根据官方文档点击查看在微信公众号请求用户网页授权之前,开发者需要先到公众平台官网中的“开发 - 接口权限 - 网页服务 - 网页帐号 - 网页授权获取用户基本信息”的配置选项中,修改授权回调域名。请注意,这里填写的是域名(是一个字符串),而不是URL,因此请勿加 http:// 等协议头,也不需要加具体的项目名,在域名空间的根目录放一个txt文件才能验证通过
详细源码点击查看
一、两种scope授权方式
- 以snsapi_base为scope发起的网页授权,是用来获取进入页面的用户的openid的,并且是静默授权并自动跳转到回调页的。用户感知的就是直接进入了回调页(往往是业务页面)
- 以snsapi_userinfo为scope发起的网页授权,是用来获取用户的基本信息的。但这种授权需要用户手动同意,并且由于用户同意过,所以无须关注,就可在授权后获取该用户的基本信息
二、关于特殊场景下的静默授权
- 上面已经提到,对于以snsapi_base为scope的网页授权,就静默授权的,用户无感知
- 对于已关注公众号的用户,如果用户从公众号的会话或者自定义菜单进入本公众号的网页授权页,即使是scope为snsapi_userinfo,也是静默授权,用户无感知
三、.用户同意授权,获取code
我这边是snsapi_userinfo发起的网页授权,redirect_uri必须用urlEncode处理下
/** * * @author phil */ public abstract class AbstractParams { /** * 返回请求参数 * @return */ public abstract MapgetParams() throws Exception; }
获取授权code请求参数AuthCodeParams.java
/** * 获取授权code请求参数 * * @author phil */ public class AuthCodeParams extends AbstractParams{ public static final String SCOPE_SNSAPIBASE = "snsapi_base"; // snsapi_base(不需要弹出授权页面,只能获取openid) public static final String SCOPE_SNSPAIUSERINFO = "snsapi_userinfo"; // 弹出授权页面(获取用户基本信息) public static final String SCOPE_SNSAPI_LOGIN = "snsapi_login"; //网页应用目前仅填写snsapi_login private String appid; private String redirect_uri; // 使用urlencode对链接进行处理 private String response_type = "code"; private String scope; private String state; public AuthCodeParams() { super(); } public AuthCodeParams(String appid, String redirect_uri, String response_type, String scope, String state) { super(); this.appid = appid; this.redirect_uri = redirect_uri; this.response_type = response_type; this.scope = scope; this.state = state; } /** * 参数组装 * @return */ public MapgetParams() throws UnsupportedEncodingException { Map params = new TreeMap (); params.put("appid", this.appid); params.put("redirect_uri", HttpRequestUtil.urlEncode( this.redirect_uri, HttpRequestUtil.DEFAULT_CHARSET)); params.put("response_type", this.response_type); params.put("scope", this.scope); params.put("state", this.state); return params; } public String getAppid() { return appid; } public void setAppid(String appid) { this.appid = appid; } public String getRedirect_uri() { return redirect_uri; } public void setRedirect_uri(String redirect_uri) { this.redirect_uri = redirect_uri; } public String getResponse_type() { return response_type; } public String getScope() { return scope; } public void setScope(String scope) { this.scope = scope; } public String getState() { return state; } public void setState(String state) { this.state = state; } }
尤其注意:由于授权操作安全等级较高,所以在发起授权请求时,微信会对授权链接做正则强匹配校验,如果链接的参数顺序不对,授权页面将无法正常访问;所以我都是用TreeMap拼接参数
请求链接的拼接
// 授权链接 private final String AUTHORIZE_URL = "https://open.weixin.qq.com/connect/oauth2/authorize"; AuthCodeParams authCodeParams = new AuthCodeParams(); String redirect_uri = "http://www.liebesy.com/oauth/bindWxPhone.shtml"; authCodeParams.setRedirect_uri(redirect_uri); authCodeParams.setAppid(WeiXinConfig.APP_ID); authCodeParams.setScope(AuthCodeParams.SCOPE_SNSAPIBASE);// 采用静默授权 authCodeParams.setState(MD5Util.MD5Encode("ceshi", "")); //防止被攻击,用于校验 String url = oAuthService.getAuthPath(authCodeParams, AUTHORIZE_URL); request.setAttribute("bindurl", url);
getAuthPath()方法
/** * 获取授权请求path * @param basic * @param path * @return * @throws Exception */ public String getAuthPath(AbstractParams basic, String path) throws Exception{ Mapparams = basic.getParams(); path = HttpRequestUtil.setParmas(params, path,"")+"#wechat_redirect"; return path; }
四、通过code换取网页授权access_token
首先请注意,这里通过code换取的是一个特殊的网页授权access_token,与基础支持中的access_token(该access_token用于调用其他接口)不同。公众号可通过下述接口来获取网页授权access_token。如果网页授权的作用域为snsapi_base,则本步骤中获取到网页授权access_token的同时,也获取到了openid,snsapi_base式的网页授权流程即到此为止。
获取授权请求token的请求参数AuthTokenParams.java
/** * 获取授权请求token的请求参数 * * @author phil */ public class AuthTokenParams extends AbstractParams { private String appid; //公众号的唯一标识 private String secret; //公众号的appsecret private String code; //填写第一步获取的code参数 private String grant_type = "authorization_code"; public AuthTokenParams() { super(); } public AuthTokenParams(String appid, String secret, String code, String grant_type) { super(); this.appid = appid; this.secret = secret; this.code = code; this.grant_type = grant_type; } /** * 参数组装 * @return */ public MapgetParams() { Map params = new TreeMap (); params.put("appid", this.appid); params.put("secret", this.secret); params.put("code", this.code); params.put("grant_type", this.grant_type); return params; } public String getAppid() { return appid; } public void setAppid(String appid) { this.appid = appid; } public String getSecret() { return secret; } public void setSecret(String secret) { this.secret = secret; } public String getCode() { return code; } public void setCode(String code) { this.code = code; } public String getGrant_type() { return grant_type; } }
授权token的返回结果AuthAccessToken.java
/** * 授权token的返回结果 * @author phil * */ public class AuthAccessToken { private String access_token; // 范围授权token private int expires_in; // 过时时间 private String refresh_token;// 刷新token private String openid; // 用户的openid private String scope; // 范围 private String unionid; //当且仅当该网站应用已获得该用户的userinfo授权时,才会出现该字段 public String getAccess_token() { return access_token; } public void setAccess_token(String access_token) { this.access_token = access_token; } public int getExpires_in() { return expires_in; } public void setExpires_in(int expires_in) { this.expires_in = expires_in; } public String getRefresh_token() { return refresh_token; } public void setRefresh_token(String refresh_token) { this.refresh_token = refresh_token; } public String getOpenid() { return openid; } public void setOpenid(String openid) { this.openid = openid; } public String getScope() { return scope; } public void setScope(String scope) { this.scope = scope; } public String getUnionid() { return unionid; } public void setUnionid(String unionid) { this.unionid = unionid; } }
获取网页授权凭证方法
/** * 获取网页授权凭证 * @param basic * @param path * @return */ public AuthAccessToken getAuthAccessToken(AbstractParams basic, String path) { AuthAccessToken authAccessToken = null; //获取网页授权凭证 try { //String path = HttpRequestUtil.setParmas(params, TOKENPATH, null); String result = HttpRequestUtil.HttpsDefaultExecute(HttpRequestUtil.GET_METHOD, path, basic.getParams(), null); if(result != null){ authAccessToken = new Gson().fromJson(result, AuthAccessToken.class); } } catch (Exception e) { logger.info("error"+e.getMessage()); } return authAccessToken; }
获取网页凭证
// 获取token的链接 private final String ACCESS_TOKEN_URL = "https://api.weixin.qq.com/sns/oauth2/access_token"; @RequestMapping(value = "bindWxPhone", method = { RequestMethod.GET }) public String prize(HttpServletRequest request, HttpServletResponse response, String url) throws Exception { AuthAccessToken authAccessToken = null; // 用户同意授权后可以获得code,检验state String code = request.getParameter("code"); if(code==null){ return null; } String state = request.getParameter("state"); if(state.equals(MD5Util.MD5Encode("ceshi", ""))){ AuthTokenParams authTokenParams = new AuthTokenParams(); authTokenParams.setAppid(""); authTokenParams.setSecret(""); authTokenParams.setCode(code); authAccessToken = oAuthService.getAuthAccessToken(authTokenParams, ACCESS_TOKEN_URL); } if(authAccessToken!=null){ logger.info("网页授权的accessToken=" + authAccessToken.getAccess_token()); logger.info("正在绑定的openid=" + authAccessToken.getOpenid()); } return Common.BACKGROUND_PATH + "/system/wxuserprize/bindPhone"; }
五、刷新access_token(如果需要)
由于access_token拥有较短的有效期,当access_token超时后,可以使用refresh_token进行刷新,refresh_token有效期为30天,当refresh_token失效之后,需要用户重新授权。
推荐:用redis、mc之类的存储code
/** * 刷新网页授权验证 * @param basic 参数 * @param path 请求路径 * @return */ public String refreshAuthAccessToken(AbstractParams basic, String path) { AuthAccessToken authAccessToken = null; //刷新网页授权凭证 try { String result = HttpRequestUtil.HttpsDefaultExecute(HttpRequestUtil.GET_METHOD, path, basic.getParams(), null); if(result != null){ authAccessToken = new Gson().fromJson(result, AuthAccessToken.class); } } catch (Exception e) { authAccessToken = null; logger.info("error"+e.getMessage()); } return authAccessToken==null?null:authAccessToken.getAccess_token(); }
六、拉取用户信息
如果网页授权作用域为snsapi_userinfo,则此时可以通过access_token和openid拉取用户信息了
通过网页授权获取的用户信息AuthUserInfo.java
/** * 通过网页授权获取的用户信息 * * @author phil */ public class AuthUserInfo { // 用户标识 private String openid; // 用户昵称 private String nickname; // 性别(1是男性,2是女性,0是未知) private String sex; // 国家 private String country; // 省份 private String province; // 城市 private String city; // 用户头像链接 private String headimgurl; // 用户特权信息 private Listprivilege; // 只有在用户将公众号绑定到微信开放平台帐号后,才会出现该字段 private String unionid; public String getOpenid() { return openid; } public void setOpenid(String openid) { this.openid = openid; } public String getNickname() { return nickname; } public void setNickname(String nickname) { this.nickname = nickname; } public String getSex() { return sex; } public void setSex(String sex) { this.sex = sex; } public String getCountry() { return country; } public void setCountry(String country) { this.country = country; } public String getProvince() { return province; } public void setProvince(String province) { this.province = province; } public String getCity() { return city; } public void setCity(String city) { this.city = city; } public String getHeadimgurl() { return headimgurl; } public void setHeadimgurl(String headimgurl) { this.headimgurl = headimgurl; } public List getPrivilege() { return privilege; } public void setPrivilege(List privilege) { this.privilege = privilege; } public String getUnionid() { return unionid; } public void setUnionid(String unionid) { this.unionid = unionid; } }
//获取授权用户信息 private final String USERINFO_URL = "https://api.weixin.qq.com/sns/userinfo"; /** * 通过网页授权获取用户信息 * @param accessToken * @param openid * @return */ public AuthUserInfo getAuthUserInfo(String accessToken, String openid) { AuthUserInfo authUserInfo = null; //通过网页授权获取用户信息 Mapparams = new TreeMap (); params.put("openid", openid); params.put("access_token", accessToken); String result = HttpRequestUtil.HttpsDefaultExecute(HttpRequestUtil.GET_METHOD, USERINFO_URL, params, null); if(null != result){ try { authUserInfo = new Gson().fromJson(result, AuthUserInfo.class); } catch (JsonSyntaxException e) { logger.info("transfer exception"); } } return authUserInfo; }
七、检验授权凭证(access_token)是否有效
//判断用户accessToken是否有效 private final String AUTH_URL = "https://api.weixin.qq.com/sns/auth"; /** * 检验授权凭证(access_token)是否有效 * @param accessToken 网页授权接口调用凭证 * @param openid 用户的唯一标识 * @return { "errcode":0,"errmsg":"ok"}表示成功 { "errcode":40003,"errmsg":"invalid openid"}失败 */ public ResultState authToken(String accessToken,String openid){ ResultState state = null; Mapparams = new TreeMap (); params.put("access_token",accessToken); params.put("openid", openid); String json = HttpRequestUtil.HttpsDefaultExecute(HttpRequestUtil.GET_METHOD, AUTH_URL, params,""); if(json!=null){ state = new Gson().fromJson(json, ResultState.class); } return state; }