I have a valid consumer key and I'm unable to get Interactive Brokers Web API OAuth to work.
{"error":"id: 3931, error: invalid consumer","statusCode":401}
- The endpoint I'm trying to get to work: https://www.interactivebrokers.com/webtradingapi/doc.html#tag/OAuth/paths/~1oauth~1request_token/post
- OAuth v1.0a specification https://oauth.net/core/1.0a/#auth_header_authorization
Am I missing something in my implementation?
It's also on GitHub.
var httpClient = new HttpClient
{
BaseAddress = new Uri("https://www.interactivebrokers.com/tradingapi/v1/")
};
var restClient = new IBRestClient(httpClient);
var response = await restClient.RequestTokenAsync("xxxxx");
Console.WriteLine($"Response: {response}");
Console.ReadLine();
public sealed class IBRestClient
{
private readonly HttpClient _httpClient;
public IBRestClient(HttpClient httpClient)
{
_httpClient = httpClient;
}
public async ValueTask<string> RequestTokenAsync(string consumerKey)
{
const string requestUri = "oauth/request_token";
var request = new HttpRequestMessage(HttpMethod.Post, requestUri);
var baseUrl = _httpClient.BaseAddress!.AbsoluteUri;
var authorizationHeader = OAuthHelper.GetAuthorizationHeader($"{baseUrl}{requestUri}", "POST", consumerKey);
var authSplit = authorizationHeader.Split(' ');
request.Headers.Authorization = new AuthenticationHeaderValue(authSplit[0], authSplit[1]);
var response = await _httpClient.SendAsync(request);
return await response.Content.ReadAsStringAsync();
}
}
public static class OAuthHelper
{
private static readonly RandomNumberGenerator Random = RandomNumberGenerator.Create();
public static string GetAuthorizationHeader(string uri, string method, string consumerKey)
{
var oauthParameters = new Dictionary<string, string>
{
{ "oauth_consumer_key", consumerKey },
{ "oauth_signature_method", "RSA-SHA256" },
{ "oauth_timestamp", GetTimestamp() },
{ "oauth_nonce", GetNonce() },
{ "oauth_callback", "oob" }
};
// The request parameters are collected, sorted and concatenated into a normalized string
var queryParameters = ExtractQueryParams(uri);
var oauthParamString = GetOAuthParamString(queryParameters, oauthParameters);
var baseUri = GetBaseUriString(uri);
// Signature Base String
var signatureBaseString = GetSignatureBaseString(baseUri, method, oauthParamString);
var pem = File.ReadAllText("private_encryption.pem");
var signingKey = RSA.Create();
signingKey.ImportFromPem(pem);
var signature = SignSignatureBaseString(signatureBaseString, Encoding.UTF8, signingKey);
oauthParameters.Add("oauth_signature", signature);
// Constructs and returns the Authorization header
var sb = new StringBuilder();
foreach (var param in oauthParameters)
{
sb
.Append(sb.Length == 0 ? "OAuth " : ",")
.Append(param.Key)
.Append("=\"")
.Append(ToUriRfc3986(param.Value))
.Append('"');
}
return sb.ToString();
}
/// <summary>
/// Parse query parameters out of the URL.
/// </summary>
private static Dictionary<string, List<string>> ExtractQueryParams(string uri)
{
var queryParamCollection = new Dictionary<string, List<string>>();
var beginIndex = uri.IndexOf('?');
if (beginIndex <= 0)
{
return queryParamCollection;
}
var rawQueryString = uri[beginIndex..];
var decodedQueryString = Uri.UnescapeDataString(rawQueryString);
var mustEncode = !decodedQueryString.Equals(rawQueryString);
var queryParams = rawQueryString.Split('&', '?');
foreach (var queryParam in queryParams)
{
if (string.IsNullOrEmpty(queryParam))
{
continue;
}
var separatorIndex = queryParam.IndexOf('=');
var key = separatorIndex < 0 ? queryParam : Uri.UnescapeDataString(queryParam[..separatorIndex]);
var value = separatorIndex < 0
? string.Empty
: Uri.UnescapeDataString(queryParam[(separatorIndex + 1)..]);
var encodedKey = mustEncode ? ToUriRfc3986(key) : key;
var encodedValue = mustEncode ? ToUriRfc3986(value) : value;
if (!queryParamCollection.ContainsKey(encodedKey))
{
queryParamCollection[encodedKey] = new List<string>();
}
queryParamCollection[encodedKey].Add(encodedValue);
}
return queryParamCollection;
}
/// <summary>
/// Lexicographically sorts all parameters and concatenates them into a string.
/// </summary>
private static string GetOAuthParamString(IDictionary<string, List<string>> queryParameters,
IDictionary<string, string> oauthParameters)
{
var sortedParameters = new SortedDictionary<string, List<string>>(queryParameters, StringComparer.Ordinal);
foreach (var oauthParameter in oauthParameters)
{
sortedParameters[oauthParameter.Key] = new List<string> { oauthParameter.Value };
}
// Build the OAuth parameter string
var parameterString = new StringBuilder();
foreach (var parameter in sortedParameters)
{
var values = parameter.Value;
values.Sort(StringComparer.Ordinal); // Keys with same name are sorted by their values
foreach (var value in values)
{
parameterString
.Append(parameterString.Length > 0 ? "&" : string.Empty)
.Append(parameter.Key)
.Append('=')
.Append(value);
}
}
return parameterString.ToString();
}
/// <summary>
/// Normalizes the URL.
/// </summary>
private static string GetBaseUriString(string uriString)
{
var uri = new Uri(uriString);
var lowerCaseScheme = uri.Scheme.ToLower();
var lowerCaseAuthority = uri.Authority.ToLower();
var path = uri.AbsolutePath;
if (("http".Equals(lowerCaseScheme) && uri.Port == 80) || ("https".Equals(lowerCaseScheme) && uri.Port == 443))
{
// Remove port if it matches the default for scheme
var index = lowerCaseAuthority.LastIndexOf(':');
if (index >= 0)
{
lowerCaseAuthority = lowerCaseAuthority[..index];
}
}
if (string.IsNullOrEmpty(path))
{
path = "/";
}
return $"{lowerCaseScheme}://{lowerCaseAuthority}{path}"; // Remove query and fragment
}
/// <summary>
/// The Signature Base String is a consistent reproducible concatenation of the request elements into a single string.
/// </summary>
private static string GetSignatureBaseString(string baseUri, string httpMethod, string oauthParamString)
{
return httpMethod.ToUpper() // Uppercase HTTP method
+ "&" + ToUriRfc3986(baseUri) // Base URI
+ "&" + ToUriRfc3986(oauthParamString); // OAuth parameter string
}
/// <summary>
/// Signs the signature base string using an RSA private key.
/// </summary>
private static string SignSignatureBaseString(string baseString, Encoding encoding, RSA privateKey)
{
var hash = Sha256Digest(baseString, encoding);
var signedHashValue = privateKey.SignHash(hash, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
return Convert.ToBase64String(signedHashValue);
}
/// <summary>
/// Percent encodes entities.
/// </summary>
private static string ToUriRfc3986(string input)
{
if (string.IsNullOrEmpty(input))
{
return input;
}
var escaped = new StringBuilder(Uri.EscapeDataString(input));
string[] uriRfc3986EscapedChars = { "!", "*", "'", "(", ")" };
foreach (var escapedChar in uriRfc3986EscapedChars)
{
escaped.Replace(escapedChar, UriHelper.HexEscape(escapedChar[0]));
}
return escaped.ToString();
}
/// <summary>
/// Returns a cryptographic hash of the given input.
/// </summary>
private static byte[] Sha256Digest(string input, Encoding encoding)
{
var inputBytes = encoding.GetBytes(input);
return SHA256.HashData(inputBytes);
}
/// <summary>
/// Generates a 16 char random string for replay protection.
/// </summary>
private static string GetNonce()
{
var data = new byte[8];
Random.GetBytes(data);
return BitConverter.ToString(data).Replace("-", string.Empty).ToLower();
}
/// <summary>
/// Returns UNIX Timestamp.
/// </summary>
private static string GetTimestamp()
{
return DateTimeOffset.UtcNow.ToUnixTimeSeconds().ToString();
}
}
internal static class UriHelper
{
private static readonly char[] HexUpperChars =
{
'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B', 'C', 'D', 'E', 'F'
};
internal static string HexEscape(char character)
{
if (character > '\xff')
{
throw new ArgumentOutOfRangeException(nameof(character));
}
var chars = new char[3];
var pos = 0;
EscapeAsciiChar(character, chars, ref pos);
return new string(chars);
}
private static void EscapeAsciiChar(char ch, char[] to, ref int pos)
{
to[pos++] = '%';
to[pos++] = HexUpperChars[(ch & 0xf0) >> 4];
to[pos++] = HexUpperChars[ch & 0xf];
}
}
