The access_token problem of WeChat OAuth2

Source: Internet
Author: User
Tags: openid
I have gone through the entire OAuth2 process of obtaining user information. There's no problem.

But there's something in the middle that's unclear to me. I hope someone who knows can help answer the following.

Do you have to go through the code to get the access_token every time?
If not, then since the user's OpenID is only returned when acquiring the access_token, the user's OpenID won't be available.
Or do you get the user's OpenID the first time, save it to a cookie, and read the cookie next time???
Otherwise, what's the point of refreshing the access_token ...

Then there's the question of whether the access_token is only valid for the current session, or valid for one user's OpenID, or valid for all users ...

This is my first time dealing with this, thank you .....


Reply to discussion (solution)

This is only used when you need to operate the management functions; for things like ordinary chat there's no need to obtain it. Generally only the platform's management backend uses it, and generally you record it after the first fetch so that each operation doesn't go and fetch it again and use up the day's API call quota.

I'm talking about web page authorization to get the user's basic information, not the basic function interfaces.

The approximate process is this:
1. Construct the URL address:
https://open.weixin.qq.com/connect/oauth2/authorize?appid=APPID&redirect_uri=REDIRECT_URI&response_type=code&scope=SCOPE&state=STATE#wechat_redirect

redirect_uri is my own web address. The user visits the above address directly and is then redirected back to the redirect_uri address with the parameter code; there is no user OpenID.

2. https://api.weixin.qq.com/sns/oauth2/access_token?appid=APPID&secret=APPSECRET&code=CODE&grant_type=authorization_code
Get the access_token from the code; this returns:
{
    "access_token": "ACCESS_TOKEN",
    "expires_in": 7200,
    "refresh_token": "REFRESH_TOKEN",
    "openid": "OPENID",
    "scope": "SCOPE"
}
In this step, openid is the OpenID of the user currently visiting my page.

3. Get the user's profile based on the OpenID.

And the problem is the second step.
If I save the access_token, shouldn't I skip the second step next time? But if I skip it, how do I get the OpenID? Without the OpenID, I can't do the third step.

If you don't store the access_token, then every time a user visits a web page it fetches the access_token once. That's too frequent.

Haven't you done this before?

Save the user's OpenID to the database, bound to the user.
Save the access_token to the database each time you fetch it; before using it, first check whether the access_token in the database has expired (it expires after two hours); if it has expired, fetch it again and save it again.

The access_token has access limits, and if you keep fetching it you won't be able to provide the service.


This is clear.
But in web authorization, the only way to get the user's OpenID is in the step that gets the token, which returns it at the same time. That is, when acquiring the token, the response returns both the token and the OpenID of the user currently on the web page. This is not the same as the basic interface. In the basic interface, the user's OpenID is obtained with each operation.
{
    "access_token": "ACCESS_TOKEN",
    "expires_in": 7200,
    "refresh_token": "REFRESH_TOKEN",
    "openid": "OPENID",  // OpenID of the user currently visiting the web page
    "scope": "SCOPE"
}
But without the user's OpenID, I can't get the user's information even if I have the token.


<?php
// Reconstructed from the garbled post: the class name and the first array key were cut off
// in the original, so "WxWebAuth" and 'wx_id' are filled in from how the rest of the code uses them.
class WxWebAuth
{
    var $appid;
    var $appsecret;
    var $_client = array('wx_id' => '', 'user_id' => 0, 'act' => '', 'exp' => 0, 'token' => '', 'userdata' => '');
    var $wxu_mod;
    var $code = '';

    function __construct()
    {
        $this->appid = APPID1;          // constants defined elsewhere in the poster's project
        $this->appsecret = APPSECRET1;
        if (isset($_GET['code'])) {
            $this->code = $_GET['code'];
            $userinfo = $this->getUserInfo();
            dump($userinfo);            // framework debug helper used in the original post
        }
    }

    public function getUserInfo()
    {
        $accessToken = $this->getAccessToken();
        $cfg['SSL'] = true;
        // https://api.weixin.qq.com/sns/userinfo?access_token=ACCESS_TOKEN&openid=OPENID
        $userinfo = $this->__curlOpen("https://api.weixin.qq.com/sns/userinfo?access_token=" . $accessToken
            . "&openid=" . $this->_client['wx_id'] . "&lang=zh_CN", $cfg);
        return json_decode($userinfo, true);
    }

    /**
     * Get the web-authorization access_token (and with it the visitor's openid).
     * The file cache is commented out exactly as in the post, so the token is fetched on every request.
     */
    public function getAccessToken($getHTTP = false)
    {
        $isCurl = true;
        /*
        $tokenfile = ROOT_PATH . "/temp/token_web";
        $token = file_exists($tokenfile) ? file_get_contents($tokenfile) : '';
        if ($token) {
            $token = json_decode($token, true);
            if (time() - $token['access_time'] < $token['expires_in']) {
                $isCurl = false;
            }
        }
        */
        if ($isCurl || $getHTTP) {
            // https://api.weixin.qq.com/sns/oauth2/access_token?appid=APPID&secret=SECRET&code=CODE&grant_type=authorization_code
            $cfg['SSL'] = true;
            $token = $this->__curlOpen("https://api.weixin.qq.com/sns/oauth2/access_token?appid=" . $this->appid
                . "&secret=" . $this->appsecret . "&code=" . $this->code . "&grant_type=authorization_code", $cfg);
            $token = json_decode($token, true);
            $token['access_time'] = time();
            // file_put_contents($tokenfile, json_encode($token), LOCK_EX);
        }
        if (empty($token['openid'])) {
            return '';  // WeChat returned an errcode/errmsg body instead of a token (e.g. a reused or expired code)
        }
        $this->_client['wx_id'] = $token['openid'];
        $client = $this->wx_user();
        if ($client) {
            $this->_client = $client;
        } else {
            $this->wx_user('add');
        }
        return $token['access_token'];
    }

    public function __curlOpen($url, $cfg)
    {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        isset($cfg['post']) && curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");
        if (!empty($cfg['SSL'])) {
            // The post set both options to FALSE, which turns off certificate checking and exposes the
            // appsecret and access_token to anyone who can intercept the connection; verify instead.
            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
            curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
        }
        curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (compatible; MSIE 5.01; Windows NT 5.0)');
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
        curl_setopt($ch, CURLOPT_AUTOREFERER, 1);
        isset($cfg['post']) && curl_setopt($ch, CURLOPT_POSTFIELDS, $cfg['post']);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        $result = curl_exec($ch);
        if (curl_errno($ch)) {
            return curl_error($ch);
        }
        curl_close($ch);
        return $result;
    }

    // User record operations: add / edit / look up the visitor by openid
    public function wx_user($act = '')
    {
        if ($this->_client['wx_id']) {
            $this->wxu_mod = M("weixinuser");  // framework model helper used in the original post
            if ($act == 'add') {
                $this->wxu_mod->add($this->_client);
            } elseif ($act == 'edit') {
                $this->wxu_mod->edit("wx_id='" . $this->_client['wx_id'] . "'", $this->_client);
            } else {
                return $this->wxu_mod->get("wx_id='" . $this->_client['wx_id'] . "'");
            }
        }
    }

    /* $scope: snsapi_base / snsapi_userinfo */
    public function makeStartUrl($url, $state = '', $scope = 'snsapi_userinfo')
    {
        // https://open.weixin.qq.com/connect/oauth2/authorize?appid=APPID&redirect_uri=REDIRECT_URI&response_type=code&scope=SCOPE&state=STATE#wechat_redirect
        $base_url = "https://open.weixin.qq.com/connect/oauth2/authorize?appid={$this->appid}&redirect_uri=";
        $base_url .= rawurlencode($url);
        $base_url .= "&response_type=code&scope={$scope}&state={$state}#wechat_redirect";
        return $base_url;
    }
}
?>

In other words, in order to get the OpenID of the user currently visiting the web page, we have to obtain the token, since that is what returns the OpenID of the user currently accessing the page.
That way you have to get a token every time, and it makes no sense for me to save it.


See:
http://mp.weixin.qq.com/wiki/17/c0f37d5704f0b64713d5d2c37b468d75.html

Or is it that the first time you get the token and OpenID, you save them,
then save the user's OpenID in a cookie,
and next time read the OpenID directly from the cookie along with the stored token corresponding to that OpenID (equivalent to skipping the get-token step), and directly get the user's information??

However, if the client doesn't support cookies, the result will be the same ....
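The server-side layout the reply above recommends (OpenID and token saved in the database, expiry checked before use) also answers the cookie question in this post: the browser only needs an unguessable session id that the server maps to the OpenID, so the OpenID itself never has to be put in a cookie where it could be forged. The following is an added example, not code from the thread; `http_get` and `clock` are injected so it runs offline, and `fake_wechat` is a constructed stand-in for the three WeChat endpoints (the real responses additionally carry `scope`, and on error `errcode`/`errmsg`).

```python
import secrets
from urllib.parse import parse_qs, urlparse

class NeedsReauthorization(Exception): pass  # no usable token: send the visitor through the authorize URL again

class WxWebAuth:
    def __init__(self, appid, secret, http_get, clock):  # http_get and clock are injected so this runs offline
        self.appid, self.secret, self.http_get, self.clock = appid, secret, http_get, clock
        self.tokens = {}    # openid -> token record (stands in for the DB row bound to the user)
        self.sessions = {}  # random session id -> openid; the cookie carries only this id

    def _store(self, rsp):  # mark the token stale 300 s early so it never expires mid-request
        self.tokens[rsp["openid"]] = dict(rsp, expires_at=self.clock() + rsp["expires_in"] - 300)

    def exchange_code(self, code):  # step 2: code -> access_token + openid, only on first visit or re-auth
        rsp = self.http_get(f"https://api.weixin.qq.com/sns/oauth2/access_token?appid={self.appid}&secret={self.secret}&code={code}&grant_type=authorization_code")
        if "openid" not in rsp:
            raise NeedsReauthorization(rsp.get("errmsg", "code exchange failed"))
        self._store(rsp)
        sid = secrets.token_urlsafe(32)  # unguessable; a bare openid in a cookie could be forged
        self.sessions[sid] = rsp["openid"]
        return sid

    def access_token_for(self, sid):  # reuse the cached token, refresh when stale, re-auth only if that fails
        rec = self.tokens.get(self.sessions.get(sid))
        if rec is None:
            raise NeedsReauthorization("unknown session")
        if self.clock() < rec["expires_at"]:
            return rec["access_token"]
        rsp = self.http_get(f"https://api.weixin.qq.com/sns/oauth2/refresh_token?appid={self.appid}&grant_type=refresh_token&refresh_token={rec['refresh_token']}")
        if "access_token" not in rsp:
            raise NeedsReauthorization("refresh failed")
        self._store(rsp)
        return rsp["access_token"]

    def user_info(self, sid):  # step 3: /sns/userinfo with the cached token and the openid bound to the session
        token = self.access_token_for(sid)
        return self.http_get(f"https://api.weixin.qq.com/sns/userinfo?access_token={token}&openid={self.sessions[sid]}&lang=zh_CN")

CALLS = []  # request paths seen by the fake endpoints below, so a test can count code exchanges

def fake_wechat(url):  # constructed stand-in for the three WeChat endpoints; not the real API
    path, q = urlparse(url).path, parse_qs(urlparse(url).query)
    CALLS.append(path)
    if path.endswith("/oauth2/access_token"):
        return {"access_token": "AT1", "expires_in": 7200, "refresh_token": "RT1", "openid": "OPENID_A", "scope": "snsapi_userinfo"}
    if path.endswith("/oauth2/refresh_token"):
        return {"access_token": "AT2", "expires_in": 7200, "refresh_token": "RT2", "openid": "OPENID_A", "scope": "snsapi_userinfo"}
    return {"openid": q["openid"][0], "nickname": "demo", "token_used": q["access_token"][0]}
```

Across repeated visits the code exchange runs once; later requests reuse the cached token, refresh it with refresh_token once it is past 7200 s, and only fall back to a fresh authorization when the refresh itself is rejected.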

It depends on what purpose you need the user statistics for. If it's only for third-party login, you just follow the third-party login documentation. If you want to do background user synchronization, then you need an official account.

It's for running campaigns.
This doesn't need login; it only needs the OpenID of the user visiting each page, and that's enough.

It's done. Hey
