Authorization mechanism


Calling the Weibo open interface, such as posting Weibo, following, etc., requires user identity authentication. Currently, Weibo open platform mainly uses OAuth2.0 for user identity authentication. In addition, in order to facilitate developers to develop and test their own applications, we also provide Basic Auth identity authentication method, but Basic Auth is only suitable for the developer to whom the application belongs to call the interface.


Quick Index

  • Authorization Validity Period
  • Extension of the Authorization Validity Period


Overview of OAuth2.0

Compared with OAuth2.0 1.0, the entire authorization verification process is simpler and more secure , which is also the most important user authentication and authorization method in the future.


Regarding the authorization process of the OAuth2.0 protocol, please refer to the flow chart below, where Client refers to the third-party application, Resource Owner refers to the user, Authorization Server is our authorization server, and Resource Server is the API server.



Developers can first browse the interface documentation of OAuth2.0 and become familiar with OAuth2.0 The meaning of the interface and parameters, and then we explain how to use OAuth2.0 according to the application scenarios.


Interface Document

##InterfaceDescriptionOAuth2/authorizeRequest user authorization Token##OAuth2/access_tokenOAuth2/get_token_infoOAuth2/revokeoauth2##OAuth2/get_oauth2_tokenChange the Access Token of OAuth1.0 to the Access Token of OAuth2.0


Notes

    • 1. No application is required for OAuth2.0 authorization, and any application can be used. If developers need a longer authorization validity period, refer to the authorization validity period section of this document.
    • 2. If you are an off-site web application or client application, for security reasons, you need to fill in the redirect_url (authorization callback page) on the platform website to use OAuth2.0. Fill in the address: "My Application>Application Information>Advanced Information", for the client, we also provide a default callback page address. Please see the authorization page function section for details.


Authorization interface

OAuth2_intro.png


The new version of the authorization page has changed the problem of too many information elements on the previous page, which caused interference to users. The two behaviors of login and authorization have been separated in the new version, so users can better understand the account. The login and authorization process also provides space for more functions in the future.


Currently, the most complete authorization is divided into three steps: login-normal authorization-advanced authorization (SCOPE). However, these three steps are not inevitable. When the user's Weibo is logged in, the page will automatically jump to the ordinary authorization page. "Advanced authorization" is also not necessary. If the developer does not apply for SCOPE permission, the system will automatically Skip this step and call back the application. We found in the grayscale test that as long as advanced authorization is used properly, developers do not have to worry about the page churn rate caused by increased operations. On the contrary, a clear authorization experience can better gain the trust of users.


At the same time, authorization items will become more organized. The previous ordinary permissions will be used as basic services, and users will no longer be aware of them. Those related to user privacy will be classified into advanced authorizations. You have the right to cancel item by item when authorizing, further enhancing privacy control.


oauth2v3.png


#Application Scenario

Developers need to choose the applicable OAuth2.0 authorization process based on their respective application scenarios:


  • # #1. For PC and Web websites, please refer to: Web website authentication and authorization (Authorization Code)
    • 2. Mobile applications can directly use the official mobile SDK and call up the Weibo client (Weibo is not installed). The blog client will call up the H5 authorization page) to authorize
    • 3. H5 light application, please refer to the light application development guide


Web website authorization


oAuth2_02.gif


##1. Guide the user who needs authorization to the following address:

URL

https://api.weibo.com/oauth2/authorize?client_id=YOUR_CLIENT_ID&response_type=code&redirect_uri=YOUR_REGISTERED_REDIRECT_URI

2. If the user agrees to authorize, the page jumps to YOUR_REGISTERED_REDIRECT_URI/?code=CODE

3. Exchange for Access Token

URL
##https://api.weibo.com/oauth2/access_token?client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&grant_type=authorization_code&redirect_uri=YOUR_REGISTERED_REDIRECT_URI&code=CODE

## where client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET can be added to the header using basic method, and the return value is

JSON

{
    "access_token": "SlAV32hkKG",
    "remind_in": 3600,
    "expires_in": 3600
}
4. Use the obtained Access Token to call the API

Authorization of mobile application

sdk72207.png

For mobile applications (mainly Mobile Native App), it is recommended to use the officially provided SDK that supports SSO authorization, which can greatly simplify the development of the authorization process and reduce development costs.

It should be noted that for mobile applications, please use the authorization interface on open.weibo.cn. Ordinary resource APIs such as blogging and comments still call the weibo.com interface.



SDK access process
    iOS SDK download
  • Android SDK download


Authorization Validity Period

Under the OAuth2.0 authorization mechanism of the Weibo open platform, third parties obtain The access_token has an expiration time, usually 30 days.

Authorization level and OAuth2.0 access_token validity period corresponding table:



##Authorization level
Get the authorized Access Token
Authorization information query interface
Authorization recycling interface
Test1 day
NormalAuthorization validity period
30 days


Note:

  • 1. Only applications that have not been reviewed are at the testing level.
  • 2. When the developer of the application authorizes the application, the validity period is 5 years.


You can query the authorization level of the current application on "My Applications>Interface Management>Authorization Mechanism". You can also apply to increase the authorization validity period here.


Developers can calculate the effective time of access_token in two ways:

  • 1. When the user authorizes the user, the oauth2/access_tokeninterface returns the expires_inThe value is the life cycle of access_token;
  • 2. From the above corresponding table, find the authorization validity period corresponding to the application, expiration time = user authorization time authorization validity period;


Third-party development applications need to have a certain degree of robustness. When calling the interface, the return value of the interface is judged. If the user's access_token is invalid, the user needs to be guided to re-authorize.


The reasons for failure are as follows:

  • 1. The user canceled the authorization for the application;
  • 2. The access_token expires naturally;
  • 3. The user changed the password and froze the authorization for the application;
  • 4. Weibo discovered that the user account was stolen and froze the user's authorization for the application;


Extension of the authorization validity period

Re-authorization within the authorization validity period

If the user is within the authorization validity period Re-open the authorization page for authorization (if the user is logged in to Weibo at this time, this page will flash by), then Weibo will automatically extend the life cycle of the access_token for the developer. Developers are asked to maintain the access_token value after the new authorization. .


Refresh the authorization validity period through Refresh Token

In addition, we also provide a way to refresh through Refresh Token to extend it The authorization is valid, but it should be noted that: Only mobile applications that use the official Weibo mobile SDK can obtain the Refresh Token from the SDK method.


Refresh Token is a type of Access Grants. When obtaining the Access Token, the authentication server will return the corresponding Refresh Token. If the Access Token expires, you can use the Refresh Token to refresh it.


Refresh Token also has a validity period. The validity period of Refresh Token is currently 30 days, and it can be refreshed at any time during the validity period.


The validity period of the new Access Token obtained by refreshing the Refresh Token is equal to the original validity period, that is, the validity period of the original Access Token is 30 days, and the newly obtained Access Token is also 30 days.


Simply put, for mobile applications that use Weibo Mobile SDK, the authorization (Access Token) is valid for 30 days and can be renewed within 30 days. It will be valid for 30 days from the refresh time.


oAuth2_05.gif


##1. When you are When using the mobile application of Weibo's official mobile SDK, authorization will return an access_token and an additional refresh_token:

JSON
{
    "access_token": "SlAV32hkKG",
    "remind_in": 3600,
    "expires_in": 3600
    "refresh_token": "QXBK19xm62"
}
2、当你调

Use the API interface to return the Access Token When it expires, you can call oauth2/access_token and pass in refresh_token:


URL
https://api .weibo.com/oauth2/access_token?client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&grant_type=refresh_token&redirect_uri=YOUR_REGISTERED_REDIRECT_URI&refresh_token=…

#Return value



JSON

##{
"access_token": "SlAV32hkKG",
"expires_in": 3600
}


3. Use the newly obtained Access Token to call the API


Use OAuth2.0 to call API

There are two ways to use OAuth2.0 to call API interface:

1. Use parameters directly and pass the parameter name access_token

URL

https://api.weibo.com/2/statuses/public_timeline.json?access_token=abcd

2. Pass it in the header, in the form of adding Authorization:OAuth2 space abcd in the header. The abcd here is assumed to be the value of Access Token, and other interface parameters can be passed normally.


Note: All Weibo open platform interfaces are deployed in the weibo.com domain, and only the mobile authorization interface is in the open.weibo.cn domain.


Other functions in authorization

Scope

# #Scope is a function provided by the new version of OAuth2.0 authorization page. Through scope, the platform will open more Weibo core functions to developers, while also strengthening user privacy protection and improving user experience. Users can authorize in the new OAuth2.0 The page has the right to choose the functions given to the application.

Scope open interface document: interface document


Client default callback page

Usually Mobile Native App does not have a server callback address. You can fill in the default callback page provided by the platform on the authorization callback page of the application console. This page is not visible to users and is only used to obtain access tokens.

OAuth2.0 client default callback page: https://api.weibo.com/oauth2/default.html


Forced login

The authorization page will read the Weibo login status of the current user by default. If you want the user to log in again, please pass in the parameters when calling the authorize interface: forcelogin=true, not filling in this parameter by default is equivalent to forcelogin=false.


Cancellation of authorization callback page

Developers can fill in the cancellation of authorization callback page in the application console. When the user cancels your application authorization, the open platform will call back the address you filled in. And pass you the following parameters, source: application appkey, uid: user who cancels authorization, auth_end: time to cancel authorization


OAuth2.0 related resources

The following SDK includes OAuth2.0 and the new version of the API interface

#Download Android SDKDownload iOS SDKDownload WP7 SDKDownload PHP SDK (maintained by SAE)Download Java SDK Download Python SDKDownload Flash SDKDownload Javascript SDKDownload C# SDK




Mobile Development SDK Documentation

##Android SDK documentation


Other reference materials

OAuth is an internationally accepted authorization method. The official technical description of OAuth2.0 can be found at http:// oauth.net/2/


If you are still using Oauth1.0, please browse the relevant documents.


OAuth2.0 error code

In Weibo OAuth2.0 implementation, when the authorization server receives the verification authorization request, The request header and request parameters of this request will be checked in accordance with the OAuth2.0 protocol. If the request is illegal or the verification fails, the authorization server will return the corresponding error message, including the following parameters:

  • error: Error code
  • error_code: Error internal number
  • error_description: Error description
  • error_url: Human-readable web page URI with information about the error, Used to provide additional error-related information to the end user.


There are two ways to return error information:

1. When requesting authorization Endpoint: https://api.weibo.com/2/oauth2/authorize An error occurs, the return method is: jump to redirect_uri, and in the uri The query parameter comes with error description information.

2. An error occurs when requesting access token endpoing: https://api.weibo.com/oauth2/access_token. Return method: Return JSON text. For example:


JSON
##{
"error": "unsupported_response_type",
"error_code": 21329,
"error_description": "Unsupported ResponseType."
}
##OAuth2.0 error The error code definitions in the response are as shown in the following table:



QQ截图20170210143858.png

##

php.cn

HomeHomeCourseCourseArticleArticleQ&AQ&ADictionaryDictionaryManualManualDownloadDownloadsearchsearchAPPDownload APPDownload



iOS SDK documentationWP7 SDK documentation