Refinitiv ADS Token-Based Authentication
A token-based authentication system on Refinitiv Real-Time Distribution System
The original article can be found on the Refinitiv Developers Community.
Refinitiv Real-Time Distribution System uses Data Access Control System (DACS) to authenticate and authorize users to access real-time data. DACS requires DACS IDs, positions, and application IDs to authenticate users. To connect to Refinitiv Real-Time Distribution System, an application supplies a DACS ID, position, and application ID. Then, those items are sent to DACS for authentication. The connection is accepted if the following conditions are met:
• The DACS ID is defined within Data Access Control System.
• The position does not violate simultaneous login rules.
• The application is allowed for the username.
After a connection is established, username entitlements are enforced according to the entitlements of that DACS ID/application combination.
As security concerns increase, a stronger authentication model is required. Fortunately, Refinitiv Real-Time Distribution System supports the UserAuthn Authentication model, which allows users to integrate any existing local authentication system into Refinitiv Real-Time Distribution System.
Please refer to the ADS Token-Based Authentication on the Refinitiv Developer Community Website for the full article.
UserAuthn Authentication
UserAuthn authentication is based on a token-based authentication model, which is commonly used in the financial industry. In a token-based model, the client-side application obtains a token (typically a random string) that a token generator issues based on the user’s credentials. The application then sends that token to Refinitiv Real-Time Distribution System for authentication. Some advantages associated with token-based authentication are:
· Performance
· Client-side storage (Refinitiv Real-Time Distribution System does not know the password)
· Limited life-span (i.e., tokens expire)
The following diagram illustrates the steps of using the Refinitiv Real-Time Distribution System with a token-based authentication system.
- The application passes its authentication credentials (username/password) to a Token Generator
- The Token Generator responds with a token
- The application sets the token in a login request message and then sends the request message to ADS. RFA applications can set the token in the username field. RTSDK applications can set the token in the message key attributes
- ADS passes the token to a token authenticator for validation
- If the token is valid, the token authenticator responds with an indication, a DACS ID, a position, and an application ID
- ADS checks the DACS ID, position, and application ID against DACS profiles
- ADS sends a login response to the application. The login response indicates whether the login is accepted or rejected
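The token generator and token authenticator roles from the flow above, as an added Node.js example; it is not the UserAuthnServerExample code or a Refinitiv API. The function names, the five-minute token lifetime, and the sample user record are assumptions constructed for illustration.

```javascript
// Added example (hypothetical names); not the UserAuthnServerExample code.
const nodeCrypto = require('crypto');

const TOKEN_TTL_MS = 5 * 60 * 1000; // assumed lifetime; the article only says tokens expire
const sha256 = (s) => nodeCrypto.createHash('sha256').update(s).digest('hex');
const kdf = (password, salt) => nodeCrypto.scryptSync(password, salt, 32);

// Constructed user record: password verifier plus the DACS identity returned for a valid token.
function makeUser(password, dacsId, position, applicationId) {
  const salt = nodeCrypto.randomBytes(16);
  return { salt, hash: kdf(password, salt), dacsId, position, applicationId };
}
const users = new Map([
  ['alice', makeUser('constructed-passphrase', 'user1', '192.0.2.10/net', '256')],
]);
const tokens = new Map(); // sha256(token) -> { username, expiresAt }

// Token generator: the application exchanges its credentials for a token.
function issueToken(username, password, now = Date.now()) {
  const user = users.get(username);
  // Run the KDF even for unknown users so both failure paths cost the same.
  const candidate = kdf(password, user ? user.salt : Buffer.alloc(16));
  if (!user || !nodeCrypto.timingSafeEqual(candidate, user.hash)) return null;
  const token = nodeCrypto.randomBytes(32).toString('hex'); // CSPRNG, 256 bits
  // Keep only a hash, so a dump of the token table yields no usable tokens.
  tokens.set(sha256(token), { username, expiresAt: now + TOKEN_TTL_MS });
  return token;
}

// Token authenticator: ADS passes the token here; the reply carries an indication
// plus the DACS ID, position and application ID that ADS checks against DACS.
function validateToken(token, now = Date.now()) {
  const key = sha256(String(token));
  const entry = tokens.get(key);
  if (!entry) return { valid: false };
  if (now >= entry.expiresAt) {
    tokens.delete(key); // expired tokens are purged and can never validate again
    return { valid: false };
  }
  const { dacsId, position, applicationId } = users.get(entry.username);
  return { valid: true, dacsId, position, applicationId };
}
```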
DACS UserAuthnServerExample
The Refinitiv DACS package contains an example of a token-based authentication system called UserAuthnServerExample. It is a Node.js application that provides interfaces for applications to get tokens and for ADS to verify tokens.
Before configuring the UserAuthnServerExample, you should have:
- Data Access Control System installed on the system
- Refinitiv Real-Time Advanced Distribution Server 3.1 configured with Data Access Control System enabled
- Node.js version 4.4.5 or above installed on the machine
EMA Examples
EMA UserAuthn Authentication examples are available on GitHub.
· EMA C++: https://github.com/Refinitiv-API-Samples/Example.EMA.CPP.AuthExample
· EMA Java: https://github.com/Refinitiv-API-Samples/Example.EMA.Java.AuthExample
These examples send a username and password to the token generator to get a token and then use the token to log in to ADS.
Summary
DACS UserAuthn Authentication allows users to integrate any existing local authentication system into Refinitiv Real-Time Distribution System. It is based on a token-based authentication model, which is commonly used in the financial industry. An application sends credentials to a token generator to get a token. The token is sent to ADS via a login request message. ADS verifies the token with a token authenticator. If the token is valid, ADS checks the retrieved DACS ID, position, and application ID against DACS profiles and then sends a login response to the application to accept or reject the connection. The DACS package contains a UserAuthnServerExample, which is a Node.js application. It provides interfaces for applications to get tokens and for ADS to verify tokens. EMA token authentication examples are also available on GitHub. The examples demonstrate how to get a token from a token generator and send a login request with the token to ADS.
References
- 2020. Data Access Control System 7.7.x: USERAUTHN AUTHENTICATION. Refinitiv.
- ADS Token-Based Authentication on the Refinitiv Developer Community Website