Obtaining sensitive user data from Qiwei (WeCom / Enterprise WeChat)

1. Configure a trusted domain name in Qiwei
2. Obtain the member's UserID
3. Obtain the user's sensitive data



1. Introduction

1. WeCom data security update

Starting at 20:00 on June 20, 2022, basic applications other than contact sync (for example Customer Contact, WeChat Customer Service, session archiving and Schedule), together with newly created self-built applications and agent-developed applications, no longer receive the following fields when calling this interface: avatar, gender, mobile, email, corporate email (biz_mail), the employee's personal QR code and address. An application must obtain those fields through OAuth2 manual authorization, with consent from both the administrator and the employee.

2. Identity verification method


There are currently two authentication methods: web page authorization login and QR-code scanning authorization login.

2.1 Web page authorization login (inside Qiwei)

WeCom provides an OAuth authorized login method: a web page opened inside the WeCom client can obtain the member's identity information, so no separate login is needed.
URL links in enterprise applications (including links in custom menus or messages) can obtain the member's UserId through the OAuth2.0 authentication interface.

Enterprise WeChat OAuth2 access process

The calling process is:

A) The user accesses the third-party service, which guides the user to the authorization page of the authentication server by constructing an OAuth2 link (its parameters include the identity ID of the third-party service and the redirect URI).
B) The user chooses whether to agree to the authorization.
C) If the user agrees, the authentication server redirects the user to the redirect URI specified in the first step and attaches an authorization code.
D) The third-party service receives the authorization code and, together with the redirect URI the code was issued for, requests a credential from the authentication server.
E) The authentication server checks the validity of the authorization code and the redirect URI and, if both pass, issues an access token (call credential).

Note that in WeCom's implementation the access_token used in the sections below is the application's own interface credential, obtained separately from the code exchange; the code itself is exchanged at the getuserinfo interface for the member's UserId (and, for snsapi_privateinfo, a user_ticket).


Silent authorization and manual authorization

  • Silent authorization: after the user clicks the link, the page is redirected directly (302) to redirect_uri?code=CODE&state=STATE.
  • Manual authorization: after the user clicks the link, an intermediate page is shown on which the user chooses whether to authorize; once the user confirms, a 302 redirects to redirect_uri?code=CODE&state=STATE.

2.2 Scan authorization login (browser)

WeCom provides an OAuth QR-code login authorization method: when the enterprise's website is opened in a browser, the member scans the QR code with WeCom to log in and authorize, which yields the member's identity information without a separate login.


2. WeCom application configuration


1. Configure the trusted domain name in WeCom

See the separate article "Qiwei configuration trusted domain name":

https://blog.csdn.net/lydms/article/details/128885914

2. Enable WeCom authorized login


3. WeCom trusted IP

Only requests from the configured IP addresses can obtain enterprise data through the API.


3. Web page authorization login (inside WeCom)

1. Construct the web page login link

https://open.weixin.qq.com/connect/oauth2/authorize?appid=CORPID&redirect_uri=REDIRECT_URI&response_type=code&scope=SCOPE&state=STATE&agentid=AGENTID#wechat_redirect

Parameter description:

| Parameter | Required | Description |
|---|---|---|
| appid | yes | Enterprise CorpID |
| redirect_uri | yes | Callback URL to redirect to after authorization; the link must be urlencoded |
| response_type | yes | Return type, fixed to code |
| scope | yes | Application authorization scope. snsapi_base: silent authorization, returns the member's basic information (UserId and DeviceId). snsapi_privateinfo: manual authorization, returns the member's detailed information, including sensitive data such as avatar and QR code |
| state | no | Echoed back in the redirect. The enterprise may set a value drawn from a-zA-Z0-9, at most 128 bytes |
| agentid | yes | Application agentid. Filling it in is recommended (for a third-party application or an agent-developed self-built application, omitting it will not trigger automatic activation of the interface licence). Required for snsapi_privateinfo, otherwise an error is returned |
| #wechat_redirect | yes | The client uses this fragment to decide whether to attach identity information |

After the employee clicks, the page is redirected to redirect_uri?code=CODE&state=STATE, and the enterprise obtains the employee's userid from the code parameter. A code is at most 512 bytes long.

  • Assume the current enterprise CorpID is wxCorpId
  • Callback link: http://api.3dept.com/cgi-bin/query?action=get

The constructed link is:

https://open.weixin.qq.com/connect/oauth2/authorize?appid=wxCorpId&redirect_uri=http%3a%2f%2fapi.3dept.com%2fcgi-bin%2fquery%3faction%3dget&response_type=code&scope=snsapi_base&state=#wechat_redirect

2. Open the link in WeCom and authorize

When the link is opened in the WeCom client, the login authorization page is shown:


After successful authorization, the client is redirected to the address below; the enterprise can then use the code parameter to obtain the employee's information:

http://lydms.com/?code=ra8mSx5bH_mga5OqylDfvuiAoXuI8ixqPipUsBbd9iQ&state=date001

3. Obtain the visiting user's identity

Request method: GET (HTTPS)
Request address: https://qyapi.weixin.qq.com/cgi-bin/auth/getuserinfo?access_token=ACCESS_TOKEN&code=CODE

Parameter description:

| Parameter | Required | Description |
|---|---|---|
| access_token | yes | Interface call credential |
| code | yes | The code obtained through member authorization, at most 512 bytes. Each authorization yields a different code. A code can be used only once and expires automatically if it is not used within 5 minutes |

Return parameters:

```json
{
  "userid": "lydms",
  "errcode": 0,
  "errmsg": "ok",
  "user_ticket": "PY_KcdqUjOPC6drzEjisMV3gRxEJayOwjbNlaZirW3r6tRQ6A2Lb3T-ibT07giuXmP7EIM6XwkbqPzzrl3dweqtx4HoLFMeql5qpDARv0bw",
  "expires_in": 1800
}
```

| Parameter | Description |
|---|---|
| errcode | Return code |
| errmsg | Textual description of the return code |
| userid | Member UserID. To obtain the member's details, call the contacts interface "read member". In an interconnected-enterprise / enterprise-interconnection / upstream-downstream scenario the returned UserId has the form CorpId/userid |
| user_ticket | Member ticket, at most 512 bytes, valid for 1800 s. Returned only when the scope is snsapi_privateinfo and the user is within the application's visible range. It is used afterwards to obtain the user's information or sensitive information, see "Obtain the visiting user's sensitive information". Not yet supported in upstream-downstream or enterprise-interconnection scenarios |

4. Obtain the visiting user's sensitive information

Request method: POST (HTTPS)
Request address: https://qyapi.weixin.qq.com/cgi-bin/auth/getuserdetail?access_token=ACCESS_TOKEN

```json
{
  "user_ticket": "USER_TICKET"
}
```

Parameter description:

| Parameter | Required | Description |
|---|---|---|
| access_token | yes | Interface call credential |
| user_ticket | yes | Member ticket returned by getuserinfo |

Return parameters:

```json
{
  "errcode": 0,
  "errmsg": "ok",
  "userid": "lydms",
  "mobile": "15811000000",
  "gender": "1",
  "email": "[email protected]",
  "avatar": "https://wework.qpic.cn/wwpic/250331_p99RzeaaZ_16760317/0",
  "qr_code": "https://open.work.weixin.qq.com/wwopen/userQRCode?vcode=vcf0b80b68e7a59",
  "biz_mail": "[email protected]",
  "address": ""
}
```

Parameter description:

| Parameter | Description |
|---|---|
| errcode | Return code |
| errmsg | Textual description of the return code |
| userid | Member UserID |
| gender | Gender: 0 undefined, 1 male, 2 female. A real value is returned only when the user agrees to snsapi_privateinfo authorization; otherwise 0 |
| avatar | Avatar URL. Returned only when the user agrees to snsapi_privateinfo authorization |
| qr_code | The employee's personal QR code (scanning it adds the employee as an external contact). Returned only when the user agrees to snsapi_privateinfo authorization |
| mobile | Mobile phone number. Returned only when the user agrees to snsapi_privateinfo authorization; not available to third-party applications |
| email | Email address. Returned only when the user agrees to snsapi_privateinfo authorization; not available to third-party applications |
| biz_mail | Corporate mailbox. Returned only when the user agrees to snsapi_privateinfo authorization; not available to third-party applications |
| address | Address. Returned only when the user agrees to snsapi_privateinfo authorization; not available to third-party applications |
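The callback handling described in steps 2 to 4 above (and reused in section 4.3 for the QR-code flow), as an added example that is not part of the original post or of WeCom's own SDK. It runs the enterprise side of the exchange against an in-memory stand-in for the WeCom endpoints so it executes offline: the stand-in enforces the page's rules (a code is single-use and expires after 5 minutes, a user_ticket is issued only for snsapi_privateinfo and lives 1800 s, and a redirect domain that does not match the application's trusted domain yields errcode 50001). The FakeWeCom class, the error codes other than 50001, the session dictionary, the sample user data and the ACCESS_TOKEN value are all constructed for the example.

```python
import hmac
import secrets
import time
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "api.3dept.com"  # trusted domain configured for the application (page's example)
CODE_TTL = 300                    # a code expires after 5 minutes if unused (section 3.3)
TICKET_TTL = 1800                 # a user_ticket is valid for 1800 s (section 3.3)


class FakeWeCom:
    """In-memory stand-in for the WeCom endpoints, constructed for this example only."""

    def __init__(self, users):
        self.users = users    # userid -> sensitive fields (constructed sample data)
        self.codes = {}       # code -> (userid, scope, redirect host, issued_at)
        self.tickets = {}     # user_ticket -> (userid, issued_at)

    def authorize(self, userid, scope, redirect_uri, now):
        """The employee opens the link: WeCom 302s to redirect_uri?code=...; return that code."""
        code = secrets.token_urlsafe(32)
        self.codes[code] = (userid, scope, urlsplit(redirect_uri).hostname, now)
        return code

    def getuserinfo(self, access_token, code, now):
        """GET /cgi-bin/auth/getuserinfo: one-time code -> userid (+ user_ticket for snsapi_privateinfo)."""
        entry = self.codes.pop(code, None)            # pop: a code can be used only once
        if entry is None:
            return {"errcode": 40029, "errmsg": "invalid code"}        # hypothetical errcode
        userid, scope, host, issued = entry
        if now - issued > CODE_TTL:
            return {"errcode": 42003, "errmsg": "code expired"}        # hypothetical errcode
        if host != TRUSTED_DOMAIN:                    # page: domain must match the trusted domain
            return {"errcode": 50001, "errmsg": "redirect_uri domain not trusted"}
        resp = {"errcode": 0, "errmsg": "ok", "userid": userid}
        if scope == "snsapi_privateinfo":
            ticket = secrets.token_urlsafe(48)
            self.tickets[ticket] = (userid, now)
            resp.update(user_ticket=ticket, expires_in=TICKET_TTL)
        return resp

    def getuserdetail(self, access_token, user_ticket, now):
        """POST /cgi-bin/auth/getuserdetail: user_ticket -> the sensitive fields."""
        entry = self.tickets.get(user_ticket)
        if entry is None or now - entry[1] > TICKET_TTL:
            return {"errcode": 41103, "errmsg": "invalid user_ticket"}  # hypothetical errcode
        return {"errcode": 0, "errmsg": "ok", **self.users[entry[0]]}


def handle_callback(query, session, wecom, access_token, now=None):
    """Enterprise-side handler for redirect_uri?code=CODE&state=STATE.

    `session` is the server-side session that stored the state when the login link
    was built; `query` is the parsed callback query string. Returns the identity
    dict, or raises when the state, the code or the exchange is rejected.
    """
    now = time.time() if now is None else now
    expected = session.pop("oauth_state", None)       # one-shot: a state is accepted once
    got = query.get("state", "")
    # Constant-time comparison; a missing or mismatched state means the callback was not
    # triggered by a link this session issued (CSRF / login forgery, or a replayed callback).
    if not expected or not hmac.compare_digest(expected.encode(), got.encode()):
        raise PermissionError("state mismatch")
    code = query.get("code", "")
    if not code or len(code) > 512:                   # page: a code is at most 512 bytes
        raise ValueError("missing or oversized code")
    info = wecom.getuserinfo(access_token, code, now)
    if info["errcode"] != 0:
        raise RuntimeError(f"getuserinfo failed: {info['errcode']} {info['errmsg']}")
    identity = {"userid": info["userid"]}
    # user_ticket is returned only for snsapi_privateinfo; with snsapi_base we stop at userid
    if "user_ticket" in info:
        detail = wecom.getuserdetail(access_token, info["user_ticket"], now)
        if detail["errcode"] != 0:
            raise RuntimeError(f"getuserdetail failed: {detail['errcode']} {detail['errmsg']}")
        identity.update({k: v for k, v in detail.items() if k not in ("errcode", "errmsg")})
    return identity


def demo(scope="snsapi_privateinfo", redirect_uri="http://api.3dept.com/cgi-bin/query?action=get"):
    """One complete login; returns (identity, response to replaying the already-used code)."""
    users = {"lydms": {"userid": "lydms", "mobile": "15811000000", "gender": "1",
                       "email": "lydms@example.com"}}      # constructed sample data
    wecom = FakeWeCom(users)
    now = 1_700_000_000.0
    session = {"oauth_state": "date001"}                  # stored when the link was built
    code = wecom.authorize("lydms", scope, redirect_uri, now)
    identity = handle_callback({"code": code, "state": "date001"}, session, wecom, "ACCESS_TOKEN", now)
    replay = wecom.getuserinfo("ACCESS_TOKEN", code, now)  # second use of the same code
    return identity, replay


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to a real deployment: the state is popped from the session before it is compared, so a callback can be accepted at most once per issued link, and the sensitive fields are only requested when getuserinfo actually returned a user_ticket, which is exactly the case where the employee went through manual (snsapi_privateinfo) authorization.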

4. Scan authorization login (browser)

1. Construct the standalone-window QR-code login link

https://open.work.weixin.qq.com/wwopen/sso/qrConnect?appid=CORPID&agentid=AGENTID&redirect_uri=REDIRECT_URI&state=STATE

Parameter description:

| Parameter | Required | Description |
|---|---|---|
| appid | yes | The enterprise's CorpID, shown in the WeCom admin console |
| agentid | yes | The web application ID of the authorizing application, shown in that application's settings |
| redirect_uri | yes | Redirect address; must be urlencoded |
| state | no | Keeps state between the request and the callback; it is returned to the enterprise unchanged after authorization. It can be used to prevent CSRF (cross-site request forgery); it is recommended that the enterprise set it to a random value bound to the session and verify it on return |
| lang | no | Custom language, zh or en; if empty, Accept-Language from the request headers is used |

Example:

Assume the following:
Enterprise CorpID: wxCorpId
ID of the application with authorized login enabled: 1000000
Login redirect link: http://api.3dept.com
state set to: web_login@gyoss9

The authorization callback domain that must be configured is: api.3dept.com

Following the URL specification, each of the above parameters is urlencoded, giving the assembled OAuth2 link:
https://open.work.weixin.qq.com/wwopen/sso/qrConnect?appid=wxCorpId&agentid=1000000&redirect_uri=http%3A%2F%2Fapi.3dept.com&state=web_login%40gyoss9
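Building the two login links, the in-app web authorization link of section 3.1 and the browser QR-code link above, as an added example that is not part of the original post or of WeCom's own SDK. It enforces the parameter rules the two tables state (urlencoded redirect_uri, state limited to a-zA-Z0-9 and 128 bytes on the authorize link, agentid mandatory for snsapi_privateinfo, lang restricted to zh or en) and generates an unguessable state for the CSRF check. The helper names, the state length and the parse_callback helper are this example's own.

```python
import secrets
import string
from urllib.parse import parse_qsl, urlencode, urlsplit

AUTHORIZE = "https://open.weixin.qq.com/connect/oauth2/authorize"      # in-app link (section 3.1)
QRCONNECT = "https://open.work.weixin.qq.com/wwopen/sso/qrConnect"     # browser QR link (section 4.1)
STATE_ALPHABET = string.ascii_letters + string.digits   # page: state is a-zA-Z0-9 on the authorize link


def new_state(length=32):
    """Unguessable state: store it in the server-side session and compare on callback (CSRF defence)."""
    return "".join(secrets.choice(STATE_ALPHABET) for _ in range(length))


def build_authorize_url(corpid, redirect_uri, scope="snsapi_base", state="", agentid=None):
    """In-app web authorization link; WeCom 302s back to redirect_uri?code=CODE&state=STATE."""
    if scope not in ("snsapi_base", "snsapi_privateinfo"):
        raise ValueError("scope must be snsapi_base or snsapi_privateinfo")
    if scope == "snsapi_privateinfo" and agentid is None:
        raise ValueError("agentid is required for snsapi_privateinfo")          # section 3.1 table
    if len(state.encode()) > 128 or any(c not in STATE_ALPHABET for c in state):
        raise ValueError("state must be a-zA-Z0-9 and at most 128 bytes")       # section 3.1 table
    params = [("appid", corpid), ("redirect_uri", redirect_uri),
              ("response_type", "code"), ("scope", scope), ("state", state)]
    if agentid is not None:
        params.append(("agentid", str(agentid)))
    # urlencode percent-encodes redirect_uri (':' '/' '?' '=' -> %3A %2F %3F %3D) as the page
    # requires; the #wechat_redirect fragment is appended literally after the query string.
    return f"{AUTHORIZE}?{urlencode(params)}#wechat_redirect"


def build_qrconnect_url(corpid, agentid, redirect_uri, state="", lang=None):
    """Browser QR-code login link; after the scan WeCom redirects with code, state and appid."""
    params = [("appid", corpid), ("agentid", str(agentid)),
              ("redirect_uri", redirect_uri), ("state", state)]
    if lang is not None:
        if lang not in ("zh", "en"):
            raise ValueError("lang must be zh or en")                             # section 4.1 table
        params.append(("lang", lang))
    return f"{QRCONNECT}?{urlencode(params)}"


def parse_callback(url):
    """Split the URL the client lands on (redirect_uri?code=...&state=...[&appid=...]) into a dict."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url("wxCorpId", "http://api.3dept.com/cgi-bin/query?action=get",
                              scope="snsapi_privateinfo", state=state, agentid=1000002))
    print(build_qrconnect_url("wxCorpId", 1000000, "http://api.3dept.com", "web_login@gyoss9"))
```

Note that the qrConnect table does not restrict the characters of state, which is why the page's own example value web_login@gyoss9 is accepted there but would be rejected for the authorize link; parse_callback only splits the query string, the state comparison and code exchange themselves belong in the callback handler.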

Return description:
After the user grants authorization, the browser is redirected to redirect_uri with the code and state parameters attached.

2. Scan the QR code to log in

After entering the following address in the browser:

https://open.work.weixin.qq.com/wwopen/sso/qrConnect?appid=ww3e40cde07cca01&agentid=1000002&redirect_uri=https%3A%2F%2Fwww.lydms.com&state=web_login%40gyoss9

the user scans the QR code with WeCom to log in, and the browser is redirected to:

https://www.lydms.com/?code=Ta_E0rVc30IDRbmZ14mBnIDdmAOdsF-cJk4ZbNRWrgA&state=web_login@gyoss9&appid=ww3e40cde07cc21a01

3. Obtain access user identity

This interface obtains the member's information from the code.

Request method: GET (HTTPS)
Request address: https://qyapi.weixin.qq.com/cgi-bin/auth/getuserinfo?access_token=ACCESS_TOKEN&code=CODE

Parameter description:

| Parameter | Required | Description |
|---|---|---|
| access_token | yes | Interface call credential |
| code | yes | The code obtained through member authorization, at most 512 bytes. Each authorization yields a different code. A code can be used only once and expires automatically if it is not used within 5 minutes |

Permission description:
The redirect domain must exactly match the trusted domain of the application the access_token belongs to; otherwise error 50001 is returned.

Return result:
a) When the user is a member of the enterprise, the response looks like this:

```json
{
  "errcode": 0,
  "errmsg": "ok",
  "userid": "lydms"
}
```

| Parameter | Description |
|---|---|
| errcode | Return code |
| errmsg | Textual description of the return code |
| userid | Member UserID. To obtain the member's details, call the contacts interface "read member" |

Origin blog.csdn.net/weixin_44624117/article/details/128991241