Skip to main content

SSO user creation and authorisation

SSO user creation and authorisation is the identity module where the broker's CRM owns and controls user authentication.

note

The broker's CRM must store the user's preferred language. When a user first registers in the broker's client area, this is used to send the welcome email in the correct language.

Prerequisites

Important

Before implementing SSO user creation and authorisation, ensure completion of:

  • Setup actions: Infrastructure & connectivity, authentication of API calls
  • Contracts: Broker identification, screen URL conventions

User creation flow

Flow diagram

The flow proceeds through the following stages:

  1. The user launches the cTrader application.
  2. The platform fails to find a stored accessToken locally.
  3. The platform opens the custom login/signup screen with the firstLogin parameter set to true.
  4. The user completes the broker's requirements and registers on the broker's CRM.
  5. The broker backend sends a user creation request to the cTrader backend (POST /oauth2/ctid/create).
  6. The cTrader backend creates the user and responds with the userId (POST /oauth2/ctid/create).
  7. The broker stores the link between its internal user and the userId.
  8. (Optional) The user confirms the broker's agreement (PUT /oauth2/ctid/acceptAgreement).
  9. The browser opens the account creation screen; the submitted form is sent to the broker backend.
  10. The broker backend requests a trading account creation and the cTrader backend returns the account login (POST /webserv/traders).
  11. The broker backend requests account linkage and the cTrader backend confirms it (POST /ctid/link).
  12. The broker stores the account record and generates an OT token.
  13. The user is redirected to the success URL with the OT token passed as the token parameter.
  14. The application detects the success URL, closes the web browser and stores the token.
  15. The application opens a connection to the cTrader backend and sends an authorisation request with the token.
  16. The cTrader backend exchanges the OT token for a long-term access token (POST /oauth2/onetime/authorize).
  17. The broker CRM verifies the token and responds with the userId and accessToken (POST /oauth2/onetime/authorize).
  18. The cTrader backend authorises the session under the userId and returns the accessToken.
  19. The platform stores the accessToken for future use.
  20. The application starts authorised communications with the cTrader backend.

User authorisation flow

Applies when the user already exists in both the broker's CRM and the cTrader backend, but the app has no stored accessToken. The user authenticates with their credentials on the broker's login screen.

Flow diagram

The flow proceeds through the following stages:

  1. The user launches the cTrader application.
  2. The platform fails to find a stored accessToken.
  3. The platform opens the custom login/signup screen.
  4. The user fills out the authorisation form and is authorised on the broker's CRM.
  5. The CRM finds the stored userId and generates an OT token.
  6. The user is redirected to the success URL with the OT token passed as the token parameter.
  7. The application detects the success URL, closes the web browser/iframe and stores the token.
  8. The application opens a connection to the cTrader backend and sends an authorisation request with the token.
  9. The cTrader backend exchanges the OT token for a long-term access token (POST /oauth2/onetime/authorize).
  10. The broker CRM verifies the token and responds with the userId and accessToken (POST /oauth2/onetime/authorize).
  11. The cTrader backend authorises the session under the userId and returns the accessToken.
  12. The platform stores the accessToken for future use.
  13. The application starts authorised communications with the cTrader backend.

Automatic re-login flow

Applies when the user previously authenticated on the same app and device, selected Keep me logged in and the app has an accessToken in local storage.

Flow diagram

The flow proceeds through the following stages:

  1. The user launches cTrader.
  2. The application finds the stored accessToken.
  3. The application opens a connection to the cTrader backend and sends an authorisation request with the accessToken.
  4. The cTrader backend authorises the user via the accessToken (POST /oauth2/authorize).
  5. The broker CRM checks the accessToken and responds with the userId (POST /oauth2/authorize).
  6. The cTrader backend authorises the current session under the userId.
  7. The application starts authorised communications with the cTrader backend.

API specifications

Endpoints used

This flow uses the following API reference endpoints.

Broker → cTrader

cTrader → broker CRM

Required screens

See URL conventions and query parameters for URL format rules and parameter definitions.

Login/signup screen

  • URL: https://brokerCrmUrl.com/auth/login
  • Parameters: firstLogin, lang, source, theme, partnerId
warning

If your login/signup page allows users to login or signup using their Apple ID (using the Sign in with Apple button or equivalent), note that the creation of user accounts using @privaterelay.appleid.com addresses is not supported. Any API requests containing such emails will return an error response. To this end, and in order to ensure a smooth user experience, we request that you either implement corresponding logic to prevent the use of such email addresses, or consider removing social authentication options from your login/signup screen.

Login/signup screen web example 1

Account creation screen

  • URL: https://brokerCrmUrl.com/account/create
  • Parameters: userId, lang, source, theme

Success callback screen

  • URL: https://brokerCrmUrl.com/callback/success
  • Parameters: token