Authorization signature and SDK
Login authorization related
1. What is authorization and how to authorize?
Authorization means obtaining an Access Token. Once the application holds an Access Token, it has the user's authorization and can request the user's private data (products, orders, etc.) from TOP (the open platform) on the user's behalf. The Access Token (under the OAuth 2.0 protocol, which is the default for current applications) corresponds to the SessionKey obtained under the original "TOP Authorization Protocol". For the detailed steps for obtaining authorization, see the reference documentation.
2. The Access Token (SessionKey) is valid for only 24 hours. How can it be extended?
During the formal environment testing phase of an "Online Ordering" application, the Access Token validity period is fixed at 24 hours and cannot be extended; re-authorization is required after it expires. Once the application is launched (subject to review), the Access Token validity period is extended automatically (and subscription …). The authorization validity period for each application type is as follows:

| Tag name | Formal test environment | Online and running | Remarks |
|---|---|---|---|
| Online ordering application | 24 hours | Bound to the ordering period | After the application goes online, if the user subscribes for 1 year the Access Token is valid for 1 year; see the detailed instructions for more. |
| xTao cooperative website | 24 hours | 24 hours | |
| Merchant backend system | 24 hours | 1 year | |
| | No session | No session | |
5. When exchanging the code for an Access Token, the following error is reported. How should it be handled?
"error": "invalid_client", "error_description": "authorize code qexkqiJRNXJXEPTjPTWYYsK5486529 invalidate,please authorize again."
The code returned to the callback address after authorization can be used only once; using it again produces this error. Re-authorize to obtain a new code and try again.
6. How does the program determine when the authorization (Access Token) expires?
The application records the time at which the user authorized and adds the expires_in value (the Access Token validity period, in seconds) returned together with the Access Token; the sum is the expiry time.
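As an added example (not code from the platform or its SDK), the following records the authorization time alongside expires_in as question 6 describes, refreshes a little before the computed expiry to allow for clock skew, and recognises the single-use code error from question 5 so the caller knows to re-authorize rather than retry. Token values, the code and the timestamps are constructed placeholders.

```python
import json
from dataclasses import dataclass


class ReauthorizeRequired(Exception):
    """The code/token cannot be reused; send the user through authorization again."""


@dataclass
class AccessToken:
    access_token: str
    issued_at: float   # when we received the token (seconds since epoch), recorded by us
    expires_in: int    # lifetime in seconds, as returned by the token endpoint

    @property
    def expires_at(self) -> float:
        return self.issued_at + self.expires_in

    def needs_refresh(self, now: float, skew: int = 300) -> bool:
        # Treat the token as expired slightly early so a request in flight does not fail.
        return now >= self.expires_at - skew


def parse_token_response(body: str, now: float) -> AccessToken:
    data = json.loads(body)
    if "error" in data:
        desc = data.get("error_description", "")
        # The FAQ's single-use code error: the code was already exchanged once.
        if data["error"] == "invalid_client" and "please authorize again" in desc:
            raise ReauthorizeRequired(desc)
        raise RuntimeError(f"token endpoint error {data['error']}: {desc}")
    return AccessToken(data["access_token"], now, int(data["expires_in"]))


# Constructed responses; the token value and the code are placeholders.
OK_BODY = json.dumps({"access_token": "TOKEN-PLACEHOLDER", "expires_in": 86400})
REUSED_CODE_BODY = json.dumps({
    "error": "invalid_client",
    "error_description": "authorize code CODE-PLACEHOLDER invalidate,please authorize again.",
})

if __name__ == "__main__":
    tok = parse_token_response(OK_BODY, now=1_700_000_000.0)
    print(tok.needs_refresh(now=1_700_000_000.0 + 3600))   # False: about 23 h left
    print(tok.needs_refresh(now=1_700_000_000.0 + 86300))  # True: inside the 300 s skew
    try:
        parse_token_response(REUSED_CODE_BODY, now=1_700_000_000.0)
    except ReauthorizeRequired as exc:
        print("re-authorize:", exc)
```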
7. How does the application support sub-account authorization?
1) Check "Support Taobao sub-account login authorization" on the application's authorization management page;
2) authorize the application with the main account;
3) log in to the Seller Center with the main account and grant the sub-account permission to use the application.
8. After an online ordering application is launched and a user orders it, what does the application itself need to do, and how does it determine which version the user ordered?
After the user (seller) orders, the application appears under "Services I purchased". Clicking "Use Now" opens the authorization page (the system completes this automatically; the difference from the formal test environment is that there the ISV must provide users with the authorization URL to visit). After the user authorizes, TOP returns the CODE parameter to the callback address. The ISV uses this parameter, via a POST request, to obtain the seller's nick and other information (see the documentation for details), then calls the service platform API to determine how long the user has ordered for, which package, and so on, and grants the corresponding permissions within the application.
Supplement: When a user visits for the first time (entering from "Seller Center - My Purchased Services"), an authorization page pops up. After authorization, the CODE is returned to the application, which obtains the nick from it to determine the user's identity. On the second and later visits the authorization page no longer pops up, but the CODE is still returned to the callback address.
9. There are three Taobao stores, and one application needs to fetch the product information of all three. With taobao.items.inventory.get, one sessionkey can only fetch the products of one store. How should this be handled?
Obtain the session keys of the three stores separately (for the method, see //open.taobao.com/doc/detail.htm?id=101423), then fetch the product information as in the following example:
For example, the application has appkey 888 and uses taobao.items.inventory.get to fetch the products of store A and store B.
A) To fetch store A's products, store A authorizes appkey 888, which yields sessionkeyA; pass sessionkeyA when calling the API to obtain store A's products.
B) To fetch store B's products, store B authorizes appkey 888, which yields sessionkeyB; pass sessionkeyB when calling the API to obtain store B's products.
10. Common authorization errors and their meaning

| Error message | Error reason |
|---|---|
| request method must be get/post | The request must use the GET or POST method |
| client_id is empty | client_id (i.e. appkey) cannot be empty |
| response_type is empty | response_type cannot be empty |
| redirect_uri is empty | redirect_uri cannot be empty |
| | cannot be empty |
| | authorize code cannot be empty |
| unsupported response type , the response type must code or token | The value of response_type must be code or token |
| redirect_uri is invalidate | redirect_uri is inconsistent with the callback address registered in the Developer Center |
| the grant type unsupported | Invalid grant_type value |
| authorize reject | The user refused authorization |
| authorize code expire | The authorize code is invalid; please re-authorize |
| authorize code xxxx invalidate,please authorize again. | The authorize code is invalid; please re-authorize |
| client_secret is invalidate | app secret verification failed |
| xss chars included in params, such as <, >, ', " | The request parameters contain one of the characters <, >, ', " |
| The Application already Bind with user ids:xxx | The authorizing user is not bound on the Developer Center "Authorization Management" page |
| Can not find the client_id:xxxxx | client_id (i.e. appkey) does not exist |
| Application need publish | Only applications whose status is "Formal environment test" or "Online and running" may be authorized |
| app call back is invalidate | The application callback address is invalid |
| application callback can not match the redirect_uri | redirect_uri does not match the pre-configured callback address |
| only support http or https | The callback URL supports only the http or https protocol |
| application in black list,access forbidden. | The app is on the blacklist |
| The application don't need session | This application does not require a session key, so there is no session key to refresh |
| session key num is larger than xx | The number of valid session keys exceeds the upper limit set under Authorization Management in the console |
| userid is invalidate | userId does not exist |
| login failure | User login failed |
| subuser can't access | The application does not support sub-account access |
| parent account forbid this sub account to access app. | The parent account has not authorized this sub-account to access the application |
| parent account forbidden | The parent account is not authorized or its authorization has expired |
| refresh token is empty | refresh token is empty |
| refresh token is error:xxxx | The refresh token content is incorrect and could not be parsed |
| refresh token is invalid | The refresh token has expired |
| refresh times limit exceed | The number of refreshes exceeds the upper limit; one session key can be refreshed at most 60 times |
| session expire | The current session has expired; the user's browser may have been idle too long and timed out |
| OAUTH SERVER ERROR:xxxxx | Internal system error; please try again |
| Iossdk params is lack | Missing iOS SDK protocol parameters |
| iossdk track_id is invalid | iOS SDK protocol parameter track_id failed verification; check the app secret |
| iossdk params check failed | iOS SDK protocol parameter verification failed |
Signature SDK related
1. What is a signature and how is it generated?
See the reference document //open.taobao.com/doc/detail.htm?id=101617 (Part 1, on sign).
2. Calling the API reports an "Invalid signature" error. Why?
1) Wrong AppSecret, for example a mistyped AppSecret or one that has since been reset.
2) The parameters used to generate the signature differ from the parameters actually sent in the HTTP request.
3) The signing method is wrong. Refer to the sample code we provide at //open.taobao.com/doc/detail.htm?id=112.
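As an added example (not the platform's SDK or sample code), the following implements the TOP request signature for questions 1 and 2 above: parameters other than sign are sorted by key and concatenated as key+value, then either MD5 over secret+concat+secret or HMAC-MD5 keyed by the secret, rendered as upper-case hex. It signs the exact dict that is sent and shows, on the receiving side, that a parameter edited after signing or a wrong AppSecret fails verification. The appkey, secret, session and field values are constructed placeholders.

```python
import hashlib
import hmac


def top_sign(params: dict, app_secret: str, sign_method: str = "md5") -> str:
    # TOP scheme: drop 'sign' and empty values, sort by key, concatenate key+value, then
    # md5 -> MD5(secret + concat + secret) or hmac -> HMAC-MD5(secret, concat), upper-case hex.
    items = sorted(
        (k, str(v)) for k, v in params.items()
        if k != "sign" and v is not None and str(v) != ""
    )
    concat = "".join(k + v for k, v in items)
    if sign_method == "md5":
        digest = hashlib.md5((app_secret + concat + app_secret).encode("utf-8"))
    elif sign_method == "hmac":
        digest = hmac.new(app_secret.encode("utf-8"), concat.encode("utf-8"), hashlib.md5)
    else:
        raise ValueError(f"unsupported sign_method: {sign_method}")
    return digest.hexdigest().upper()


def sign_request(params: dict, app_secret: str) -> dict:
    # Sign the exact dict that will be sent; editing a field afterwards is the
    # "parameters inconsistent with the HTTP request" cause of Invalid signature.
    signed = dict(params)
    signed["sign"] = top_sign(signed, app_secret, signed.get("sign_method", "md5"))
    return signed


def verify_sign(params: dict, app_secret: str) -> bool:
    # Receiver-side check: recompute over the received params, constant-time compare.
    supplied = str(params.get("sign", ""))
    expected = top_sign(params, app_secret, params.get("sign_method", "md5"))
    return hmac.compare_digest(expected, supplied)


# Constructed sample request; the secret and session are placeholders, not real credentials.
APP_SECRET = "constructed-app-secret"
REQUEST = {
    "method": "taobao.items.inventory.get",
    "app_key": "888",
    "session": "sessionkeyA",
    "timestamp": "2024-01-01 12:00:00",
    "sign_method": "md5",
    "fields": "num_iid,title",
}

if __name__ == "__main__":
    sent = sign_request(REQUEST, APP_SECRET)
    print(verify_sign(sent, APP_SECRET))                                      # True
    print(verify_sign(dict(sent, fields="num_iid,title,price"), APP_SECRET))  # False
```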
3. What does the SDK do, and how is it downloaded?
The Taobao Open Platform SDK is a code package generated automatically by the platform. It contains the open APIs together with the request, signing, response parsing and other supporting functions they need. Log in to the "Developer Center" and download it from the application certificate page (when downloading, select the SDK that corresponds to your permissions). For details, see //open.taobao.com/doc/detail.htm?id=101618
4. The appkey has permission to call an API. Why does the downloaded SDK not contain the corresponding class?
The "SDK corresponding to the permissions" was not selected when the SDK was downloaded. Go to the certificate page and download it again with the correct permissions selected.
5. How is the response data format set in the Java SDK, and does the SDK support custom interface methods?
TaobaoClient client = new DefaultTaobaoClient(): pass xml or json inside the brackets to specify the response format. Custom interface methods are not supported.
FAQ
- There is no FAQ for this document yet.