Authentication

Establishing Authentication

Client applications should authenticate with a Motif Markets identity server. The server implements OAuth 2.0 and OpenID Connect; the exact steps for each authorization flow are documented in RFC 6749.

Endpoint URL
Empower Hub Sdn Bhd https://passport.em2.asia

Which Flow to use

How your application is structured and what it does dictates which authentication flow must be used.

  • If your client application acts on behalf of a user, then you should implement the hybrid flow. The user's browser is redirected to the Passport login page, where the user is verified in a secure manner; your application receives an authorization code and an ID token at its redirect URI, and exchanges the code at the token endpoint for an access token and a refresh token. In this way your client application never handles the user's credentials. Because the discovery document advertises the S256 code challenge method, send a PKCE code_challenge with the authorization request and the matching code_verifier with the code exchange, and bind each callback to the login attempt with a state value. This is the typical method for use with websites.
  • If your client application acts on behalf of itself or your company, then you can implement the password flow. This requires your client application to provide user credentials, which have typically been allocated to you. Keep those credentials in server-side configuration or a secrets store, never in code shipped to browsers or devices. This is the typical method for use with data and backend services.

Your Client ID will need to be configured for either of these flows in advance. If you request a flow for which your Client ID is not authorised, the token endpoint will reject the request and you will not be able to establish a connection.
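The following is an added example of the first half of the hybrid flow described above: building the authorization request with a PKCE S256 challenge, a state value and a nonce, then validating the form_post callback and assembling the authorization_code request for the token endpoint. It is not code from the Passport service or its SDKs; the client ID "ExampleWeb" and the redirect URI are assumed placeholders, and the endpoint and parameter names come from the discovery document published by the server. Verifying the returned id_token against the keys at jwks_uri is a separate step that this example does not perform.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Endpoint taken from the server's discovery document.
AUTHORIZE_ENDPOINT = "https://passport.em2.asia/connect/authorize"

# Hypothetical client registration; these values are assumptions, not a real Passport client.
CLIENT_ID = "ExampleWeb"
REDIRECT_URI = "https://app.example.test/signin-oidc"


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge: base64url(sha256(verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_request(scopes):
    """Build the hybrid-flow authorize URL and the per-login secrets the
    application must keep server-side, bound to the user's session, until the
    callback arrives (they are never sent to the browser)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    pending = {
        "state": secrets.token_urlsafe(32),   # ties the callback to this login attempt
        "nonce": secrets.token_urlsafe(32),   # must reappear inside the id_token
        "code_verifier": verifier,            # proves the code exchange comes from us
    }
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code id_token",     # hybrid flow
        "response_mode": "form_post",         # keeps the id_token out of query strings and logs
        "scope": " ".join(scopes),
        "state": pending["state"],
        "nonce": pending["nonce"],
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), pending


def handle_callback(form, pending):
    """Validate the form_post callback against the stored per-login secrets and
    return the body of the authorization_code request for the token endpoint.
    The id_token signature and nonce must still be verified before the user is
    treated as logged in; that check is not shown here."""
    if "error" in form:
        raise PermissionError(f"authorization failed: {form['error']}")
    got = str(form.get("state", "")).encode("utf-8")
    if not secrets.compare_digest(got, pending["state"].encode("utf-8")):
        raise PermissionError("state mismatch: callback is not for this login attempt")
    if not form.get("code") or not form.get("id_token"):
        raise PermissionError("callback is missing code or id_token")
    return {
        "grant_type": "authorization_code",
        "code": form["code"],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": pending["code_verifier"],
    }


if __name__ == "__main__":
    url, pending = build_authorize_request(["openid", "profile", "offline_access"])
    print("redirect the browser to:", url)
    # Constructed callback form, as the browser would POST it to REDIRECT_URI.
    form = {"code": "constructed-code", "id_token": "constructed.id.token", "state": pending["state"]}
    print("token request body:", handle_callback(form, pending))
```

The `pending` dictionary is the part that is easy to get wrong: it belongs in the server-side session, keyed to the user who started the login, so that a callback carrying someone else's `state` is rejected rather than silently logging the victim into the attacker's account.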

Discovery Document

A discovery document is available from the identity server by issuing a GET to the path /.well-known/openid-configuration, which returns a JSON object. This object describes the service and can be used to determine the endpoints and capabilities it provides, rather than hard-coding them. Your client should check that the "issuer" value matches the server you intended to talk to before using any of the endpoints it lists.

Example Discovery Document Request:

GET https://passport.em2.asia/.well-known/openid-configuration HTTP/1.1
User-Agent: Fiddler
Host: passport.em2.asia

Example Discovery Document Response:

HTTP/1.1 200 OK
Date: Wed, 15 Jan 2020 04:28:09 GMT
Content-Type: application/json; charset=UTF-8
Connection: keep-alive
Strict-Transport-Security: max-age=31536000
Referrer-Policy: no-referrer
Content-Length: 1963

{"issuer":"https://passport.em2.asia",
"jwks_uri":"https://passport.em2.asia/.well-known/openid-configuration/jwks",
"authorization_endpoint":"https://passport.em2.asia/connect/authorize",
"token_endpoint":"https://passport.em2.asia/connect/token",
"userinfo_endpoint":"https://passport.em2.asia/connect/userinfo",
"end_session_endpoint":"https://passport.em2.asia/connect/endsession",
"check_session_iframe":"https://passport.em2.asia/connect/checksession",
"revocation_endpoint":"https://passport.em2.asia/connect/revocation",
"introspection_endpoint":"https://passport.em2.asia/connect/introspect",
"device_authorization_endpoint":"https://passport.em2.asia/connect/deviceauthorization",
"frontchannel_logout_supported":true,
"frontchannel_logout_session_supported":true,
"backchannel_logout_supported":true,
"backchannel_logout_session_supported":true,
"scopes_supported":["openid","profile","email","roles","Passport/Admin","Zenith/Market",
"Zenith/News","Zenith/Trading","Zenith/OrderPad","Zenith/Admin","offline_access"],
"claims_supported":["sub","updated_at","locale","zoneinfo","birthdate","gender","website","picture","profile","preferred_username","nickname",
"middle_name","given_name","family_name","name","email","email_verified","role"],
"grant_types_supported":["authorization_code","client_credentials","refresh_token","implicit","password",
"urn:ietf:params:oauth:grant-type:device_code"],
"response_types_supported":["code","token","id_token","id_token token","code id_token","code token","code id_token token"],
"response_modes_supported":["form_post","query","fragment"],
"token_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post"],
"id_token_signing_alg_values_supported":["RS256"],
"subject_types_supported":["public"],
"code_challenge_methods_supported":["plain","S256"],
"request_parameter_supported":true
}

Required information

  • a registered Client ID for your application
  • optionally, a Client Secret (sent using client_secret_basic or client_secret_post, the two methods the discovery document advertises)
  • a valid set of user credentials

Requesting a Token

A POST request needs to be issued to the token endpoint listed in the discovery document, with the parameters sent as application/x-www-form-urlencoded. If a Client Secret has been issued to you, include it with the request; the examples below use a public client with no secret.

Request

POST https://passport.em2.asia/connect/token HTTP/1.1
Host: passport.em2.asia
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Content-Length: 77

grant_type=password&username=example&password=password&client_id=ExampleIQ

Valid Response

HTTP/1.1 200 OK
Date: Wed, 15 Jan 2020 05:53:47 GMT
Content-Type: application/json; charset=UTF-8
Connection: keep-alive
Cache-Control: no-store, no-cache, max-age=0
Pragma: no-cache
Strict-Transport-Security: max-age=31536000
Referrer-Policy: no-referrer
Content-Length: 1535

{"access_token":"eyJhbGc...IGjgIXCR0",
"expires_in":3600,
"token_type":"Bearer",
"refresh_token":"E89839LKNLO...E0",
"scope":"offline_access Zenith/Admin Zenith/News Zenith/OrderPad Zenith/Trading"
}

Refreshing a Token

A POST request needs to be issued to the token endpoint as described in the discovery document. No user credentials are passed, only the refresh token. A new access token will be returned, and the response may also carry a new refresh token (as in the example below, where it differs from the one sent). Store whatever refresh token the response contains and discard the old one, as the server may treat the previous value as used. If the server answers 400 with "error":"invalid_grant", the refresh token is no longer valid and the client must request a new token with user credentials.

Request

POST https://passport.em2.asia/connect/token HTTP/1.1
Host: passport.em2.asia
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Content-Length: 105

grant_type=refresh_token&refresh_token=E89839LKNLO...E0&client_id=ExampleIQ

Valid Response

HTTP/1.1 200 OK
Date: Thu, 16 Jan 2020 00:59:07 GMT
Content-Type: application/json; charset=UTF-8
Connection: keep-alive
Cache-Control: no-store, no-cache, max-age=0
Pragma: no-cache
Strict-Transport-Security: max-age=31536000
Referrer-Policy: no-referrer
Content-Length: 1535

{"access_token":"eyJhbG...dbAeLqc",
"expires_in":3600,
"token_type":"Bearer",
"refresh_token":"Cqg6W7...5kU",
"scope":"Zenith/Admin Zenith/News Zenith/OrderPad Zenith/Trading offline_access"}
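The following is an added example, not code from the Passport service, that ties the three sections above together for a backend client: it reads the endpoints and supported grants from the discovery document, requests a token with the password grant, and keeps the token pair fresh, storing the rotated refresh token each time one is returned and surfacing an invalid_grant error as a signal to log in again. The transport is injectable so the exchange can be exercised offline against constructed responses; the discovery fields, client ID "ExampleIQ" and credentials used in the demo are constructed placeholders taken from the examples on this page.

```python
import json
import time
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

EXPECTED_ISSUER = "https://passport.em2.asia"

# Constructed subset of the discovery document shown above. A real client
# fetches it with GET EXPECTED_ISSUER + "/.well-known/openid-configuration".
SAMPLE_DISCOVERY = {
    "issuer": "https://passport.em2.asia",
    "token_endpoint": "https://passport.em2.asia/connect/token",
    "grant_types_supported": ["authorization_code", "client_credentials",
                              "refresh_token", "implicit", "password"],
}


def http_post_form(url, fields):
    """Default transport: POST a form to the token endpoint, return (status, json body)."""
    req = Request(url, data=urlencode(fields).encode("ascii"), method="POST",
                  headers={"Accept": "application/json",
                           "Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as e:  # the token endpoint answers errors with 400 and a JSON body
        return e.code, json.loads(e.read() or b"{}")


def scripted_transport(responses, calls):
    """Offline transport for demos/tests: records each request, replays canned replies."""
    def post(url, fields):
        calls.append((url, dict(fields)))
        return responses.pop(0)
    return post


class PassportClient:
    """Password-grant client that caches the token pair and refreshes it before expiry."""

    REFRESH_SKEW = 60  # refresh this many seconds before the access token expires

    def __init__(self, discovery, client_id, client_secret=None,
                 post=http_post_form, clock=time.time):
        if discovery.get("issuer") != EXPECTED_ISSUER:
            raise ValueError("discovery issuer mismatch: %r" % discovery.get("issuer"))
        for grant in ("password", "refresh_token"):
            if grant not in discovery.get("grant_types_supported", []):
                raise ValueError("server does not advertise the %s grant" % grant)
        self.token_endpoint = discovery["token_endpoint"]
        self.client_id = client_id
        self.client_secret = client_secret  # sent as client_secret_post when present
        self._post, self._clock = post, clock
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0

    def _token_request(self, fields):
        fields = dict(fields, client_id=self.client_id)
        if self.client_secret:
            fields["client_secret"] = self.client_secret
        status, body = self._post(self.token_endpoint, fields)
        if status != 200 or "access_token" not in body:
            raise PermissionError("token request failed (%s): %s" % (status, body.get("error", body)))
        self.access_token = body["access_token"]
        # Rotation: keep the new refresh_token when the server issues one; the old one is dead.
        self.refresh_token = body.get("refresh_token", self.refresh_token)
        self.expires_at = self._clock() + body.get("expires_in", 0)
        return body

    def login(self, username, password, scopes):
        """Resource-owner password grant; the credentials are used once and not retained."""
        return self._token_request({"grant_type": "password", "username": username,
                                    "password": password, "scope": " ".join(scopes)})

    def refresh(self):
        if not self.refresh_token:
            raise PermissionError("no refresh_token held; log in again")
        return self._token_request({"grant_type": "refresh_token",
                                    "refresh_token": self.refresh_token})

    def bearer(self):
        """Return a usable access token, refreshing it if it is (nearly) expired."""
        if self.access_token is None:
            raise PermissionError("not logged in")
        if self._clock() >= self.expires_at - self.REFRESH_SKEW:
            self.refresh()
        return self.access_token


if __name__ == "__main__":
    # Constructed replies modelled on the responses shown above (tokens shortened).
    calls, replies = [], [
        (200, {"access_token": "eyJhbGc...A1", "expires_in": 3600, "token_type": "Bearer",
               "refresh_token": "E89839LKNLO...E0", "scope": "offline_access Zenith/Trading"}),
        (200, {"access_token": "eyJhbG...A2", "expires_in": 3600, "token_type": "Bearer",
               "refresh_token": "Cqg6W7...5kU", "scope": "Zenith/Trading offline_access"}),
    ]
    c = PassportClient(SAMPLE_DISCOVERY, "ExampleIQ", post=scripted_transport(replies, calls))
    c.login("example", "password", ["openid", "offline_access", "Zenith/Trading"])
    print("bearer:", c.bearer(), "refresh_token:", c.refresh_token)
    c.refresh()
    print("after refresh, stored refresh_token:", c.refresh_token)
```

Swap `scripted_transport` for the default `http_post_form` to talk to the real endpoint; nothing else changes. The `bearer()` method is the one callers should use for every request, so that a token nearing expiry is renewed before it is presented to an API rather than after a 401.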