PHP for third-party logins

1. oAuth2.0 principle

Website in order to facilitate users to quickly login system, will provide the use of well-known third-party platform account for fast login function, third-party login is based on the oAuth2.0 standard to achieve. The following is a detailed analysis of the principles of "Account password Authorization" and "authorization based on oAuth2.0 standards" and the advantages of oAuth2.0 authorization.

1.1 Account Password Authorization method

Users to the site to initiate the use of other platform account login instructions, third-party platform website on the user to obtain the account number and password, the user will account and password to provide a third-party site, the site uses the user's account and password to log in to the service provider, retrieve the user's information. This is the process of authorizing login using account and password.

Problems that exist:

First, the service provider's account number and password are leaked to the third party platform, resulting in security issues;

Analysis: Assuming that the service provider is, no one will be willing to account and password to tell the current visit to the site, once the current site information leaks, account and password will be lost;

Second, the user to recover authorization, only by changing the password to achieve, if there are many third-party sites are used

The same service provider is authorized to log in, then all third-party website authorization has been withdrawn;

Analysis: Suppose we want to take back the account and password granted to the current website, and it is impossible for a third party to voluntarily abandon the

Authorization, then only the user to modify the password, but there are a number of third-party sites are authorized by the service provider login, change the password at the same time, the authorization of other sites are also invalid;

Third, it is difficult to achieve to different sites, grant different permissions;

1.2 OAuth principle and authorization process

In order to solve the problem of the traditional authorization method of account password, the OAuth project group developed the OAuth Standard to provide an open standard for API access authorization, and OAuth is an open standard for access authorization. Unlike previous licensing methods, OAuth's authorization does not allow a third party to touch the user's account information (such as a user name and password), which means that the third party can request authorization for the user's resources without using the user's username and password, so OAuth is secure. OAuth is a shorthand for open authorization. Service providers and third-party platforms are encoded according to OAUTH standards, service providers can implement a secure authorization mechanism, third-party application calls service provider resources are also unified, service providers and third parties to achieve their own functions based on uniform standards.

User to the third party site request, request to use other platform authorized login, this time the third site is not directly require users to provide other platform account and password, but to guide the user's browser to jump to the authorized login page of the service provider, the user in the service provider's website page to complete the authorization. So to solve the first problem, users do not need to give third-party users to disclose the account number and password. After login authorization, the service provider will generate a one-time access code to access the resources, we call the token, this token contains the user, third-party sites, resource permissions information. After the token is generated, the service provider also directs the user's browser to carry the token back to the third-party website, and after receiving the token, the third-party web site can carry the token as a credential provider with access to the resource. In this process, the user has not leaked the account and password to the third party, successfully authorized the login, and restricted the access of third parties to the service resources.

Here is the oAuth2.0 authorization flowchart

2. PHP Implementation Authorization Login

Register the developer account on the open platform and have an approved website app, and get the appropriate AppID and Appsecret, apply for login and after approval, you can start the access process.

First Step: Request code

https://open.weixin.qq.com/connect/qrconnect?appid=wxd7ygg9f86e0e&redirect_uri=http://www.rainzfw.tech/ Third-login/weixin.html&response_type=code&scope=snsapi_login&state=123

If you are prompted to "this link cannot be accessed", check that the parameters are filled in incorrectly, such as the Redirect_uri domain name is inconsistent with the authorization domain name that was entered in the audit, or scope is not snsapi_login.

Once authorized, the user will be redirected to the Redirect_uri URL with the code and State parameters

Http://www.rainzfw.tech/third-login/weixin.html?code=bckbjhbjhvbvjaf43415&state=123

Step two: Get Access_token by code

Https://api.weixin.qq.com/sns/oauth2/access_token?appid=APPID&secret=SECRET&code=CODE&grant_type= Authorization_code

Return Description:

{

"Access_token": "Oezxceiibsksxw0eoyliefy2hfc4bxv9jvc0sgj4px4_8tx1ci3jf_qp_6swjvx2rcaujxep1_ 9edzdjlf3miwii2n8cntoodfx7nypfrmoszyq4gb2fndwjr__kuqptcfvuvg6xbtuczz4zh6v8vq ",

"Expires_in": 7200,

"Refresh_token": "Oezxceiibsksxw0eoyliefy2hfc4bxv9jvc0sgj4px4_8tx1ci3jf_qp_ 6swjvx2lw60inlf6ak1q21rw7mjyc5yg3gz9p1psanokti2ezuqxa6cnwsxxdqlj3421teovcwirjhka8otqjslkyg-yg ",

"OpenID": "ojekjs2fatq47fgjdoeiyopmn97s",

"Scope": "Snsapi_login",

"Unionid": "O4wcnw02yjfuyglzxv0lwcbkvf6y"

}

Step three: Call the interface via Access_token:

1. Access_token is valid and not timed out;

2. The user has authorized the appropriate interface scope (scope) for the third-party app account.

For interface scope (scope), the interface that can be called has the following:

Where Snsapi_base belongs to the underlying interface, and if the application already has other scope permissions, the default has Snsapi_base permissions. Using Snsapi_base can let the mobile page authorization bypass the Jump authorization login page request user authorization action, jump directly to the third party Web page with the authorized temporary ticket (code), but will make the user authorized scope (scope) is only snsapi_base, This results in the inability to obtain the data and underlying functionality that is required for user authorization. Interface invocation method can be consulted on the authorization Relationship Interface invocation Guide

70231191

PHP for third-party logins