Official Accounts
  • 中文
  • EN
取消
en
  • 中文
  • EN
中文
EN
取消
  • Official Accounts Development Guide

    • If a user visits a third-party webpage in the Weixin app, the Official Account can get the user's basic information using Weixin webpage authorization mechanism to realize its business logic.

    The webpage authorization callback domain name

    1. Before the Weixin Official Account requests the webpage authorization from a user, the developer must first go to the Official Accounts Platform, navigate to the configuration options in Development > API Authorization > Webpage Service > Webpage Account > Get Basic User Information via Webpage Authorization, and modify the authorization callback domain name. Note that this should be filled in with a domain name (which is a string) instead of a URL, so do not add http:// or other protocol headers here.

    2. The authorization callback domain name should be configured as a full domain name. For example, if a domain name requiring webpage authorization is www.qq.com, you can perform OAuth 2.0 authentication on the sub-domain pages http://www.qq.com/music.html and http://www.qq.com/login.html after configuration, but cannot do so on http://pay.qq.com, http://music.qq.com, and http://qq.com.

    3. If an Official Account grants login authorization to a third-party developer for management, no settings are required. The third-party will implement webpage authorization on behalf of the Official Account.

    Differences between the two scopes for webpage authorization

    1. The webpage authorization initiated with snsapi_base as the scope is used to obtain the openid of users who access the page. It is a silent authorization and will automatically redirect to the callback page. What users perceive is direct access to the callback page (often the business page).

    2. The webpage authorization initiated with snsapi_userinfo as the scope is used to obtain the basic information of users who access the page. Users are required to manually agree to such authorization, so that their basic information can be obtained without them having to follow the account.

    3. The "Get Basic User Information" API in the user management class APIs gets basic user information based on the user's OpenID only after the user and Official Account exchange messages or an event is pushed when the user follows the official account. This API includes other Weixin APIs, and all of them can only be successfully called after the user (i.e. the openID) follows the Official Account.

    Differences between the webpage authorization access_token and ordinary access_token

    1. Weixin webpage authorization uses the OAuth2.0 mechanism. After a user grants authorization to an Official Account, the Official Account can get a credential to call the webpage authorization-specific API (webpage authorization access_token) for operations such as getting basic user information.

    2. Other Weixin APIs have to use the "Get access_token" API in the Basic Support to get the ordinary access_token.

    UnionID mechanism

    1. Note that you must follow the UnionID mechanism to get basic user information via webpage authorization. You need to go to the Weixin Open Platform (open.weixin.qq.com) to link the Official Account before you can make a user account consistent between multiple Official Account, or between the Official Account and Apps, using the UnionID mechanism.

    2. UnionID mechanism: If you have multiple mobile apps, web apps, and Official Accounts, you can uniquely identity the user by getting the UnionID in the user's basic information, as the user's UnionID is unique across all the mobile apps, web apps and Official Accounts under the same Weixin Open Platform.

    Silent authorization in special scenarios

    1. As mentioned above, webpage authorization initiated with snsapi_base as the scope is silent and not perceived by the user.

    2. When a user who've already followed the Official Account is redirected to the authorization page from an Official Account chat or the Official Account's custom menu, even if the scope is set as snsapi_userinfo, authorization is silent and not perceived by the user.

    Specifically, there are four steps to the webpage authorization process:

    1. Guide the user to the authorization page to agree to the authorization and obtain the code

    2. Use the code to retrieve the webpage authorization access_token (which is different from the basic support access_token)

    3. Refresh the webpage authorization access_token if necessary to prevent it from expiring

    4. Get basic user information via the webpage authorization access_token and openid (supports UnionID mechanism)

    Contents

    1 Step 1: Obtain code after user agrees to the authorization

    2 Step 2: Use the code to retrieve the webpage authorization access_token

    3 Step 3: Refresh access_token (if needed)

    4 Step 4: Fetch user information (set scope as snsapi_userinfo)

    5 Appendix: Check the validity of the authorization credential (access_token)

    Step 1: Obtain code after user agrees to the authorization

    Direct followers to open the following page while ensuring that the Weixin Official Account has permission for the authorization scope (after Server Accounts get the advanced APIs, these APIs have snsapi_base and snsapi_userinfo in the scope parameter by default):

    https://open.weixin.qq.com/connect/oauth2/authorize?appid=APPID&redirect_uri=REDIRECT_URI&response_type=code&scope=SCOPE&state=STATE#wechat_redirect If prompted that "This link cannot be accessed", check if the parameter is filled in correctly, and if you have the authorization scope permission corresponding to the scope parameter.

    Note that Weixin will perform regular strong match checks on authorized links when authorization requests are initiated, due to the high security level of authorization operations. If the parameter order of a link is incorrect, you will not be able to access the authorization page.

    Reference link (open this link in the Weixin app):
If scope is snsapi_base
https://open.weixin.qq.com/connect/oauth2/authorize?appid=wx520c15f417810387&redirect_uri=https%3A%2F%2Fchong.qq.com%2Fphp%2Findex.php%3Fd%3D%26c%3DwxAdapter%26m%3DmobileDeal%26showwxpaytitle%3D1%26vb2ctag%3D4_2030_5_1194_60&response_type=code&scope=snsapi_base&state=123#wechat_redirect
If scope is snsapi_userinfo
https://open.weixin.qq.com/connect/oauth2/authorize?appid=wxf0e81c3bee622d60&redirect_uri=http%3A%2F%2Fnba.bluewebgame.com%2Foauth_response.php&response_type=code&scope=snsapi_userinfo&state=STATE#wechat_redirect

    Note: Use the HTTPS link as the redirect callback redirect_uri to ensure the authorization code is secure.

    Parameters:

    Parameter Required Description
    appid Yes The unique identifier of the Official Account
    redirect_uri Yes Redirect callback URL after authorization. Process the link with UrlEncode.
    response_type Yes Response type. Enter code.
    scope Yes App's authorization scope. When the scope is snsapi_base, the authorization page does not pop up and you can only get the user's openid; when the scope is snsapi_userinfo, the authorization page pops up and you can get the user's alias, gender, and location with openid. Additionally, you can get user information even if they are not following the Official Account, as long as they have granted authorization.
    state No After the redirect, the state parameter will be passed. The parameter value consists of up to 128 bytes comprised of letters (a-z and A-Z) and numbers (0-9).
    #wechat_redirect Yes This parameter is required regardless of whether the page is directly opened or accessed via a 302 redirect.

    The following figure shows the authorization page when scope is snsapi_userinfo:

    After the user agrees to authorization

    The page will be redirected to redirect_uri/?code=CODE&state=STATE if the user agrees to grant authorization

    Code description: The code is used to get the access_token and different for each user authorization. A code can only be used once and will automatically expire after 5 minutes if unused.

    Error codes:

    Error Code Description
    10003 The redirect_uri domain name does not match the one configured in the backend
    10004 This Official Account has been suspended
    10005 This Official Account does not have authorization for this scope
    10006 This test account must be followed
    10009 Too many attempts. Try again later.
    10010 scope is required
    10011 redirect_uri is required
    10012 appid is required
    10013 state is required
    10015 Unauthorized third-party platform. Check authorization status.
    10016 Use the Appid of the Official Account instead of the one of the Weixin Open Platform

    Step 2: Use the code to retrieve the webpage authorization access_token

    Note that the code is exchanged for a special webpage authorization access_token, which is different from the base support access_token (which is used to call other APIs). Official Accounts can get the webpage authorization access_token using the following API. If the webpage authorization scope is snsapi_base, the webpage authorization access_token and openid are obtained in this step. The snsapi_base-type webpage authorization process ends here.

    Note: As the Official Account's secret and acquired access token are of high security level, they must only be saved on the server and cannot be sent to the app. Subsequent steps such as refreshing the access_token and getting user information with the access_token must also be initiated from the server.

    Request method

    After obtaining code, request the following link to get the access_token: https://api.weixin.qq.com/sns/oauth2/access_token?appid=APPID&secret=SECRET&code=CODE&grant_type=authorization_code

    Parameters:

    Parameter Required Description
    appid Yes The unique identifier of the Official Account
    secret Yes Official Account's appsecret
    code Yes Enter the code parameter obtained in Step 1
    grant_type Yes Enter authorization_code

    Response

    The returned JSON packet for a successful request:

    {
    "access_token":"ACCESS_TOKEN",
    "expires_in":7200,
    "refresh_token":"REFRESH_TOKEN",
    "openid":"OPENID",
    "scope":"SCOPE" 
 }
    Parameter Description
    access_token Credential for calling the webpage authorization API. Note: This access_token is not the same as the basic support access_token.
    expires_in The time to expiration of the API call credential (access_token), in seconds.
    refresh_token The access_token refreshed by the user
    openid A user's unique identifier. Note that even if the user has not followed the Official Account, a unique OpenID will still be generated when the user visits the Official Account's webpage.
    scope User authorization scope. Multiple scopes are separated by commas (,).

    When an error (such as invalid code) occurs, Weixin will return the following JSON packet:

    {"errcode":40029,"errmsg":"invalid code"}

    Step 3: Refresh access_token (if needed)

    As the access_token has a short validity period, when the access_token expires, it can be refreshed using the refresh_token. The refresh_token is valid for 30 days. After the refresh_token expires, you must get authorization again.

    Request method

    After obtaining refresh_token in step 2, request the following link to get access_token:
https://api.weixin.qq.com/sns/oauth2/refresh_token?appid=APPID&grant_type=refresh_token&refresh_token=REFRESH_TOKEN
    Parameter Required Description
    appid Yes The unique identifier of the Official Account
    grant_type Yes Enter refresh_token
    refresh_token Yes Enter the refresh_token parameter obtained through access_token

    Response

    The returned JSON packet for a successful request:

    { 
    "access_token":"ACCESS_TOKEN",
    "expires_in":7200,
    "refresh_token":"REFRESH_TOKEN",
    "openid":"OPENID",
    "scope":"SCOPE" 
}
    Parameter Description
    access_token Credential for calling the webpage authorization API. Note: This access_token is not the same as the basic support access_token.
    expires_in The time to expiration of the API call credential (access_token), in seconds.
    refresh_token The access_token refreshed by the user
    openid The unique identifier of the user
    scope User authorization scope. Multiple scopes are separated by commas (,).

    When an error (such as invalid code) occurs, Weixin will return the following JSON packet:

    {"errcode":40029,"errmsg":"invalid code"}

    Step 4: Fetch user information (set scope as snsapi_userinfo)

    If the webpage authorization scope is snsapi_userinfo, developers can now get user information via access_token and openid.

    Request method

    HTTP: GET (use the HTTPS protocol) https://api.weixin.qq.com/sns/userinfo?access_token=ACCESS_TOKEN&openid=OPENID&lang=zh_CN

    Parameters:

    Parameter Description
    access_token Credential for calling the webpage authorization API. Note: This access_token is not the same as the basic support access_token.
    openid ID that uniquely identifies a user
    lang Language used in a country/region. zh_CN: Simplified Chinese; zh_TW: Traditional Chinese; en: English

    Response

    The returned JSON packet for a successful request:

    {   
    "openid": "OPENID",
    "nickname": NICKNAME,
    "sex": 1,
    "province":"PROVINCE"
    "city":"CITY",
    "country":"COUNTRY",
    "headimgurl":       "http://thirdwx.qlogo.cn/mmopen/g3MonUZtNHkdmzicIlibx6iaFqAc56vxLSUfpb6n5WKSYVY0ChQKkiaJSgQ1dZuTOgvLLrhJbERQQ4eMsv84eavHiaiceqxibJxCfHe/46",
    "privilege":[ "PRIVILEGE1" "PRIVILEGE2"     ],
    "unionid": "o6_bmasdasdsad6_2sgVt7hMZOPfL"
}
    Parameter Description
    openid ID that uniquely identifies a user
    nickname User alias
    sex User's gender. 1: Male; 2: Female; 0: Unknown.
    province The province entered in the user's personal information.
    city The city entered in the ordinary user's personal information
    country The country, e.g. CN for China.
    headimgurl User's profile photo. The last numeric value represents the size of a square profile photo (The value can be 0, 46, 64, 96, or 132. The value 0 represents a 640*640 square profile photo). This parameter is left blank if a user has no profile photo. If the user changes the profile photo, the URL of the original profile photo will expire.
    privilege User privilege information, in the form of a JSON array. For example, Weixin Woka users have the value "chinaunicom".
    unionid This field only appears after the user links the Official Account to a Weixin Open Platform account.

    When an error (such as invalid openid) occurs, Weixin will return the following JSON packet:

    {"errcode":40003,"errmsg":" invalid openid "}

    Appendix: Check the validity of the authorization credential (access_token)

    Request method

    HTTP: GET (use the HTTPS protocol) https://api.weixin.qq.com/sns/auth?access_token=ACCESS_TOKEN&openid=OPENID

    Parameters:

    Parameter Description
    access_token Credential for calling the webpage authorization API. Note: This access_token is not the same as the basic support access_token.
    openid ID that uniquely identifies a user

    Response The returned JSON packet for a successful request:

    { "errcode":0,"errmsg":"ok"}

    Example of returned JSON packet for a failed request:

    { "errcode":40003,"errmsg":"invalid openid"}