The WeChat Official Account platform recently introduced WeChat verification; verified accounts gain access to advanced interface permissions, one of which is OAuth2.0 web authorization. Many people either fail when using it or cannot make sense of its documentation and have asked for a detailed tutorial, hence this article.
I. What is OAuth2.0
Official website: http://oauth.net/ and http://oauth.net/2/
Authoritative definition: "OAuth is an open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications."
OAuth is an open protocol that lets a user grant a third-party application secure, standardized access to private resources (such as personal information, photos, videos or contact lists) stored on a website or in a mobile or desktop application, without handing the user name and password to that third-party application.
OAuth 2.0 is the next version of the OAuth protocol and is not backwards compatible with OAuth 1.0. OAuth 2.0 focuses on simplicity for client developers while providing dedicated authorization flows for web applications, desktop applications, mobile phones and living-room devices.
OAuth allows users to hand out a token, rather than a username and password, for access to the data they store with a particular service provider. Each token authorizes a particular website (for example, a video editing site) to access a specific resource (for example, a video from a single album) for a specific period of time (for example, the next 2 hours). In this way, OAuth lets users authorize third-party websites to access information they store with other service providers without sharing their credentials or the whole of their data.
The Sina Weibo API also currently uses OAuth 2.0.
Original: http://www.cnblogs.com/txw1958/p/weixin71-oauth20.html
II. WeChat Official Account platform OAuth2.0 authorization
The detailed steps of WeChat Official Account platform OAuth2.0 authorization are as follows:
1. The user follows the WeChat official account.
2. The official account provides the user with the authorization request page URL.
3. The user clicks the authorization page URL, which sends the request to the WeChat server.
4. The server asks the user whether to authorize the official account (this step is skipped when scope is snsapi_base).
5. The user consents (this step is skipped when scope is snsapi_base).
6. The server passes a code to the official account through the callback URL.
7. The official account receives the code.
8. The official account uses the code to request an access_token from the server.
9. The server returns the access_token and OpenID to the official account.
10. The official account uses the access_token to request the user's information from the server (this step is skipped when scope is snsapi_base).
11. The server returns the user's information to the official account (this step is skipped when scope is snsapi_base).
The AppID and AppSecret used below are found under Developer Center > Developer ID.
1. Configure the authorization callback domain name
Log in to the WeChat Official Account platform backend, go to Developer Center > Permission list, find "Web page authorization to obtain basic user information" and click Modify on the right.
The authorization callback domain must be a full domain name without the http:// prefix. For example, if web authorization is needed for the domain www.qq.com, then after configuring it the pages http://www.qq.com/music.html and http://www.qq.com/login.html can perform OAuth2.0 authentication, but http://pay.qq.com, http://music.qq.com and http://qq.com cannot.
Here we fill in the second-level domain of one of Square Times Studio's Baidu application engine apps: mascot.duapp.com
If your URL is not blacklisted, it appears at the top of the list, and the domain name configuration is complete.
2. User authorization and obtaining the code
Under the root directory of the domain, create a new file named oauth2.php with the following contents:
<?php
// Echo the authorization code that WeChat appends to the callback URL (the superglobal is $_GET, upper case)
if (isset($_GET['code'])) {
    echo $_GET['code'];
} else {
    echo "NO CODE";
}
?>
First, look at how the authorization request URL is structured:
https://open.weixin.qq.com/connect/oauth2/authorize?appid=APPID&redirect_uri=REDIRECT_URI&response_type=code&scope=SCOPE&state=STATE
Parameter description

Parameter | Required | Description
--- | --- | ---
appid | Yes | Unique identifier of the official account
redirect_uri | Yes | Callback URL to redirect to after authorization
response_type | Yes | Return type; fill in code
scope | Yes | Application authorization scope. snsapi_base: no authorization page is shown, the user is redirected directly, and only the user's OpenID can be obtained. snsapi_userinfo: an authorization page is shown, and the nickname, gender and location can be obtained via the OpenID. Even if the user does not follow the account, the information can be obtained as long as the user authorizes.
state | No | Carried back after the redirect; the developer may fill in any value
#wechat_redirect | No | Can be omitted when the link is opened directly in WeChat; must be included when the page performs a 302 redirect
Authorization scope: since snsapi_base can only obtain the OpenID, which is of little use, we use snsapi_userinfo.
Callback address: fill in the address of the oauth2.php file just uploaded.
State parameter: a random value; we fill in 1 here.
The constructed request URL is as follows:
https://open.weixin.qq.com/connect/oauth2/authorize?appid=wx8888888888888888&redirect_uri=http://mascot.duapp.com/oauth2.php&response_type=code&scope=snsapi_userinfo&state=1
Send this link to WeChat so that it opens in the WeChat browser. Here the link is wrapped in the following message:
Welcome to "Near Treasure"; it makes it easier for you to find the catering, clothing, department store and beauty salon shops you have in mind in your vicinity.
<a href="https://open.weixin.qq.com/connect/oauth2/authorize?appid=wx8888888888888888&redirect_uri=http://mascot.duapp.com/oauth2.php&response_type=code&scope=snsapi_userinfo&state=1">Click here to bind</a>
Technical support: Square Times Studio
In WeChat it is shown as follows:
Clicking Bind pops up the application authorization interface.
Select Allow and click it.
It jumps to the oauth2.php page, which executes
echo $_GET['code'];
The interface shows the code. The link can be copied from the top-right button and looks like this:
http://mascot.duapp.com/oauth2.php?code=00b788e3b42043c8459a57a8d8ab5d9f&state=1
We have successfully obtained the code.
Note: if this interface appears when binding, a parameter is incorrect and you need to go back and check the parameters.
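As an added example (not code from the original post), here is how the authorization link above can be built so that redirect_uri is URL-encoded and state is an unguessable, session-bound value the callback can verify, rather than the constant 1 used above. It uses the article's placeholder AppID and callback address and assumes PHP 7.1 or later with sessions available.

```php
<?php
// Added example (not from the original post): build the authorization link with a URL-encoded
// redirect_uri and a random, session-bound state that the callback can verify. Assumes PHP >= 7.1
// (random_bytes, nullable types) and a session; the AppID and callback address are the article's placeholders.
session_start();

function build_authorize_url(string $appid, string $redirectUri, string $scope): string
{
    // A constant state such as "1" lets a forged callback URL be accepted (login CSRF).
    // 16 CSPRNG bytes stored server-side make the callback checkable and single-use.
    $state = bin2hex(random_bytes(16));
    $_SESSION['oauth_state']        = $state;
    $_SESSION['oauth_state_issued'] = time();
    $params = [
        'appid'         => $appid,
        'redirect_uri'  => $redirectUri,   // http_build_query percent-encodes "://", "/" and "?"
        'response_type' => 'code',
        'scope'         => $scope,         // snsapi_base or snsapi_userinfo
        'state'         => $state,
    ];
    // #wechat_redirect is a fragment: it goes after the query string and must not be encoded into it.
    return 'https://open.weixin.qq.com/connect/oauth2/authorize?'
         . http_build_query($params) . '#wechat_redirect';
}

// Called by oauth2.php when WeChat redirects back: accept the code only if state matches and is fresh.
function state_is_valid(?string $received, int $maxAgeSeconds = 600): bool
{
    $expected = $_SESSION['oauth_state'] ?? '';
    $issued   = (int) ($_SESSION['oauth_state_issued'] ?? 0);
    unset($_SESSION['oauth_state'], $_SESSION['oauth_state_issued']);   // single use
    if ($received === null || $expected === '') {
        return false;
    }
    // hash_equals runs in constant time, so timing does not reveal how many leading bytes matched
    return hash_equals($expected, $received) && (time() - $issued) <= $maxAgeSeconds;
}

echo build_authorize_url('wx8888888888888888', 'http://mascot.duapp.com/oauth2.php', 'snsapi_userinfo'), "\n";
```

In oauth2.php, call state_is_valid($_GET['state'] ?? null) before touching $_GET['code'], and answer with an error page when it returns false.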
3. Exchange the code for an access_token
The URL for exchanging the code for the web authorization access_token is structured as follows:
https://api.weixin.qq.com/sns/oauth2/access_token?appid=APPID&secret=SECRET&code=CODE&grant_type=authorization_code
Parameter description

Parameter | Required | Description
--- | --- | ---
appid | Yes | Unique identifier of the official account
secret | Yes | AppSecret of the official account
code | Yes | Fill in the code parameter obtained in the first step
grant_type | Yes | Fill in authorization_code
code: fill in the value obtained in the previous step.
The constructed request URL is as follows:
https://api.weixin.qq.com/sns/oauth2/access_token?appid=wx8888888888888888&secret=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&code=00b788e3b42043c8459a57a8d8ab5d9f&grant_type=authorization_code
You can execute this request directly in the browser, or fetch it from PHP:
<?php
// The key point here is to fetch the JSON data for the code via the URL above
$url = 'https://api.weixin.qq.com/sns/oauth2/access_token?appid=wx8888888888888888&secret=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&code=00b788e3b42043c8459a57a8d8ab5d9f&grant_type=authorization_code';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);   // return the result as a string instead of printing it
curl_setopt($ch, CURLOPT_HEADER, 0);           // leave the HTTP header out of the output
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (compatible; MSIE 5.01; Windows NT 5.0)');
curl_setopt($ch, CURLOPT_TIMEOUT, 30);         // timeout in seconds (the value was missing in the original; 30 chosen here)
// The next two lines are the key point (getting HTTPS to work cost me more than a day). The original set both to
// FALSE so that the request would go through without a CA bundle, but that lets a man-in-the-middle read the
// AppSecret and tokens in this URL. Keep verification on; if the server has no CA bundle, set CURLOPT_CAINFO instead.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
$output = curl_exec($ch);
curl_close($ch);
$jsondecode = json_decode($output);            // decode the JSON string into an object
$array = get_object_vars($jsondecode);         // convert the object into an array
print_r($array);                               // echo cannot print an array; print_r shows each field
?>
The following JSON data is returned:
{
    "access_token": "Oezxceiibsksxw0eoylieasr0gmyd1awcffdhgb4fhs_KKF2COTGJ2CBNUKQQVJ-G0ZWEE5-UBJBZ941EOPQDQY5SS_GCS2Z40DNVU99Y5AI1BW2UQN--2JXOBLIM5D6L9RIMVM8VG8CBAILPWA8VW",
    "expires_in": 7200,
    "refresh_token": "Oezxceiibsksxw0eoylieasr0gmyd1awcffdhgb4fhs_Kkf2cotgj2cbnukqqvj-g0zwee5-ubjbz941eopqdqy5ss_gcs2z40dnvu99y5czpawzksiuz_6x_tfkloxlu7kdkm2232wdxb3msuzq1a",
    "openid": "OLVPPJQS9BHVZWPJ5A-VTYAX3GLC",
    "scope": "snsapi_userinfo,"
}
The fields are interpreted as follows:

Parameter | Description
--- | ---
access_token | Web authorization interface call credential. Note: this access_token is different from the basic-support access_token
expires_in | Expiry time of the access_token credential, in seconds
refresh_token | Used to refresh the access_token
openid | Unique identifier of the user. Note that even when the user has not followed the official account, visiting the account's web page still produces an OpenID that is unique to that user and official account
scope | Scope authorized by the user, comma-separated

So we have successfully exchanged the code for an access_token and a refresh_token.
Refreshing the access_token
Refreshing the access_token is mentioned in the official documentation, but it is not required and can be ignored on first use.
The URL request method is as follows:
https://api.weixin.qq.com/sns/oauth2/refresh_token?appid=APPID&grant_type=refresh_token&refresh_token=REFRESH_TOKEN
Parameter description

Parameter | Required | Description
--- | --- | ---
appid | Yes | Unique identifier of the official account
grant_type | Yes | Fill in refresh_token
refresh_token | Yes | Fill in the refresh_token parameter obtained together with the access_token
The constructed URL is as follows:
https://api.weixin.qq.com/sns/oauth2/refresh_token?appid=wx8888888888888888&grant_type=refresh_token&refresh_token=oezxceiibsksxw0eoylieasr0gmyd1awcffdhgb4fhs_kkf2cotgj2cbnukqqvj-g0zwee5-ubjbz941eopqdqy5ss_gcs2z40dnvu99y5czpawzksiuz_6x_tfkloxlu7kdkm2232wdxb3msuzq1a
Executing it in the browser returns JSON data in the same format as above.
4. Use the access_token to obtain user information
Request method:
https://api.weixin.qq.com/sns/userinfo?access_token=ACCESS_TOKEN&openid=OPENID
Parameter description

Parameter | Description
--- | ---
access_token | Web authorization interface call credential. Note: this access_token is different from the basic-support access_token
openid | Unique identifier of the user
The constructed URL is as follows:
https://api.weixin.qq.com/sns/userinfo?access_token=OezXcEiiBSKSxW0eoylIeAsR0GmYd1awCffdHgb4fhS_Kkf2cotgj2cbnukqqvj-g0zwee5-ubjbz941eopqdqy5ss_gcs2z40dnvu99y5ai1bw2uqn--2jxoblim5d6l9rimvm8vg8cbailpwa8vw&openid=olvppjqs9bhvzwpj5a-vtyax3glc
You can execute this request directly in the browser:
The following JSON data is returned:
{
    "openid": "OLVPPJQS9BHVZWPJ5A-VTYAX3GLC",
    "nickname": "Square Times",
    "sex": 1,
    "language": "zh_CN",
    "city": "Shenzhen",
    "province": "Guangdong",
    "country": "CN",
    "headimgurl": "http://wx.qlogo.cn/mmopen/utpkyf69vabcrdrlbuspsdqn38doibckru6samcsnx558etalvm8pym6jlegzorh67hyzibizpxu4bk1xnwzsxb3cs4qpbbg18/0",
    "privilege": []
}
Parameter interpretation:

Parameter | Description
--- | ---
openid | Unique identifier of the user
nickname | User nickname
sex | The user's gender: 1 is male, 2 is female, 0 is unknown
province | The province entered in the user's personal profile
city | The city entered in the user's personal profile
country | Country, e.g. CN for China
headimgurl | User avatar. The last value in the URL is the size of the square avatar (0, 46, 64, 96 or 132; 0 means 640*640). Empty if the user has no avatar
privilege | User privilege information as a JSON array, e.g. chinaunicom for WeChat Wo Card users
This matches my personal WeChat profile.
At this point, without my entering an account or password, the WeChat official account has obtained my personal information: nickname, gender, country, province, city, avatar and privilege list.
A complete OAuth2 authorization is finished.
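The three server-side steps above (receive the code in oauth2.php, exchange it for an access_token, fetch the user information) as one callback script, added here and not the original post's code. It uses the article's placeholder AppID and AppSecret, assumes the authorize step stored the state value in the PHP session, keeps TLS verification enabled, and checks the errcode field because WeChat reports API errors in a normal HTTP 200 body.

```php
<?php
// Added example (not from the original post): oauth2.php end to end. Verifies state, exchanges
// the code for the web-authorization access_token, checks errcode, then fetches the profile.
// Assumes the article's placeholder AppID/AppSecret and a session holding 'oauth_state'.
session_start();
const APPID     = 'wx8888888888888888';
const APPSECRET = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA';   // keep this out of logs and of client-side code
// GET a WeChat API endpoint and return the decoded JSON; throw on transport or API errors.
function wx_get_json(string $url): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_SSL_VERIFYPEER => true,   // the query string carries the AppSecret: never disable this
        CURLOPT_SSL_VERIFYHOST => 2,
    ]);
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        throw new RuntimeException('cURL failed: ' . $err);
    }
    $data = json_decode($body, true);
    // Errors come back as HTTP 200 with {"errcode":..., "errmsg":...}, so errcode decides, not the status.
    if (!is_array($data) || !empty($data['errcode'])) {
        throw new RuntimeException('WeChat API error: ' . $body);
    }
    return $data;
}
// 1. Accept the code only when state matches the value issued at the authorize step (login-CSRF check).
$expected = $_SESSION['oauth_state'] ?? '';
unset($_SESSION['oauth_state']);   // single use
if (!isset($_GET['code']) || $expected === '' || !hash_equals($expected, (string) ($_GET['state'] ?? ''))) {
    http_response_code(400);
    exit('NO CODE or state mismatch');
}
// 2. Exchange the short-lived, single-use code for access_token + openid (section 3 above).
$token = wx_get_json('https://api.weixin.qq.com/sns/oauth2/access_token?' . http_build_query([
    'appid' => APPID, 'secret' => APPSECRET, 'code' => $_GET['code'], 'grant_type' => 'authorization_code',
]));
// 3. Only snsapi_userinfo permits /sns/userinfo; with snsapi_base the openid is all there is (section 4 above).
$user = ['openid' => $token['openid']];
if (strpos($token['scope'], 'snsapi_userinfo') !== false) {
    $user = wx_get_json('https://api.weixin.qq.com/sns/userinfo?' . http_build_query([
        'access_token' => $token['access_token'], 'openid' => $token['openid']]));
}
header('Content-Type: application/json');
echo json_encode($user, JSON_UNESCAPED_UNICODE);   // nickname/headimgurl are user-supplied: escape before use in HTML
```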
III. Full demonstration
Follow Square Times Studio (QR code below), reply "authorization", and click the image in the returned message.
On the confirmation page, click "Allow".
The pop-up shows the result (the image has hotlink protection, so it cannot be displayed directly; download it locally to view it).
The above covers obtaining user information through WeChat web authorization; related material will be added in follow-ups. Thank you for supporting this site!