OAuth 2.0 and WeChat authorization implementation example

About OAuth 2.0

The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner, by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.

To make this easier to understand, think of OAuth 2.0 as an intermediate layer sitting between the user's resources and third-party applications: it separates the two so that third-party applications cannot access the resources directly, which protects the resources.

To access a protected resource, the third-party application (client) must present credentials at the time of access. In other words, it has to tell OAuth 2.0 who it is and what it wants to do.

OAuth defines four roles:

  • resource owner
  • resource server
  • client: an application that accesses protected resources on behalf of the resource owner and with the owner's authorization
  • authorization server: issues access tokens to the client after successfully authenticating the resource owner and obtaining authorization


The abstract OAuth 2.0 flow is shown in the figure:

  1. (A) The client requests authorization from the resource owner.
  2. (B) The client receives an authorization grant from the resource owner; the grant is a credential representing the resource owner's authorization.
  3. (C) The client requests an access token from the authorization server, presenting the authorization grant.
  4. (D) The authorization server authenticates the client and validates the grant; if both are valid, it issues an access token.
  5. (E) The client requests the protected resource from the resource server, presenting the access token.
  6. (F) The resource server validates the access token and, if it is valid, serves the request.


Think of the WeChat Official Account platform: during development on the platform, when we open a page, it may pop up a dialog saying that the application requests access to our personal information and asking whether to allow it. Tapping confirm actually authorizes the third-party application to obtain our personal information from the WeChat Official Account platform. This is WeChat web authorization, which uses OAuth 2.0.


WeChat authorization page example

[WeChat Official Account platform | developer documentation] http://mp.weixin.qq.com/wiki/home/

Implementation steps:

Step 1: The user agrees to authorize, and the application obtains the code

Step 2: The page exchanges the code for the web-authorization access_token

Step 3: Pull the user's information (requires scope snsapi_userinfo)


Step 1: The user agrees to authorize, and the application obtains the code

Assemble the following address, replacing the parameters with the values from your WeChat Open Platform account:

https://open.weixin.qq.com/connect/oauth2/authorize?appid=APPID&redirect_uri=REDIRECT_URI&response_type=code&scope=SCOPE&state=STATE#wechat_redirect

If the user agrees to authorize, the page is redirected to redirect_uri/?code=CODE&state=STATE.

Sample code for obtaining the code:

/**
 * @explain
 * Obtain the code, which is used to get the openid and the access_token
 * @remark
 * The code can only be used once; once it has been used, obtaining it again requires re-entering the
 * authorization page. For users who follow the official account the page does not pop up when jumping
 * from a custom menu etc.; if the user does not follow the account, only the openid can be obtained.
 **/
public function getCode()
{
    if (isset($_GET["code"])) {
        return $_GET["code"];
    } else {
        // redirect_uri must be URL-encoded. state is fixed to 1 here; it should be an
        // unguessable per-session value that is checked when the user is redirected back.
        $str = "Location: https://open.weixin.qq.com/connect/oauth2/authorize?appid=" . $this->appid
            . "&redirect_uri=" . urlencode($this->index_url)
            . "&response_type=code&scope=snsapi_userinfo&state=1#wechat_redirect";
        header($str);
        exit;
    }
}


Step 2: The page exchanges the code for the web-authorization access_token

Replace the parameters in the link and request the address from the server with curl:

https://api.weixin.qq.com/sns/oauth2/access_token?appid=APPID&secret=SECRET&code=CODE&grant_type=authorization_code

The returned data is as follows:

{
    "access_token":"ACCESS_TOKEN",
    "expires_in":7200,
    "refresh_token":"REFRESH_TOKEN",
    "openid":"OPENID",
    "scope":"SCOPE" 
 }

Code example:

/**
 * @explain
 * Used to obtain the access_token; the returned $access_token_array also contains the user's openid.
 **/
public function getOpenId()
{
    // appsecret is sent as a query parameter, so this request must go server-to-server over HTTPS
    $access_token_url = "https://api.weixin.qq.com/sns/oauth2/access_token?appid=" . $this->appid
        . "&secret=" . $this->appsecret . "&code=" . $this->code . "&grant_type=authorization_code";
    $access_token_json = $this->https_request($access_token_url);
    $access_token_array = json_decode($access_token_json, TRUE);
    return $access_token_array;
}


Step 3: Pull the user's information (requires scope snsapi_userinfo)

HTTP GET (over https): https://api.weixin.qq.com/sns/userinfo?access_token=ACCESS_TOKEN&openid=OPENID&lang=zh_CN

The returned data is as follows:

{
    "openid":"OPENID",
    "nickname":"NICKNAME",
    "sex":"1",
    "province":"PROVINCE",
    "city":"CITY",
    "country":"COUNTRY",
    "headimgurl":"http://thirdwx.qlogo.cn/mmopen/g3MonUZtNHkdmzicIlibx6iaFqAc56vxLSUfpb6n5WKSYVY0ChQKkiaJSgQ1dZuTOgvLLrhJbERQQ4eMsv84eavHiaiceqxibJxCfHe/46",
    "privilege":["PRIVILEGE1", "PRIVILEGE2"],
    "unionid":"o6_bmasdasdsad6_2sgVt7hMZOPfL"
}

Sample code:

/**
 * @explain
 * After the openid has been obtained, you can check whether this user's data already exists and, if so,
 * skip the access_token step; otherwise continue and use the access_token to fetch the user info.
 **/
public function getUserInfo()
{
    $userinfo_url = "https://api.weixin.qq.com/sns/userinfo?access_token=" . $this->access_token['access_token']
        . "&openid=" . $this->access_token['openid'] . "&lang=zh_CN";
    $userinfo_json = $this->https_request($userinfo_url);
    $userinfo_array = json_decode($userinfo_json, TRUE);
    return $userinfo_array;
}
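The three steps above as one added example in Python (not the post's own PHP code): it issues a random per-session state instead of the fixed state=1, checks it on the callback before trusting the code, exchanges the code, and pulls the user info. The http_get callable and fake_http_get are assumptions standing in for the post's undefined https_request() helper, and its canned replies are constructed to match the response shapes shown above.

```python
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://open.weixin.qq.com/connect/oauth2/authorize"
TOKEN_URL = "https://api.weixin.qq.com/sns/oauth2/access_token"
USERINFO_URL = "https://api.weixin.qq.com/sns/userinfo"


def new_state():
    """Unguessable per-session state; keep it server-side and check it on return."""
    return secrets.token_urlsafe(16)


def build_authorize_url(appid, redirect_uri, state, scope="snsapi_userinfo"):
    """Step 1: the authorize URL; urlencode() also percent-encodes redirect_uri."""
    query = urlencode({"appid": appid, "redirect_uri": redirect_uri,
                       "response_type": "code", "scope": scope, "state": state})
    return f"{AUTHORIZE_URL}?{query}#wechat_redirect"


def parse_callback(callback_url, expected_state):
    """Read code from redirect_uri/?code=CODE&state=STATE; None if state mismatches."""
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        return None  # not a request we issued: do not use this code
    return qs.get("code", [None])[0]


def exchange_code(appid, secret, code, http_get):
    """Step 2: trade the one-time code for access_token and openid (server-side only)."""
    query = urlencode({"appid": appid, "secret": secret, "code": code,
                       "grant_type": "authorization_code"})
    data = json.loads(http_get(f"{TOKEN_URL}?{query}"))
    if data.get("errcode"):  # WeChat reports failures as errcode/errmsg JSON
        raise RuntimeError(f"token exchange failed: {data}")
    return data["access_token"], data["openid"]


def fetch_userinfo(access_token, openid, http_get):
    """Step 3: pull the profile (needs scope snsapi_userinfo)."""
    query = urlencode({"access_token": access_token, "openid": openid, "lang": "zh_CN"})
    return json.loads(http_get(f"{USERINFO_URL}?{query}"))


def fake_http_get(url):
    """Constructed stand-in for https_request(): canned replies, not real WeChat output."""
    if url.startswith(TOKEN_URL):
        return json.dumps({"access_token": "ACCESS_TOKEN", "expires_in": 7200,
                           "refresh_token": "REFRESH_TOKEN", "openid": "OPENID", "scope": "snsapi_userinfo"})
    return json.dumps({"openid": "OPENID", "nickname": "NICKNAME", "sex": "1"})
```

In a real handler, replace fake_http_get with an HTTPS client and store the state from new_state() in the user's session before redirecting.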


Origin www.cnblogs.com/nkefww/p/11318816.html