Third party authorization login of OAUTH

Third party authorization login of OAUTH

hello, I'm Nezha, the Little Devil boy. Welcome to click and pay attention. There are updates, which will be presented to you for the first time

Fat sir: Little Devil boy, I received a request today. I expect us to make a third-party login function. Users can log in to our web through third-party authorization

Little Devil boy: aha? Do you have eyebrows

Fat sir: of course, I know you can log in through wechat, nailing, github and so on

Little Devil boy: do you know how to achieve it? Tell me and let me learn

Fat sir: will you take me to a fast car?

Little Devil boy: This.. You.. I'll teach you how to ride like a horse, only if you tell me how to do it

Fat sir: steady, deal.

In fact, the principle of third-party login belongs to OAuth mechanism, which is mainly used to issue token s. Now OAuth has reached oauth2 0

In Baidu Encyclopedia's words:

OAuth2.0 is a continuation of OAuth protocol, but it is not forward compatible with OAuth 1.0 (that is, OAuth 1.0 is completely abolished). OAuth 2.0 focuses on the simplicity of client developers. Either represent the user through the approved interaction between the resource owner and the HTTP service provider, or allow the third-party application to obtain access rights on behalf of the user. At the same time, it provides a special certification process for Web applications, desktop applications and mobile phones, and living room equipment. In October 2012, OAuth 2.0 protocol was officially released as RFC 6749 [1].

There are four main ways. I'll give you a brief list:

  • Authorization code
  • Hidden
  • Cipher type
  • Client credentials

Draw a diagram for you to feel

Of course, I'm not telling you about OAuth's own principles and technologies. I'm going to tell you directly how to implement the interface of docking nails I just mentioned, because the development documents of nails have been modified several times,

In addition, the expression in the document is also difficult to understand. In view of the fact that you took me on a flying ride, I'll tell you how to obtain the authorization of nails and the organizational structure of the company corresponding to the use of nails (which must have the permission of the company administrator)

Nailing development documents do not have the SDK and source code of golang version, so we will implement it ourselves

Tools used in the early stage

  • Interface debugging with postman
  • golang language through Golan compiler access_token and temporary code to obtain unionid

Get access_token

Request address

https://oapi.dingtalk.com/gettoken?appkey=xxx&appsecret=xxx

Request method

  • GET
  • query
    • appkey
    • appsecret

appkey and appsecret here are the application data in H5 micro application

response


{
    "errcode": 0,
    "access_token": "4dbda4ddb82dxxxxxx138afab15655",
    "errmsg": "ok",
    "expires_in": 7200
}

Scan code / use account password – obtain temporary code

Important description of parameters

  • appId

    appId of login app

  • redirect_uri - callback domain name

    Redirect url address. After successful login, the web page will be redirected to redirect_uri

    redirect_ The URI must be configured on the nailing open platform, or you will not have access to the following address. For example, fill in Baidu's address for this parameter

  • LOGO address

    The address of an accessible picture on the network is as follows:

Direct access code scanning login

https://oapi.dingtalk.com/connect/qrconnect?appid=xxxx&response_type=code&scope=snsapi_login&state=STATE&redirect_uri=https://www.baidu.com/

Log in to the third-party website with account and password

https://oapi.dingtalk.com/connect/oauth2/sns_authorize?appid=xxx&response_type=code&scope=snsapi_login&state=STATE&redirect_uri=https://www.baidu.com/

After successful login in the above two ways, the following effects will be achieved. For the time being, the domain name we use to jump is https://www.baidu.com/ Mainly to obtain temporary code

Obtain user information according to sns temporary authorization code

Through access_token and temporary code to obtain unionid

Preconditions

  • You need to set up your own server's exit ip white list on the nailing open platform

Request address

https://oapi.dingtalk.com/sns/getuserinfo_bycode?signature=xxx&timestamp=xxx&accessKey=xxx
  • POST

  • query

    • accessKey

      In the nailing open platform, the appId of the login application

    • timestamp

      Unit: ms

    • signature

      The signature algorithm is HmacSHA256, the signature data is the current timestamp, the key is the appSecret corresponding to appId, and the key pair timestamp is used to calculate the signature value.

      When sending an HTTP request, you need to urlEncode the signature. If you use the HTTP encapsulation method, please make sure not to repeat urlEncode

  • body

{
        "tmp_auth_code":"4a2c5695b78738d495f47bxxxxxx"
}

response

{
        "errcode":0,
        "user_info":{
                "nick":"name",
                "unionid":"dingdkjjojoixxxx",
                "openid":"dingsdsqwlklklxxxx",
                "main_org_auth_high_level":true
        },
        "errmsg":"ok"
}

Specific operation and logic of golang

For the signature calculation method of this interface, you need to see how it is implemented. The specific implementation is very simple, but for the value of timestamp, you need to pay attention to the millisecond level

package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"crypto/tls"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io/ioutil"
	"net/http"
	"net/url"
	"time"
)

func main() {
	// Login app's appSecret
	secret := "xxxx"

	key := []byte(secret)
	h := hmac.New(sha256.New, key)

	timestamp := time.Now().UnixNano()/1e6 + 120000 //Because my environment time is 2 minutes slower than the nailing server, I added 2 minutes here

	strTimeStamp := fmt.Sprintf("%d", timestamp)

	h.Write([]byte(strTimeStamp))

	sha := h.Sum(nil)
	sig := base64.StdEncoding.EncodeToString(sha)

	mysig := url.QueryEscape(sig)

	url := fmt.Sprintf("https://oapi.dingtalk.com/sns/getuserinfo_bycode?signature=%s&timestamp=%d&accessKey=%s",
		mysig, timestamp, "xxxx")
	fmt.Println(url)

	tr := &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}
	spaceClient := http.Client{Timeout: time.Second * time.Duration(5), Transport: tr}

	m := map[string]string{"tmp_auth_code": "67d86cb135ee3bd18d756c2d2fa1a350"}
	res, err := json.Marshal(m)
	if err != nil {
		fmt.Println(res)
		return
	}
	fmt.Println(string(res))

	req, err := http.NewRequest(http.MethodPost, url, bytes.NewBuffer(res))
	req.Header.Set("Content-Type", "application/json")

	rawResp, err := spaceClient.Do(req)
	if err != nil {
		fmt.Println(rawResp)
		return
	}
	if rawResp.Status != "200 OK" {
		fmt.Println("rawResp.Status != 200 ok", rawResp)
		return
	}

	body, readErr := ioutil.ReadAll(rawResp.Body)
	if readErr != nil {
		fmt.Println("ReadAll error ", readErr)
		return
	}

	fmt.Println("result --", string(body))
}

Get user userid according to unionid

Request address

https://oapi.dingtalk.com/topapi/user/getbyunionid?access_token=xxxxxx

Request method

  • POST

  • query

    • access_token
  • body request

{
 "unionid":"xxxxxx"
}

response

{
    "errcode": 0,
    "errmsg": "ok",
    "result": {
        "contact_type": 0,
        "userid": "managerxxxx"
    },
    "request_id": "xxxxxx"
}

Get user details according to userid

Request address

https://oapi.dingtalk.com/topapi/v2/user/get?access_token=xxxxx

Request method

  • POST
  • query
    • access_token
  • body request
{
   "language":"zh_CN",
   "userid":"managerxxxxx"
}

response

{
    "errcode": 0,
    "errmsg": "ok",
    "result": {
        "active": true,
        "admin": true,
        "avatar": "",
        "boss": false,
        "dept_id_list": [
            1
        ],
        "dept_order_list": [
            {
                "dept_id": 1,
                "order": 176299320823645512
            }
        ],
        "email": "",
        "exclusive_account": false,
        "hide_mobile": false,
        "leader_in_dept": [
            {
                "dept_id": 1,
                "leader": false
            }
        ],
        "mobile": "xxxxx",
        "name": "xxx",
        "real_authed": true,
        "role_list": [
            {
                "group_name": "default",
                "id": 1993003008,
                "name": "Master administrator"
            }
        ],
        "senior": false,
        "state_code": "86",
        "unionid": "xxxxx",
        "userid": "managerxxxxx"
    },
    "request_id": "xxxxx"
}

Get Department list

Request address

https://oapi.dingtalk.com/topapi/v2/department/listsub?access_token=xxxxx

Request method

  • POST
  • query
    • access_token
  • body request
{
        "language":"zh_CN",
        "dept_id":1
}

response

{
    "errcode": 0,
    "errmsg": "ok",
    "result": [
        {
            "auto_add_user": true,
            "create_dept_group": true,
            "dept_id": 477856721,
            "name": "Operation Department",
            "parent_id": 1
        },
        {
            "auto_add_user": true,
            "create_dept_group": true,
            "dept_id": 477856722,
            "name": "Design Department",
            "parent_id": 1
        }
    ],
    "request_id": "evcmse04h8op"
}

Get the list of department user userid s

Request address

https://oapi.dingtalk.com/topapi/user/listid?access_token=xxxxxx

Request method

  • POST
  • query
    • access_token
  • body request
{
 "dept_id":xx
}

response

{
    "errcode": 0,
    "errmsg": "ok",
    "result": {
        "userid_list": [
            "managerxxxxx"
        ]
    },
    "request_id": "xxxxx"
}

Well, that's all for this issue. If it still works for you, please help me to praise and comment. If I can pay attention to it or forward it to your circle of friends, it will be my greatest encouragement

Technology is open, so should our mentality. We embrace change, look to the sun, and unswervingly practice every idea.

Author: Little Devil boy Nezha

Keywords: Go oauth2

Added by sx on Thu, 03 Mar 2022 14:13:46 +0200