B.1 SSO User Creation & Authorisation (Full OAuth)

The Full SSO implementation provides complete OAuth 2.0-compliant user identity management in which the broker's CRM owns and controls user authentication. This module replaces cTrader's default login system with broker-branded authentication flows.

Overview

The Full SSO module enables:

  • Complete replacement of cTrader login with broker CRM authentication
  • Unified user identity across broker and trading platforms
  • Automatic re-login capabilities
  • Broker-owned user data and authentication policies
  • Seamless integration with existing broker user management systems

Prerequisites

Before implementing Full SSO, ensure completion of:

  • Part A: All foundation requirements (infrastructure, authentication, broker identification, URL conventions, error codes)

User Creation Flow

Flow Diagram: User Creation Flow

Detailed Flow Stages

Stage 1: Initial Application Launch

  1. User launches cTrader application
  2. Platform searches for existing accessToken locally
  3. Failure to find valid token triggers SSO flow

Stage 2: Broker Authentication

  1. Platform opens custom login/signup screen

    • URL: https://brokerCrmUrl.com/auth/login
    • Parameter: firstLogin=true
    • Includes broker identification parameters
  2. User completes registration on broker's CRM

    • Fills broker's registration requirements
    • Accepts terms and conditions
    • Completes any mandatory verification steps

Stage 3: User Creation in cTrader

  1. Broker backend sends user creation request

    • API Call: 3.2 - Create a User
    • Endpoint: /ctid/users
    • Authentication: Manager token
  2. cTrader backend creates new user

    • Generates unique userId
    • Returns success response with userId
  3. Broker CRM stores user linkage

    • Maps internal user ID to cTrader userId
    • Maintains bidirectional reference

Stage 4: Agreement Confirmation (Optional)

  1. User confirms broker agreement
    • API Call: 3.13 - Confirm User Agreement
    • Endpoint: /ctid/users/{userId}/agreement
    • Stores legal acceptance timestamp

Stage 5: Trading Account Creation

  1. Platform opens account creation screen

    • URL: https://brokerCrmUrl.com/account/create
    • Pre-populated with user information
  2. User submits account creation form

    • Selects account type
    • Sets trading preferences
    • Specifies initial deposit if required
  3. Broker CRM creates trading account

    • API Call: 3.3 - Create a Trader
    • Endpoint: /ctid/traders
    • Returns account login number
  4. Account linkage confirmation

    • API Call: 3.4 - Link Trading Account to User
    • Endpoint: /ctid/users/{userId}/traders/{traderId}
    • Establishes user-account relationship

Stage 6: Token Generation and Exchange

  1. Broker CRM generates a one-time (OT) token

    • Creates the one-time token used to establish the session
    • Associates the token with the user and the trading account
  2. User redirected to success URL

    • URL: https://brokerCrmUrl.com/callback/success
    • Parameter: token={otToken}
    • Platform closes browser and stores token
  3. Platform initiates authorization

    • Opens connection to cTrader backend
    • Sends authorization request with OT token
  4. cTrader backend exchanges OT token

    • API Call: 4.2 - Verify and Exchange OT Token
    • Endpoint: /oauth2/token
    • Authentication: CRM API token
  5. Broker CRM validates and responds

    • Verifies OT token validity
    • Returns userId and accessToken

Stage 7: Session Establishment

  1. cTrader backend authorizes session

    • Creates authenticated session under userId
    • Returns accessToken to application
  2. Application stores access token

    • Saves token for future requests
    • Enables automatic re-login capability
  3. Authorized communications begin

    • Platform can now access cTrader APIs
    • User is fully authenticated in system
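The token handling in Stages 6 and 7 is where this flow stands or falls: the OT token must be unguessable, bound to one user and account, accepted only once, expired quickly, and exchangeable only by a caller presenting the CRM API token, while the platform must accept `token=` only from the exact success URL over HTTPS. The following is an added illustration of those checks, not code from cTrader or any broker CRM; the in-memory store, the constant `CRM_API_TOKEN`, the 60-second TTL and the function names are assumptions.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit

# Constructed stand-ins for the CRM database and for the token issued via
# /oauth2/crmApiToken. Real deployments keep both server-side and secret.
CRM_API_TOKEN = "crm-api-token-example"
OT_TOKEN_TTL_SECONDS = 60
_ot_tokens = {}  # otToken -> {"userId", "traderId", "expires", "used"}


def issue_ot_token(user_id, trader_id, now=None):
    """Stage 6 step 1: one-time token bound to the user and trading account."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of entropy; unguessable
    _ot_tokens[token] = {"userId": user_id, "traderId": trader_id,
                         "expires": now + OT_TOKEN_TTL_SECONDS, "used": False}
    return token


def exchange_ot_token(crm_api_token, ot_token, now=None):
    """Stage 6 steps 4-5: the CRM side of /oauth2/token. Returns (status, body)."""
    now = time.time() if now is None else now
    # Only the cTrader backend, holding the CRM API token, may exchange.
    if not hmac.compare_digest(crm_api_token, CRM_API_TOKEN):
        return 401, {"error": "invalid_client"}
    record = _ot_tokens.get(ot_token)  # high-entropy key, so lookup timing leaks nothing useful
    if record is None or record["used"]:
        return 400, {"error": "invalid_grant"}  # unknown token or replay
    record["used"] = True  # burn first, so a racing second exchange also fails
    if now > record["expires"]:
        return 400, {"error": "invalid_grant"}  # expired tokens stay burned
    access_token = secrets.token_urlsafe(32)  # constructed long-term accessToken
    return 200, {"userId": record["userId"], "accessToken": access_token}


def token_from_success_url(url):
    """Stage 6 step 2: platform side. Accept token= only from the exact
    https://brokerCrmUrl.com/callback/success URL, and only one value."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != "brokercrmurl.com" \
            or parts.path != "/callback/success":
        return None
    values = parse_qs(parts.query).get("token", [])
    return values[0] if len(values) == 1 else None
```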

User Authorization Flow (Existing Users)

For users already registered in both systems:

Flow Stages

  1. Application launch and token search
  2. Token found and valid → Direct authentication
  3. Token expired/invalid → Re-authentication flow
  4. Open login screen with firstLogin=false
  5. User authentication with broker CRM
  6. Token exchange and session establishment

Automatic Re-Login Flow

Conditions for Automatic Re-Login

  • User previously authenticated on same device
  • 'Keep Me Logged In' option selected during previous login
  • Valid long-term accessToken exists

Flow Process

  1. Application checks for stored accessToken
  2. Validates token with cTrader backend
  3. If valid → Direct access without login screen
  4. If invalid → Full authentication flow

API Specifications

Required API Endpoints (Broker CRM)

User Creation Endpoint

POST /oauth2/crmApiToken
POST /oauth2/token

User Management Endpoints

POST /ctid/users
POST /ctid/traders
POST /ctid/users/{userId}/traders/{traderId}
POST /ctid/users/{userId}/agreement

Required Screens

Login/Signup Screen

  • URL: /auth/login
  • Parameters: firstLogin, lang, source, theme, partnerId
  • Functionality: User registration and authentication

Account Creation Screen

  • URL: /account/create
  • Parameters: userId, lang, source, theme
  • Functionality: Trading account setup

Success Callback Screen

  • URL: /callback/success
  • Parameters: token
  • Functionality: Token delivery and flow completion

Implementation Requirements

Security Requirements

  • HTTPS Only: All endpoints must use HTTPS
  • Token Security: Secure token generation and validation
  • Session Management: Proper session timeout and refresh
  • Data Protection: Secure storage of user credentials

User Experience Requirements

  • Responsive Design: Mobile and desktop compatible
  • Loading Performance: ≤ 3 seconds screen load time
  • Error Handling: Clear error messages and recovery options
  • Accessibility: WCAG 2.1 AA compliance

Integration Requirements

  • Parameter Handling: Accept all required URL parameters
  • Error Responses: Standardized error response format
  • Logging: Comprehensive audit trail
  • Monitoring: Performance and error rate monitoring

Business Benefits

For Regulated Brokers

  • Compliance: Unified compliance audit trail
  • Data Control: Complete ownership of user data
  • Risk Management: Centralized identity and access management

For User Experience

  • Branding: Consistent broker branding throughout
  • Convenience: Single login for all platforms
  • Trust: Familiar broker interface reduces friction

For Operations

  • Support: Centralized user management
  • Analytics: Complete user journey tracking
  • Efficiency: Reduced support overhead

Testing Requirements

Conformance Testing

  • Complete user creation flow validation
  • Token exchange mechanism verification
  • Error handling scenario testing
  • Cross-platform compatibility verification

Security Testing

  • Token security validation
  • Session management testing
  • Data protection verification
  • Authentication bypass attempts

Performance Testing

  • Load testing for concurrent users
  • Token exchange performance
  • Screen loading time validation
  • Error recovery performance

This Full SSO implementation provides comprehensive identity management with broker-owned authentication, ideal for regulated brokers and those requiring complete control over user identity and compliance.