We often see WeChat login on third-party platforms. After we scan the QR code with WeChat, how does the platform get our information?
This can be modeled on everyday life.
For example, when we receive an express delivery, the courier rings the doorbell downstairs. We at home answer the intercom, confirm that it is the courier, and then open the door for him.
The above method is relatively safe, but it is not efficient enough. If we have a lot of parcels, the courier needs to make 8 calls after sorting them, which sounds troublesome. So we design another scheme: tell the courier the door code, but a temporary one that expires in an hour, so that we only have to answer the doorbell once. This is both safe and efficient.
WeChat's third-party login is based on this model. The procedure for scan-code login is as follows.
The WeChat platform [the residential building] is a network service that stores user data. Anyone who wants to obtain user information must go through WeChat's "access control system". For a third-party application to pass the access control system, access to the user's information must be authorized by the WeChat user [the owner at home].
- The user scans the code, and the third party initiates a WeChat authorized-login request.
- After the WeChat user authorizes the third-party application, WeChat launches the application or redirects to the third-party website, carrying the temporary authorization credential in the code parameter. [We answered the intercom, confirmed that it was indeed the courier, and told the access control system that we agree to let him into the compound.]
- The third party exchanges the code parameter, together with its AppID and AppSecret, for an access_token via the API. [Having got my confirmation, the access control system shows the courier the door code for entering the building.]
- The access_token is used to call the interfaces that read the user's basic data resources or perform basic operations on the user's behalf. [The courier enters with the door code; for a short while, as long as he does not forget it, he does not need to call me again.]
This is an application of the OAuth 2.0 protocol.
OAuth 2.0 protocol
Simply put, OAuth is an authorization mechanism. The owner of the data tells the system that it agrees to let a third-party application access the data. The system then generates a short-lived access token, which the third-party application can use in place of a password.
A token and a password serve the same function, both get you into the system, but there are three differences.
(1) The token is short-lived and expires automatically; the user cannot modify it. A password is generally valid for a long time and does not change unless the user changes it.
(2) The token can be revoked by the data owner and becomes invalid immediately. In the example above, the owner can cancel the courier's token at any time. A password cannot be revoked by others.
(3) The token has a scope; for example, it may only open door no. 2 of the compound. For network services, a read-only token is safer than a read-write token. A password generally carries full permissions.
This design ensures that a token can grant permissions to a third-party application while remaining controllable, without compromising system security. This is the advantage of OAuth 2.0.
Note that anyone who knows the token can enter the system; the system generally does not confirm identity again. The token must therefore be kept secret, and leaking a token has the same consequences as leaking a password. This is why token validity is usually set very short.
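To make the four scan-code steps and the three token properties concrete, here is an added example that is my own code, not WeChat's and not a real WeChat endpoint: a small in-memory authorization server in Python that plays the building's access control system. It hands out a single-use temporary code at step 2, exchanges code + AppID + AppSecret for an access_token at step 3, and at step 4 checks only expiry, revocation and scope, never the caller's identity again. The class name AuthorizationServer, the app id wx_app, the callback URL and the 5-minute code lifetime are assumptions for the demonstration (the 2-hour token lifetime is the one the page states). One check goes slightly beyond the text: the code is only issued to the redirect_uri the application registered, which is the standard OAuth 2.0 safeguard against the code being delivered to the wrong party.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed in-memory simulation: no network and no real WeChat endpoint is involved.
CODE_TTL = 300     # a temporary code is single use and lives 5 minutes (assumed value)
TOKEN_TTL = 7200   # 2 hours, the access_token lifetime stated on the page


@dataclass
class Token:
    owner: str          # the data owner who granted it
    scope: frozenset    # what it may do, e.g. {"profile"}
    expires_at: float
    revoked: bool = False


class AuthorizationServer:
    """Plays the WeChat platform, i.e. the building's access control system."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.apps = {}     # app_id -> (app_secret, registered redirect_uri)
        self.codes = {}    # code -> (app_id, user, scope, expires_at)
        self.tokens = {}   # access_token -> Token

    def register_app(self, app_id, app_secret, redirect_uri):
        self.apps[app_id] = (app_secret, redirect_uri)

    def authorize(self, app_id, user, scope, redirect_uri):
        """Step 2: the user has confirmed; hand out a temporary code for the redirect."""
        if redirect_uri != self.apps[app_id][1]:
            raise PermissionError("redirect_uri does not match the registered one")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (app_id, user, frozenset(scope), self.clock() + CODE_TTL)
        return code

    def exchange(self, app_id, app_secret, code):
        """Step 3: code + AppID + AppSecret -> access_token (the courier gets the door code)."""
        entry = self.codes.pop(code, None)   # pop: a code can be redeemed only once
        if entry is None:
            raise PermissionError("unknown or already used code")
        code_app, user, scope, code_exp = entry
        secret = self.apps.get(app_id, (None, None))[0]
        if code_app != app_id or secret is None or not hmac.compare_digest(secret, app_secret):
            raise PermissionError("client authentication failed")
        if self.clock() > code_exp:
            raise PermissionError("code expired")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = Token(user, scope, self.clock() + TOKEN_TTL)
        return {"access_token": token, "expires_in": TOKEN_TTL, "scope": sorted(scope)}

    def revoke(self, user, token):
        """Difference (2): the data owner can cancel a token at any time."""
        t = self.tokens.get(token)
        if t is not None and t.owner == user:
            t.revoked = True

    def resource(self, token, need):
        """Step 4: the API checks validity, revocation and scope, never identity again."""
        t = self.tokens.get(token)
        if t is None or t.revoked or self.clock() > t.expires_at:
            raise PermissionError("invalid or expired token")
        if need not in t.scope:              # difference (3): scope limits what it opens
            raise PermissionError("scope not granted: " + need)
        return {"user": t.owner, "data": "basic profile of " + t.owner}


def run_flow():
    """Walk through the four steps and the three differences; return what happened."""
    clock = {"now": 1_700_000_000.0}         # mutable fake clock so we can fast-forward
    srv = AuthorizationServer(lambda: clock["now"])
    app, secret, cb = "wx_app", "app-secret", "https://third-party.example/callback"
    srv.register_app(app, secret, cb)
    results = {}

    def attempt(name, fn):
        try:
            fn()
            results[name] = "allowed"
        except PermissionError:
            results[name] = "rejected"

    code = srv.authorize(app, "alice", ["profile"], cb)
    token = srv.exchange(app, secret, code)["access_token"]
    results["profile"] = srv.resource(token, "profile")["data"]
    attempt("code_reuse", lambda: srv.exchange(app, secret, code))
    attempt("write_scope", lambda: srv.resource(token, "write"))
    srv.revoke("alice", token)
    attempt("after_revoke", lambda: srv.resource(token, "profile"))
    token = srv.exchange(app, secret, srv.authorize(app, "alice", ["profile"], cb))["access_token"]
    clock["now"] += TOKEN_TTL + 1             # difference (1): expires automatically
    attempt("after_expiry", lambda: srv.resource(token, "profile"))
    return results
```

Running `run_flow()` shows the point of the last paragraph: the resource API never asks who is calling, so possession of the token is everything, and the only things limiting the damage of a leaked one are its short life, the owner's ability to revoke it and the scope it was granted with.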
User identification
To identify users, WeChat generates a secure OpenID for each user in each Official Account. If you need to recognise the same user across several Official Accounts and mobile applications, you have to bind them to a WeChat Open Platform account. After binding, a user still has a different OpenID for each application and Official Account, but only one UnionID across all the Official Accounts and applications under the same Open Platform account.
The Official Account platform uses the access_token as the credential for calling its interfaces; every interface call must first obtain an access_token. The access_token is valid for 2 hours and must be fetched again after it expires.
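Because every interface call needs the access_token and it only lives 2 hours, a server should fetch it once, share it, and renew it shortly before it expires rather than requesting a fresh one per call. The following is an added example of my own, not WeChat's code: a thread-safe cache that refreshes in a 5-minute window before expiry (the margin is an assumption) and refuses to cache an error reply. The `fetch` callable is injected so the example runs offline; in a real deployment it would perform the HTTPS request to WeChat's token endpoint with the AppID and AppSecret, which is not shown here. The `{"access_token", "expires_in"}` and `{"errcode", "errmsg"}` reply shapes follow WeChat's interface conventions.

```python
import threading
import time

ACCESS_TOKEN_TTL = 7200   # the access_token is valid for 2 hours, as the page states
REFRESH_MARGIN = 300      # assumed: renew 5 minutes early so in-flight calls never hit expiry


class AccessTokenCache:
    """Process-wide holder for the platform access_token with early, single-flight refresh."""

    def __init__(self, fetch, clock=time.time, margin=REFRESH_MARGIN):
        self.fetch = fetch        # callable returning {"access_token": ..., "expires_in": ...}
        self.clock = clock
        self.margin = margin
        self.lock = threading.Lock()
        self.token = None
        self.expires_at = 0.0
        self.fetch_count = 0      # exposed so the demo can show how few fetches happen

    def _stale(self):
        return self.token is None or self.clock() >= self.expires_at - self.margin

    def get(self):
        if not self._stale():                 # fast path: no lock while the token is fresh
            return self.token
        with self.lock:
            if self._stale():                 # re-check: another thread may have refreshed
                resp = self.fetch()
                if resp.get("errcode", 0) != 0:   # WeChat reports failures as errcode/errmsg
                    raise RuntimeError("token fetch failed: %s" % resp.get("errmsg"))
                self.token = resp["access_token"]
                self.expires_at = self.clock() + resp["expires_in"]
                self.fetch_count += 1
            return self.token


def make_fake_fetch():
    """Constructed stand-in for the HTTPS call; each call hands out a new numbered token."""
    counter = {"n": 0}

    def fetch():
        counter["n"] += 1
        return {"access_token": "tok-%d" % counter["n"], "expires_in": ACCESS_TOKEN_TTL}

    return fetch


def demo():
    """100 calls share one fetch; the refresh window triggers exactly one more."""
    clock = {"now": 0.0}                      # fake clock we can move forward
    cache = AccessTokenCache(make_fake_fetch(), clock=lambda: clock["now"])
    first = [cache.get() for _ in range(100)]
    clock["now"] += ACCESS_TOKEN_TTL - REFRESH_MARGIN   # entered the refresh window
    second = cache.get()
    return {"first": first[0], "all_same": len(set(first)) == 1,
            "second": second, "fetches": cache.fetch_count}
```

The double check under the lock matters when many worker threads notice the token going stale at the same moment: only the first one performs the fetch, the rest reuse its result. If an error reply were cached, every caller would keep failing for two hours, which is why the cache raises instead.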
WeChat mini program login
WeChat uses the temporary credential (code) to obtain the user's login-state information, including the user's unique identifier (OpenID) and the session key (session_key) for this login. Encryption and decryption of user data depend on the session_key.
- Obtain the code with wx.login.
- Send the code to the third-party server.
- The third-party server combines AppID + AppSecret + code and calls the auth.code2Session interface on the WeChat server.
- When the WeChat server receives AppID + AppSecret + code, it returns some information to the third-party server, including the user's unique identifier OpenID, the user's unique identifier UnionID under the WeChat Open Platform account (if the current mini program has been bound to a WeChat Open Platform account), and the session key session_key.
- The project server saves the session_key and OpenID, generates a token, and returns it to the client.
- The client saves the token, and every subsequent request must carry the token.
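The server side of those six steps, as an added example written by me rather than taken from WeChat or any project: it builds the auth.code2Session request (the endpoint and its appid / secret / js_code / grant_type parameters are the ones in WeChat's public documentation), keeps the returned session_key in server-side storage, and hands the client a token it can present on every later request. The token is the server's own construction, base64(openid|expiry) plus an HMAC-SHA256 over it under a key the server alone holds, so the client learns nothing it could forge and the session_key, which decrypts user data, never leaves the server. APP_ID and APP_SECRET are placeholders, SERVER_KEY is a constructed per-process key, and the HTTPS call is replaced by a constructed transport that answers in the errcode/errmsg shape WeChat uses, so the whole thing runs offline.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

APP_ID = "wx-placeholder-appid"            # placeholder: real values come from the WeChat console
APP_SECRET = "placeholder-appsecret"       # placeholder
SERVER_KEY = secrets.token_bytes(32)       # constructed: signs our own session tokens only
TOKEN_TTL = 7200                           # assumed lifetime of the token we hand the client

# Endpoint and query parameters of auth.code2Session as documented by WeChat.
CODE2SESSION_URL = "https://api.weixin.qq.com/sns/jscode2session"

# Server-side only: openid -> session_key. It decrypts user data, so it is never put in the token.
SESSIONS = {}


def build_code2session_request(code):
    """Step 3: the GET request the third-party server sends to the WeChat server."""
    params = {"appid": APP_ID, "secret": APP_SECRET,
              "js_code": code, "grant_type": "authorization_code"}
    return CODE2SESSION_URL + "?" + urlencode(params)


def fake_wechat_transport(url):
    """Constructed stand-in for the HTTPS call, shaped like WeChat's JSON replies (step 4)."""
    if "js_code=valid-code" in url:
        return json.dumps({"openid": "o_constructed_openid",
                           "unionid": "u_constructed_unionid",
                           "session_key": base64.b64encode(b"0123456789abcdef").decode()})
    return json.dumps({"errcode": 40029, "errmsg": "invalid code"})   # constructed error reply


def issue_token(openid, now):
    """Step 5: token = base64url(openid|expiry) '.' base64url(HMAC-SHA256 over that payload)."""
    payload = ("%s|%d" % (openid, int(now) + TOKEN_TTL)).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return "%s.%s" % (base64.urlsafe_b64encode(payload).decode(),
                      base64.urlsafe_b64encode(sig).decode())


def verify_token(token, clock=time.time):
    """Step 6: check signature and expiry; return the openid, or None if the token is bad."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
        openid, exp = payload.decode().rsplit("|", 1)
        exp = int(exp)
    except ValueError:            # malformed token; binascii.Error is a ValueError too
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig) or clock() > exp:
        return None
    return openid


def login(code, transport=fake_wechat_transport, clock=time.time):
    """Steps 2 to 5: take the code from wx.login, call code2Session, return our token."""
    resp = json.loads(transport(build_code2session_request(code)))
    if resp.get("errcode", 0) != 0:
        raise PermissionError("code2Session failed: %s" % resp.get("errmsg"))
    SESSIONS[resp["openid"]] = resp["session_key"]   # stays on the server
    return issue_token(resp["openid"], clock())


def handle_request(token, clock=time.time):
    """A protected endpoint: identifies the caller from the carried token alone."""
    openid = verify_token(token, clock)
    if openid is None or openid not in SESSIONS:
        return {"status": 401}
    return {"status": 200, "openid": openid}
```

Two design points worth noting: the server verifies the token with its own key instead of looking it up, so it scales without a database round trip, and the session_key is looked up by openid only when user data actually has to be decrypted. A session_key that reaches the client would let anyone holding it decrypt that user's data, which is exactly what keeping it server-side prevents.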