transferred from
http://www.cnblogs.com/0201zcr/p/5133062.html
1、OAuth2.0
OAuth (Open Authorization) is an open standard that lets a user grant a third-party application access to private resources (such as photos, videos and contact lists) stored on a website without giving that third party the user's username and password.
Before WeChat OAuth2.0 authorized login can be integrated, register a developer account on the WeChat open platform, have an approved website application and obtain its AppID and AppSecret, then apply for WeChat login. Once that application has passed review, the integration procedure can begin.
WeChat OAuth2.0 authorization login currently supports authorization_code mode, which is suitable for application authorization with server side. The overall process of this mode is:
1. The third party initiates a WeChat authorization login request. After the WeChat user allows the third-party application's authorization, WeChat launches the application or redirects to the third-party website, carrying the authorization temporary ticket in the code parameter;
2. Using the code together with the AppID and AppSecret, etc., exchange it for an access_token through the API;
3. Use the access_token to make interface calls that obtain the user's basic data resources or perform basic operations on the user's behalf.
Get access_token sequence diagram:
Notes on the authorization callback domain:
1. What is filled in here is the domain name (a string), not a URL, so do not add a protocol prefix such as http://;
2. The authorization callback domain must be configured as the full domain name. For example, if the domain that needs web page authorization is www.qq.com, then after configuration the pages under that domain, such as http://www.qq.com/music.html and http://www.qq.com/login.html, can perform OAuth2.0 authentication, but http://pay.qq.com, http://music.qq.com and http://qq.com cannot perform OAuth2.0 authentication.
5.1, request url description
Before the third party uses the website application for authorized login, make sure the corresponding web page authorization scope (scope=snsapi_login) has been granted. On the PC side, open the following link:
https://open.weixin.qq.com/connect/qrconnect?appid=APPID&redirect_uri=REDIRECT_URI&response_type=code&scope=SCOPE&state=STATE#wechat_redirect
Parameter | Required | Description
--- | --- | ---
appid | Yes | Unique identifier of the application (obtained when the website application was approved in the previous step)
redirect_uri | Yes | Redirect address; must be UrlEncoded (obtained when the website application was approved in the previous step)
response_type | Yes | Fill in code
scope | Yes | Application authorization scope. Multiple scopes are separated by commas (,). Website applications currently only need to fill in snsapi_login.
state | No | Used to maintain state between the request and the callback; after the request is authorized it is returned to the third party unchanged. This parameter can be used to prevent CSRF attacks (cross-site request forgery). Third parties are advised to include it; it can be set to a simple random number plus the session, for verification.
Return description: if the user allows authorization, the page redirects to
redirect_uri?code=CODE&state=STATE
If the user prohibits authorization, the redirect does not carry the code parameter, only the state parameter:
redirect_uri?state=STATE
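The following is an added example (not code from the original post or from WeChat) of the server side of section 5.1: it builds the qrconnect link, generates a random state bound to the session, and checks state on the callback so that a redirect not started by this session is discarded. It also generalizes the callback-domain rule above into a check that the redirect_uri host equals the registered full domain exactly (subdomains and the bare apex are rejected). REGISTERED_DOMAIN, APPID and the session dictionary are assumed placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://open.weixin.qq.com/connect/qrconnect"

# Assumed placeholders: the full domain registered as the "authorization
# callback domain" on the open platform, and the application's AppID.
REGISTERED_DOMAIN = "www.example.com"
APPID = "APPID_PLACEHOLDER"


def redirect_uri_allowed(redirect_uri, registered_domain=REGISTERED_DOMAIN):
    """Mirror the platform rule: the callback host must equal the registered
    full domain name exactly; subdomains and the bare apex do not qualify."""
    parsed = urlparse(redirect_uri)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    return parsed.hostname.lower() == registered_domain.lower()


def new_state(session):
    """Create an unguessable state value and remember it in the server-side session."""
    state = secrets.token_urlsafe(32)
    session["wechat_oauth_state"] = state
    return state


def build_authorize_url(redirect_uri, session, appid=APPID):
    """Assemble the qrconnect link with a percent-encoded redirect_uri and a
    fresh per-session state; refuse a redirect_uri that is off the registered domain."""
    if not redirect_uri_allowed(redirect_uri):
        raise ValueError("redirect_uri host is not the registered callback domain: " + redirect_uri)
    params = {
        "appid": appid,
        "redirect_uri": redirect_uri,   # urlencode percent-encodes it (UrlEncode requirement)
        "response_type": "code",
        "scope": "snsapi_login",
        "state": new_state(session),
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params) + "#wechat_redirect"


def handle_callback(query_string, session):
    """Process redirect_uri?code=CODE&state=STATE.

    Returns the code, or None when the user refused (no code parameter).
    Raises PermissionError when state is missing or does not match the value
    stored for this session: such a callback was not initiated here (CSRF)."""
    query = parse_qs(query_string)
    expected = session.pop("wechat_oauth_state", None)   # single use, consumed either way
    received = query.get("state", [None])[0]
    if expected is None or received is None or not hmac.compare_digest(
            expected.encode("utf-8"), received.encode("utf-8")):
        raise PermissionError("state mismatch: discard this callback")
    return query.get("code", [None])[0]   # None means the user prohibited authorization


if __name__ == "__main__":
    session = {}
    print(build_authorize_url("https://www.example.com/wechat/callback", session))
    # Simulated callback carrying the state this session issued.
    print(handle_callback("code=CODE&state=" + session["wechat_oauth_state"], session))
```

The state is consumed on the first callback, so a replayed redirect fails the check even if it carries a value that was once valid; the domain check runs before the link is built, so a misconfigured redirect_uri is caught on the server rather than at the WeChat authorization page.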
5.2, Case:
The WeChat QR code link of Yihaodian is as follows:
https://open.weixin.qq.com/connect/qrconnect?appid=wxbdc5610cc59c1631&redirect_uri=https%3A%2F%2Fpassport.yhd.com%2Fwechat%2Fcallback.do&response_type=code&scope=snsapi_login&state=3d6be0a4035d839573b04816624a415e#wechat_redirect
Copy it into the browser and open it to get the QR code of Yihaodian. The QR code page is as follows:
Scanning the QR code with the WeChat client's scan function jumps to the address given in redirect_uri above. If the user agrees to the authorization, the code parameter returned by WeChat is obtained there.
6. Obtain user information
https://api.weixin.qq.com/sns/oauth2/access_token?appid=APPID&secret=SECRET&code=CODE&grant_type=authorization_code
Parameter Description
Parameter | Required | Description
--- | --- | ---
appid | Yes | Unique identifier of the application, obtained after the application is submitted to and approved by the WeChat open platform
secret | Yes | Application key (AppSecret), obtained after the application is submitted to and approved by the WeChat open platform
code | Yes | Fill in the code parameter obtained in the first step
grant_type | Yes | Fill in authorization_code
Return description
Correct return:
{ "access_token":"ACCESS_TOKEN", "expires_in":7200, "refresh_token":"REFRESH_TOKEN", "openid":"OPENID", "scope":"SCOPE", "unionid": "o6_bmasdasdsad6_2sgVt7hMZOPfL" }
access_token | Interface call credential
expires_in | Timeout of the access_token interface call credential, in seconds
refresh_token | Used by the user to refresh the access_token
openid | Unique identifier of the authorized user
scope | Scopes authorized by the user, separated by commas (,)
unionid | Present only when the website application has obtained the user's userinfo authorization.
Error return example:
{"errcode":40029,"errmsg":"invalid code"}
- The code parameter expires after 5 minutes, and its value is different on every request.
- The access_token expires after 32 minutes.
- The access_token is valid and not expired;
- The WeChat user has authorized the third-party application account for the corresponding interface scope (scope) [filled in where the QR code link is generated]
Authorization scope | Interface | Description
--- | --- | ---
snsapi_base | /sns/oauth2/access_token | Exchange the code for access_token, refresh_token and the authorized scope
snsapi_base | /sns/oauth2/refresh_token | Refresh or renew the access_token
snsapi_base | /sns/auth | Check the validity of the access_token
snsapi_userinfo | /sns/userinfo | Get the user's personal information
https://api.weixin.qq.com/sns/userinfo?access_token=ACCESS_TOKEN&openid=OPENID
Parameter description
Parameter | Required | Description
--- | --- | ---
access_token | Yes | Call credential (obtained in the previous request)
openid | Yes | Identifier of the ordinary user, unique for the current developer account (obtained in the previous request)
lang | No | Country/region language version: zh_CN Simplified Chinese, zh_TW Traditional Chinese, en English; the default is zh-CN
Return description
Correct JSON return result:
{ "openid":"OPENID", "nickname":"NICKNAME", "sex":1, "province":"PROVINCE", "city":"CITY", "country":"COUNTRY", "headimgurl": "http://wx.qlogo.cn/mmopen/g3MonUZtNHkdmzicIlibx6iaFqAc56vxLSUfpb6n5WKSYVY0ChQKkiaJSgQ1dZuTOgvLLrhJbERQQ4eMsv84eavHiaiceqxibJxCfHe/0", "privilege":[ "PRIVILEGE1", "PRIVILEGE2" ], "unionid": " o6_bmasdasdsad6_2sgVt7hMZOPfL" }
openid | Identifier of the ordinary user, unique for the current developer account
nickname | Nickname of the ordinary user
sex | Gender of the ordinary user: 1 for male, 2 for female
province | Province entered in the ordinary user's profile
city | City entered in the ordinary user's profile
country | Country, e.g. CN for China
headimgurl | User avatar; the last number is the size of the square avatar (0, 46, 64, 96 and 132 are available; 0 means a 640*640 square avatar). Empty when the user has no avatar
privilege | User privilege information, a JSON array; e.g. WeChat Wo Card users have (chinaunicom)
unionid | Unified user identifier. For the applications under one WeChat open platform account, the same user's unionid is unique.
Error JSON return example:
{ "errcode":40003,"errmsg":"invalid openid" }
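The following is an added example (not code from the original post or from WeChat) of steps 2 and 3 of the overall flow as described in section 6: exchanging the code for an access_token and openid on the server, then calling /sns/userinfo. The AppSecret never leaves the server, every response body is checked for an errcode before any field is trusted (the API reports errors like 40029 and 40003 inside a JSON body rather than by HTTP status), and expires_in is turned into an absolute deadline. The constructed sample_fetch transport answers like the endpoints would for one good code and openid, shaped after the page's sample responses, so the block runs offline; APPID_PLACEHOLDER and SECRET_PLACEHOLDER are assumed values.

```python
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import urlopen

TOKEN_ENDPOINT = "https://api.weixin.qq.com/sns/oauth2/access_token"
USERINFO_ENDPOINT = "https://api.weixin.qq.com/sns/userinfo"


class WeChatApiError(Exception):
    """Raised for an {"errcode":..., "errmsg":...} body (e.g. 40029 invalid code)."""
    def __init__(self, errcode, errmsg):
        super().__init__("errcode %s: %s" % (errcode, errmsg))
        self.errcode, self.errmsg = errcode, errmsg


def http_get_json(url):
    """Default transport: a real HTTPS GET. Swapped for sample_fetch below offline."""
    with urlopen(url, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def check_response(body):
    """Failure is signalled inside the JSON body, so check errcode before using any field."""
    if body.get("errcode", 0) != 0:
        raise WeChatApiError(body["errcode"], body.get("errmsg", ""))
    return body


def exchange_code(appid, secret, code, fetch=http_get_json, now=time.time):
    """Trade the single-use code for access_token + openid. Server side only:
    the AppSecret must never be sent to the browser."""
    url = TOKEN_ENDPOINT + "?" + urlencode(
        {"appid": appid, "secret": secret, "code": code, "grant_type": "authorization_code"})
    token = check_response(fetch(url))
    missing = [k for k in ("access_token", "openid", "expires_in") if k not in token]
    if missing:
        raise WeChatApiError(-1, "response lacks " + ", ".join(missing))
    # Keep an absolute deadline and treat the token as stale a minute early.
    token["expires_at"] = now() + int(token["expires_in"]) - 60
    return token


def token_is_fresh(token, now=time.time):
    return now() < token["expires_at"]


def fetch_userinfo(token, fetch=http_get_json, lang="zh_CN"):
    """Call /sns/userinfo with the access_token and openid from the previous step."""
    url = USERINFO_ENDPOINT + "?" + urlencode(
        {"access_token": token["access_token"], "openid": token["openid"], "lang": lang})
    return check_response(fetch(url))


# Constructed sample responses (placeholder values, shaped like the page's examples).
SAMPLE_TOKEN = {"access_token": "ACCESS_TOKEN", "expires_in": 7200,
                "refresh_token": "REFRESH_TOKEN", "openid": "OPENID",
                "scope": "snsapi_login", "unionid": "UNIONID_SAMPLE"}
SAMPLE_USER = {"openid": "OPENID", "nickname": "NICKNAME", "sex": 1,
               "province": "PROVINCE", "city": "CITY", "country": "CN",
               "headimgurl": "", "privilege": [], "unionid": "UNIONID_SAMPLE"}


def sample_fetch(url):
    """Offline transport: accepts exactly one constructed good code and openid."""
    parsed = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if parsed.path.endswith("/oauth2/access_token"):
        if q.get("code") == "GOOD_CODE" and q.get("grant_type") == "authorization_code":
            return dict(SAMPLE_TOKEN)
        return {"errcode": 40029, "errmsg": "invalid code"}
    if parsed.path.endswith("/sns/userinfo"):
        if q.get("access_token") == "ACCESS_TOKEN" and q.get("openid") == "OPENID":
            return dict(SAMPLE_USER)
        return {"errcode": 40003, "errmsg": "invalid openid"}
    raise ValueError("unexpected endpoint " + parsed.path)


def login_with_code(code, appid="APPID_PLACEHOLDER", secret="SECRET_PLACEHOLDER",
                    fetch=sample_fetch):
    """The whole server-side sequence: code -> access_token/openid -> user profile."""
    token = exchange_code(appid, secret, code, fetch=fetch)
    return token, fetch_userinfo(token, fetch=fetch)


if __name__ == "__main__":
    token, user = login_with_code("GOOD_CODE")
    print(user["nickname"], token["openid"], token_is_fresh(token))
    try:
        login_with_code("stale-or-reused-code")
    except WeChatApiError as e:
        print("rejected:", e)
```

Passing the transport as a parameter keeps the flow testable without network access; in production, pass http_get_json (or a client with proper TLS verification and timeouts) and persist the returned token together with expires_at so that a stale access_token is refreshed before the next userinfo call.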
7、Summary
I recently started developing both WeChat web QR-code login and Official Account authorized login and learned a lot; the two are developed in very similar ways. Below are the similarities and differences I found while exploring on my own:
- Both let a third-party page obtain some basic information about the WeChat user (nickname, gender, location, the user's unique WeChat identifier, etc.) by having the user authorize through a scan in the WeChat client. Both provide a link through which the user authorizes. However, the web version requires the user to authorize after the QR code is opened on the page, whereas the Official Account version requires the user to first follow our Official Account, then open the link inside the account and confirm the authorization.
- For web QR-code login the authorization link (the QR code link) is opened in a web page, whereas the link for Official Account authorized login must be opened inside the WeChat client.
- Whether it is web QR-code login or authorized login in an Official Account, a code parameter is obtained through authorization; after that, the request URLs for getting access_token and openid with the code, and for getting the user's basic information with access_token and openid, are the same.
- While developing Official Account authorized login I found that test accounts are provided, which is enough for our testing and development, but for web QR-code login I have not yet found where a test account can be obtained; I got mine by applying. (If anyone knows where a test account can be obtained, please advise.)