"
+GRANT_TYPE = "client_credentials"
+
+VALID_DOMAINS = [
+    "api.ibkr.com",
+    "1.api.ibkr.com",
+    "2.api.ibkr.com",
+    "3.api.ibkr.com",
+    "4.api.ibkr.com",
+    "5.api.ibkr.com",
+    "6.api.ibkr.com",
+    "7.api.ibkr.com",
+]

ibauth-0.0.2/ibkr_oauth_flow/logger.py

@@ -0,0 +1,3 @@
+import logging
+
+logger = logging.getLogger("ibkr_oauth_flow")

ibauth-0.0.2/ibkr_oauth_flow/util.py

@@ -0,0 +1,50 @@
+import time
+import jwt
+import curlify
+import requests
+from typing import Any
+
+from requests import Response
+from requests.exceptions import HTTPError, ReadTimeout  # noqa
+
+from .logger import logger
+
+__all__ = ["ReadTimeout", "HTTPError"]
+
+from .const import *
+
+RESP_HEADERS_TO_PRINT = ["Cookie", "Cache-Control", "Content-Type", "Host"]
+
+
+def log_response(response: Response) -> None:
+    logger.debug(f"Request:  {curlify.to_curl(response.request)}")
+    logger.debug(f"Response: {response.status_code} {response.text}")
+    response.raise_for_status()
+
+
+def get(url: str, headers: dict[str, str] | None = None, timeout: float | None = None) -> requests.Response:
+    logger.debug(f"🔄 GET {url}")
+    response = requests.get(url, headers=headers, timeout=timeout)
+    log_response(response)
+    return response
+
+
+def post(
+    url: str,
+    data: dict[str, Any] | None = None,
+    json: dict[str, Any] | None = None,
+    headers: dict[str, str] | None = None,
+    timeout: float | None = None,
+) -> requests.Response:
+    logger.debug(f"🔄 POST {url}")
+    response = requests.post(url, data=data, json=json, headers=headers, timeout=timeout)
+    log_response(response)
+    return response
+
+
+def make_jws(header: dict[str, Any], claims: dict[str, Any], clientPrivateKey: Any) -> Any:
+    # Set expiration time.
+    claims["exp"] = int(time.time()) + 600
+    claims["iat"] = int(time.time())
+
+    return jwt.encode(claims, clientPrivateKey, algorithm="RS256", headers=header)

ibauth-0.0.2/pyproject.toml

@@ -0,0 +1,34 @@
+[project]
+name = "ibauth"
+version = "0.0.2"
+description = "Interactive Brokers OAuth"
+readme = "README.md"
+requires-python = ">=3.11"
+dependencies = [
+    "bump2version>=1.0.1",
+    "cryptography>=44.0.2",
+    "curlify>=2.2.1",
+    "mypy>=1.15.0",
+    "pre-commit>=4.1.0",
+    "pyjwt>=2.10.1",
+    "pyyaml>=6.0.2",
+    "requests>=2.32.3",
+    "ruff>=0.9.9",
+    "tenacity>=9.0.0",
+]
+
+[build-system]
+requires = ["setuptools"]
+
+[tool.mypy]
+ignore_missing_imports = false
+
+[[tool.mypy.overrides]]
+module = ["requests", "requests.exceptions", "curlify", "yaml"]
+ignore_missing_imports = true
+
+[tool.ruff]
+line-length = 120
+
+[tool.ruff.lint]
+select = ["I", "F"]

ibauth-0.0.2/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+