1. Introduction
1. Enterprise WeChat data security update
Starting from 20:00 on June 20, 2022, basic applications other than address book synchronization (such as customer contact, WeChat customer service, session archive, schedule, etc.), as well as newly created self-built applications and applications developed by agents, no longer receive the following fields when calling this interface: avatar, gender, mobile phone, email, corporate email, employee personal QR code, address. The application must obtain the fields authorized by the administrator and by the employee through oauth2 manual authorization.
2. Identity verification method
Currently, there are 2 authentication methods: web page authorization login and code scanning authorization login.
2.1 Web page authorization login (inside Qiwei)
Work WeChat provides an OAuth authorized login method, which allows members' identity information to be obtained from the webpage opened by the work WeChat terminal, thereby eliminating the need for login.
URL links in enterprise applications (including links in custom menus or messages) can obtain member UserId identity information through the OAuth2.0 authentication interface.
Enterprise WeChat OAuth2 access process
The calling process is:
A) The user accesses the third-party service, and the third-party service guides the user to the authorization page of the authentication server by constructing an OAuth2 link (parameters include the identity ID of the current third-party service and the redirection URI).
B) The user chooses whether to agree to the authorization.
C) If the user agrees to the authorization, the authentication server redirects the user to the redirection URI specified in the first step, attaching an authorization code at the same time.
D) The third-party service receives the authorization code, carries the redirection URI from which the authorization code originated, and applies to the authentication server for a credential.
E) The authentication server checks the validity of the authorization code and the redirection URI, and issues an AccessToken (call credential) after the check passes.
Silent authorization and manual authorization
- Silent authorization: after the user clicks the link, the page jumps directly with a 302 to redirect_uri?code=CODE&state=STATE
- Manual authorization: after the user clicks the link, an intermediate page pops up on which the user chooses whether to authorize. After the user confirms the authorization, a 302 jumps to redirect_uri?code=CODE&state=STATE
2.2 Scan authorization login (browser)
Work WeChat provides the OAuth scanning code login authorization method, which allows members to use the work WeChat scanning code to log in and authorize when the company's website is opened in the browser, thereby obtaining the member's identity information and eliminating the need to log in.
2. Enterprise WeChat application configuration
1. Configure a trusted domain name in Enterprise WeChat
Refer to another article:
Qiwei configuration trusted domain name
https://blog.csdn.net/lydms/article/details/128885914
2. Enterprise WeChat authorized login
3. Qiwei trusted IP
Only the configured IP can obtain enterprise data through the interface.
3. Web page authorization login method (Qiwei)
1. Construct web page login link
https://open.weixin.qq.com/connect/oauth2/authorize?appid=CORPID&redirect_uri=REDIRECT_URI&response_type=code&scope=snsapi_base&state=STATE&agentid=AGENTID#wechat_redirect
Parameter description:
Parameter | Required | Description |
---|---|---|
appid | yes | Corporate CorpID |
redirect_uri | yes | The URL of the callback link redirected to after authorization; apply urlencode to the link |
response_type | yes | The return type, fixed to: code |
scope | yes | Application authorization scope. snsapi_base: silent authorization, which obtains the basic information of members (UserId and DeviceId); snsapi_privateinfo: manual authorization, which obtains detailed information of members, including sensitive information such as avatars and QR codes. |
state | no | The state parameter is included after redirection. The enterprise may fill in a value consisting of a-zA-Z0-9, with a length of no more than 128 bytes |
agentid | yes | Application agentid. It is recommended to fill in this parameter (for a third-party application or a self-built application developed by an agent, omitting it does not trigger automatic activation of the interface license). It is required when scope is snsapi_privateinfo, otherwise an error is reported |
#wechat_redirect | yes | The terminal uses this parameter to determine whether to carry identity information |
After the employee clicks, the page will jump to redirect_uri?code=CODE&state=STATE, and the enterprise can obtain the userid of the employee according to the code parameter. The maximum code length is 512 bytes.
- Assuming the current corporate CorpID is: wxCorpId
- and the redirect address is: http://api.3dept.com/cgi-bin/query?action=get
- the constructed access link is:
https://open.weixin.qq.com/connect/oauth2/authorize?appid=wxCorpId&redirect_uri=http%3a%2f%2fapi.3dept.com%2fcgi-bin%2fquery%3faction%3dget&response_type=code&scope=snsapi_base&state=#wechat_redirect
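The link above is built by hand; the following added example (not code from the article or from Enterprise WeChat) shows how to construct it in Python while enforcing the rules from the parameter table: redirect_uri is urlencoded, state is restricted to a-zA-Z0-9 and 128 bytes, and agentid is mandatory for snsapi_privateinfo. It also decodes a link back into its parameters so the round trip can be checked. The function names and the CorpID/redirect values are taken from the example above or chosen here for illustration.

```python
import re
from urllib.parse import urlencode, urlparse, parse_qs

# Endpoint from section 3.1 of the article.
AUTHORIZE_ENDPOINT = "https://open.weixin.qq.com/connect/oauth2/authorize"
# state rule from the parameter table: a-zA-Z0-9, at most 128 bytes.
STATE_RE = re.compile(r"^[A-Za-z0-9]{0,128}$")
SCOPES = ("snsapi_base", "snsapi_privateinfo")


def build_authorize_url(corpid, redirect_uri, scope="snsapi_base", state="", agentid=None):
    """Return the in-app OAuth2 link, enforcing the table's parameter rules."""
    if scope not in SCOPES:
        raise ValueError("scope must be one of %s" % (SCOPES,))
    if not STATE_RE.match(state):
        raise ValueError("state must match a-zA-Z0-9 and be at most 128 bytes")
    if scope == "snsapi_privateinfo" and agentid is None:
        raise ValueError("agentid is required when scope is snsapi_privateinfo")
    params = [
        ("appid", corpid),
        ("redirect_uri", redirect_uri),  # urlencode percent-encodes ':' '/' '?' '=' here
        ("response_type", "code"),
        ("scope", scope),
        ("state", state),
    ]
    if agentid is not None:
        params.append(("agentid", str(agentid)))
    # The fragment is appended verbatim; it must not be percent-encoded.
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params) + "#wechat_redirect"


def parse_authorize_url(url):
    """Decode a link back into its parameters (used to check the round trip)."""
    parts = urlparse(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    params = {key: values[0] for key, values in query.items()}
    params["fragment"] = parts.fragment
    return params


if __name__ == "__main__":
    # Values from the article's example: CorpID wxCorpId, redirect to api.3dept.com.
    link = build_authorize_url("wxCorpId", "http://api.3dept.com/cgi-bin/query?action=get")
    print(link)
    print(parse_authorize_url(link)["redirect_uri"])
```

urlencode emits uppercase hex escapes (%3A%2F), whereas the article's example uses lowercase; both decode to the same redirect_uri, and the authorization server compares the decoded value against the trusted domain.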
2. Open the authorization in Qiwei
After the link is opened in Qiwei, the login authorization page appears; after the corresponding link is opened:
After the authorization succeeds, the redirect address is:
http://lydms.com/?code=ra8mSx5bH_mga5OqylDfvuiAoXuI8ixqPipUsBbd9iQ&state=date001
The enterprise can then call the interface with the code parameter to obtain the employee's information.
3. Obtain access user identity
**Request method:** GET (HTTPS)
**Request address:** https://qyapi.weixin.qq.com/cgi-bin/auth/getuserinfo?access_token=ACCESS_TOKEN&code=CODE
Parameter description:
Parameter | Required | Description |
---|---|---|
access_token | yes | call interface credentials |
code | yes | The code obtained through member authorization can be up to 512 bytes. The code brought with each member authorization will be different. The code can only be used once and will automatically expire if it is not used for 5 minutes. |
Return parameters:
{
"userid": "lydms",
"errcode": 0,
"errmsg": "ok",
"user_ticket": "PY_KcdqUjOPC6drzEjisMV3gRxEJayOwjbNlaZirW3r6tRQ6A2Lb3T-ibT07giuXmP7EIM6XwkbqPzzrl3dweqtx4HoLFMeql5qpDARv0bw",
"expires_in": 1800
}
Parameter | Description |
---|---|
errcode | return code |
errmsg | A textual description of the return code |
userid | Member UserID. To obtain user details, call the address book interface: read members. For an Internet enterprise / enterprise interconnection / upstream and downstream scenario, the returned UserId has the format CorpId/userid |
user_ticket | Member ticket, up to 512 bytes, valid for 1800s. Returned only when scope is snsapi_privateinfo and the user is within the visible scope of the application. It can then be used to obtain the user's sensitive information; see "Access to sensitive information of users" below. Upstream and downstream and enterprise interconnection scenarios are not supported yet |
4. Access to sensitive information of users
**Request method:** POST (HTTPS)
**Request address:** https://qyapi.weixin.qq.com/cgi-bin/auth/getuserdetail?access_token=ACCESS_TOKEN
{
"user_ticket": "USER_TICKET"
}
Parameter description:
Parameter | Required | Description |
---|---|---|
access_token | yes | call interface credentials |
user_ticket | yes | member ticket |
Return parameters:
{
"errcode": 0,
"errmsg": "ok",
"userid": "lydms",
"mobile": "15811000000",
"gender": "1",
"email": "[email protected]",
"avatar": "https://wework.qpic.cn/wwpic/250331_p99RzeaaZ_16760317/0",
"qr_code": "https://open.work.weixin.qq.com/wwopen/userQRCode?vcode=vcf0b80b68e7a59",
"biz_mail": "[email protected]",
"address": ""
}
Parameter description:
Parameter | Description |
---|---|
errcode | return code |
errmsg | A textual description of the return code |
userid | Member UserID |
gender | Gender. 0 means undefined, 1 means male, 2 means female. The actual value is returned only when the user agrees to snsapi_privateinfo authorization, otherwise 0 is returned. |
avatar | Avatar URL. Returned only when the user agrees to snsapi_privateinfo authorization |
qr_code | The employee's personal QR code (scanning it adds the employee as an external contact). Returned only when the user agrees to snsapi_privateinfo authorization |
mobile | Mobile phone. Returned only when the user agrees to snsapi_privateinfo authorization; third-party applications cannot obtain it |
email | Email address. Returned only when the user agrees to snsapi_privateinfo authorization; third-party applications cannot obtain it |
biz_mail | Enterprise mailbox. Returned only when the user agrees to snsapi_privateinfo authorization; third-party applications cannot obtain it |
address | Address. Returned only when the user agrees to snsapi_privateinfo authorization; third-party applications cannot obtain it |
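The two requests in sections 3.3 and 3.4 form one sequence: exchange the code for a userid (and, under snsapi_privateinfo, a user_ticket), then trade the ticket for the sensitive fields. The following added example (not code from the article or from Enterprise WeChat) implements that sequence with a pluggable transport, so the errcode check runs on every reply and the same code can be exercised offline. The fake transport at the end is constructed here and replays the article's sample JSON; the code values "privateinfo-code" and "base-code" and the errmsg text are invented for the demonstration, while errcode 50001 is the trusted-domain mismatch error the article names.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

API_BASE = "https://qyapi.weixin.qq.com/cgi-bin"


class WeComApiError(Exception):
    """Raised when the API answers with a non-zero errcode."""

    def __init__(self, errcode, errmsg):
        super().__init__("errcode=%s: %s" % (errcode, errmsg))
        self.errcode = errcode
        self.errmsg = errmsg


def _checked(reply):
    # Every reply carries errcode/errmsg; 0 means success, anything else is fatal.
    if reply.get("errcode", -1) != 0:
        raise WeComApiError(reply.get("errcode"), reply.get("errmsg", ""))
    return reply


def http_transport(method, url, body=None):
    """Real transport: GET, or POST a JSON body, and decode the JSON reply."""
    data = None if body is None else json.dumps(body).encode("utf-8")
    req = Request(url, data=data, method=method, headers={"Content-Type": "application/json"})
    with urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def get_user_info(access_token, code, transport=http_transport):
    """GET /auth/getuserinfo: one-time code -> userid (+ user_ticket for snsapi_privateinfo)."""
    url = API_BASE + "/auth/getuserinfo?" + urlencode({"access_token": access_token, "code": code})
    return _checked(transport("GET", url))


def get_user_detail(access_token, user_ticket, transport=http_transport):
    """POST /auth/getuserdetail: user_ticket -> sensitive fields."""
    url = API_BASE + "/auth/getuserdetail?" + urlencode({"access_token": access_token})
    return _checked(transport("POST", url, {"user_ticket": user_ticket}))


def identify_user(access_token, code, transport=http_transport):
    """Run both steps; 'detail' stays None when no user_ticket was issued (snsapi_base)."""
    info = get_user_info(access_token, code, transport)
    result = {"userid": info["userid"], "detail": None}
    ticket = info.get("user_ticket")
    if ticket:
        result["detail"] = get_user_detail(access_token, ticket, transport)
    return result


# Constructed offline transport replaying the article's sample replies.
_SAMPLE_INFO = {"userid": "lydms", "errcode": 0, "errmsg": "ok",
                "user_ticket": "PY_KcdqUjOPC6drzEjisMV3gRxEJayOwjbNlaZirW3r6tRQ6A2Lb3T-ibT07giuXmP7EIM6XwkbqPzzrl3dweqtx4HoLFMeql5qpDARv0bw",
                "expires_in": 1800}
_SAMPLE_DETAIL = {"errcode": 0, "errmsg": "ok", "userid": "lydms", "mobile": "15811000000",
                  "gender": "1", "avatar": "https://wework.qpic.cn/wwpic/250331_p99RzeaaZ_16760317/0",
                  "qr_code": "https://open.work.weixin.qq.com/wwopen/userQRCode?vcode=vcf0b80b68e7a59",
                  "address": ""}


def fake_transport(method, url, body=None):
    """Constructed stand-in for http_transport; only knows the inputs used below."""
    if method == "GET" and url.startswith(API_BASE + "/auth/getuserinfo?"):
        if url.endswith("&code=privateinfo-code"):
            return dict(_SAMPLE_INFO)
        if url.endswith("&code=base-code"):
            return {"userid": "lydms", "errcode": 0, "errmsg": "ok"}  # no ticket under snsapi_base
        # Constructed reply for the untrusted-redirect-domain case (errcode 50001 per the article).
        return {"errcode": 50001, "errmsg": "redirect domain not trusted (constructed)"}
    if method == "POST" and url.startswith(API_BASE + "/auth/getuserdetail?"):
        if body == {"user_ticket": _SAMPLE_INFO["user_ticket"]}:
            return dict(_SAMPLE_DETAIL)
    raise AssertionError("fake_transport: unexpected call %s %s" % (method, url))


if __name__ == "__main__":
    print(identify_user("ACCESS_TOKEN", "privateinfo-code", transport=fake_transport))
```

Because the code is single-use and expires after 5 minutes, a failed exchange should send the user back through the authorization link rather than retry the same code; the WeComApiError carries the errcode so the caller can log it.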
4. Scan authorization login (browser)
1. Construct an independent window to log in to the QR code
https://open.work.weixin.qq.com/wwopen/sso/qrConnect?appid=CORPID&agentid=AGENTID&redirect_uri=REDIRECT_URI&state=STATE
Parameter description:
Parameter | Required | Description |
---|---|---|
appid | yes | The CorpID of the Enterprise WeChat, visible on the Enterprise WeChat management side |
agentid | yes | The web application ID of the authorizer, visible in the specific web application |
redirect_uri | yes | Redirect address; UrlEncode is required |
state | no | Used to keep state between the request and the callback; it is passed back to the enterprise unchanged after the request is authorized. This parameter can be used to prevent CSRF (cross-site request forgery) attacks. Enterprises are advised to include it, set to a simple random number plus the session for verification |
lang | no | Custom language, supporting zh and en; if lang is empty, Accept-Language is read from the headers |
Case:
Assume the current
enterprise CorpID: wxCorpId
application ID with authorized login enabled: 1000000
login redirect link: http://api.3dept.com
state set to: web_login@gyoss9
authorization callback domain to configure: api.3dept.com
Following the URL specification, UrlEncode each of the above parameters; the concatenated OAuth2 link is:
https://open.work.weixin.qq.com/wwopen/sso/qrConnect?appid=wxCorpId&agentid=1000000&redirect_uri=http%3A%2F%2Fapi.3dept.com&state=web_login%40gyoss9
Return description:
After the user permits the authorization, the browser is redirected to redirect_uri with the code and state parameters attached.
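The state parameter is what ties the callback back to the browser session that started the login; without it, a code obtained elsewhere could be handed to the enterprise's callback URL and logged in as someone else (the CSRF case the parameter table mentions). The following added example (not code from the article or from Enterprise WeChat) builds the qrConnect link with the article's example values and implements the "random number plus session" advice as a random nonce plus an HMAC tag over the session id, stored once per session and consumed on the first callback so a replayed callback is rejected. The session dict, the secret key and the function names are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

QR_CONNECT_ENDPOINT = "https://open.work.weixin.qq.com/wwopen/sso/qrConnect"


def build_qr_connect_url(corpid, agentid, redirect_uri, state):
    """The qrConnect link from section 4.1; urlencode supplies the required UrlEncode."""
    params = [("appid", corpid), ("agentid", str(agentid)),
              ("redirect_uri", redirect_uri), ("state", state)]
    return QR_CONNECT_ENDPOINT + "?" + urlencode(params)


def _tag(secret, session_id, nonce):
    # Binds the nonce to this session so a state minted for one session fails for another.
    return hmac.new(secret, (session_id + nonce).encode(), hashlib.sha256).hexdigest()[:16]


def issue_state(session, secret):
    """Mint a state for this session (random nonce + HMAC tag) and remember it for one use."""
    nonce = secrets.token_hex(16)
    state = nonce + _tag(secret, session["id"], nonce)  # 48 chars, all a-zA-Z0-9
    session["oauth_state"] = state
    return state


def consume_callback(callback_url, session, secret):
    """Return the code from the callback URL, or None if state is missing, stale or forged."""
    query = parse_qs(urlparse(callback_url).query)
    code = query.get("code", [None])[0]
    state = query.get("state", [None])[0]
    expected = session.pop("oauth_state", None)  # one-time use: a replay finds nothing
    if not code or not state or expected is None:
        return None
    # Constant-time comparison against the stored value, then against a recomputed tag.
    if not hmac.compare_digest(state.encode(), expected.encode()):
        return None
    nonce, tag = state[:32], state[32:]
    if not hmac.compare_digest(tag.encode(), _tag(secret, session["id"], nonce).encode()):
        return None
    return code


if __name__ == "__main__":
    session = {"id": "sess-demo"}          # constructed session
    key = b"server-side-secret"            # constructed key
    state = issue_state(session, key)
    print(build_qr_connect_url("wxCorpId", 1000000, "http://api.3dept.com", state))
    callback = "https://www.lydms.com/?code=CODE&state=%s&appid=wxCorpId" % state
    print(consume_callback(callback, session, key))
```

The check is done before the code is sent to getuserinfo, so a forged or replayed callback never consumes a real code exchange.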
2. Scan code to log in
After entering the address in the browser:
https://open.work.weixin.qq.com/wwopen/sso/qrConnect?appid=ww3e40cde07cca01&agentid=1000002&redirect_uri=https%3A%2F%2Fwww.lydms.com&state=web_login%40gyoss9
User scan code login
Get redirected address
https://www.lydms.com/?code=Ta_E0rVc30IDRbmZ14mBnIDdmAOdsF-cJk4ZbNRWrgA&state=web_login@gyoss9&appid=ww3e40cde07cc21a01
3. Obtain access user identity
This interface is used to obtain member information according to code
**Request method:** GET (HTTPS)
**Request address:** https://qyapi.weixin.qq.com/cgi-bin/auth/getuserinfo?access_token=ACCESS_TOKEN&code=CODE
Parameter description:
Parameter | Required | Description |
---|---|---|
access_token | yes | call interface credentials |
code | yes | The code obtained through member authorization can be up to 512 bytes. The code brought with each member authorization will be different. The code can only be used once and will automatically expire if it is not used for 5 minutes. |
Permission description:
The redirect domain must exactly match the trusted domain name of the application to which the access_token belongs; otherwise error 50001 is returned.
Return result:
a) When the user is an enterprise member, the return example is as follows:
{
"errcode": 0,
"errmsg": "ok",
"userid":"lydms"
}
Parameter | Description |
---|---|
errcode | return code |
errmsg | A textual description of the return code |
userid | Member UserID. If you need to obtain user details, you can call the address book interface: read members |