search

studerw / td-ameritrade-client

TD Ameritrade Java Client
Apache License 2.0
69 stars 47 forks source link

fetchQuotes method requires a refresh token #27

Closed jschlade closed 4 years ago

jschlade commented 4 years ago

Hi,

Thank you for coming up with this API. I find the TD Ameritrade API cumbersome and I'm still learning how this API works too. :-)

This issue is more of an enhancement request but it would be very beneficial to users that just want to use your API to get quotes and nothing more. This whole idea of using a refresh_token (that expires every 90 days) in your application is painful if you just want to get quotes.

Looking at the underlying quote API that this method uses:

https://developer.tdameritrade.com/quotes/apis/get/marketdata/quotes

It doesn't require anything but an apikey (Consumer Key). It would be great in this case if calls to fetchQuotes didn't require a refresh_token as it's not required. For example:

https://api.tdameritrade.com/v1/marketdata/quotes?apikey=<your app's consumer key>&symbol=IBM,MSFT

always works and doesn't require a refresh_token.

Thanks

studerw commented 4 years ago

I will have to check that API you claim works without a refresh token. That may work only when you’re logged into the TDA dev pages, but it wouldn’t work straight from Java outside of that page.

There are other APis out there that allow you getting a certain limit of quotes without any need for an account. You could even get it by scraping the API off of Google or Yahoo’s finance sites. But I’m pretty sure you’d be throttled and eventually blacklisted if you did it more than a few times per hour.

On Sun, Aug 23, 2020, at 18:18, jschlade wrote:

Hi,

Thank you for coming up with this API. I find the TD Ameritrade API cumbersome and I'm still learning how this API works too. :-)

This issue is more of an enhancement request but it would be very beneficial to users that just want to use your API to get quotes and nothing more. This whole idea of using a refresh_token (that expires every 90 days) in your application is painful if you just want to get quotes.

Looking at the underlying quote API that this method uses:

https://developer.tdameritrade.com/quotes/apis/get/marketdata/quotes

It doesn't require anything but an apikey (Consumer Key). It would be great in this case if calls to fetchQuotes didn't require a refresh_token as it's not required. For example:

https://api.tdameritrade.com/v1/marketdata/quotes?apikey=<your app's consumer key>&symbol=IBM,MSFT

always works and doesn't require a refresh_token.

Thanks

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/studerw/td-ameritrade-client/issues/27, or unsubscribe https://github.com/notifications/unsubscribe-auth/ABQHJA4L3XA655WV5SKHXCDSCGIUHANCNFSM4QI4O6XA.

jschlade commented 4 years ago

It works without a refresh token, you just need the consumer key for the app. Try it out and you'll see. Please consider implementing this. I want to use this API and for quote apps that use this API it will eliminate this cumbersome token management.

Looks like some minor refactoring of HttpTdaClient would do the trick.

Thanks

studerw commented 4 years ago

Looks like you're right. I'll try and implement this when I get time.

Without digging into the code, the HTTPClient is actually pretty smart - it won't actually try to use your refresh token to generate a current OAuth token until it explicitly makes a call that returns a 401 (I think) which means you need a new token.

So if I just added these API calls for quotes using just the CLIENTID, then you'd never ever have an exception where it tried to use your refresh token, and thus all the quote calls would return okay as long as client id / consumer key was legitimate. You could just add some garbage for the refresh token, and it would never be used anyway.

jschlade commented 4 years ago

I've started looking into this too but there's a few hurdles to overcome.

One is the use of this OauthInterceptor class that you've implemented. Since it's an Interceptor it's in use with every request and forces authentication all the time and requires a client_id and refresh_token. This looks like the biggest hurdle.

jschlade commented 4 years ago

I've implement this change without disrupting the existing functionality and code base too much.

I've commented out the check for "tda.token.refresh" in HttpTdaClient.validateProps, added "apikey" to the query string in HttpTdaClient.fetchQuotes and made some minor changes to OauthInterceptor.

This makes setting "tda.token.refresh" optional and pushes the validation for this property to the underlying method calls in HttpTdaClient. Given this, if you make a call to a method that requires an access_token and you don't have a refresh_token set an IllegalArgumentException will be thrown.

Please review and let me know what you think?

Thanks

HttpTdaClient.java.txt OauthInterceptor.java.txt

studerw commented 4 years ago

Take a look at the simple_quote_client branch.

People already have enough problems with OAuth tokens, I don't want to complicate the main client further by allowing empty refresh_tokens.

So instead, just use the HttpTdaQuoteClient.

You would need to switch to the simple_quote_client branch, build the project, and then in your project using the API, change the dependency to 2.4.0-SNAPSHOT.

Let me know if this works okay. If it does, I'll merge it into master and make a new 2.4 release.

jschlade commented 4 years ago

I'm not a huge fan of multiple client types so please don't worry about it. Thanks again for all your hard work.