WeChat JS-SDK-Use Permission Signature Algorithm

jsapi_ticket

Before generating a signature, you must first understand jsapi_ticket. jsapi_ticket is a temporary ticket used by the official account to call the WeChat JS interface. Under normal circumstances, the validity period of jsapi_ticket is 7200 seconds and is obtained through access_token. Since the number of API calls to obtain jsapi_ticket is very limited, frequent refresh of jsapi_ticket will lead to API call restrictions and affect your own business. Developers must cache jsapi_ticket globally in their own services .

Refer to the following document to obtain access_token ( valid for 7200 seconds, developers must cache access_token globally in their own services ): ../15/54ce45d8d30b6bf6758f68d2e95bc627.html

Use the access_token obtained in the first step to obtain a jsapi_ticket using the http GET method ( valid for 7200 seconds, developers must cache the jsapi_ticket globally in their own services ): https://api.weixin.qq.com/cgi-bin/ticket/getticket?access_token=ACCESS_TOKEN&type=jsapi

The following JSON is returned successfully:

{
"errcode":0,
"errmsg":"ok",
"ticket":"bxLdikRXVbTPdHSM05e5u5sUoXNKd8-41ZO3MhKoyN5OfkWITDGgnr2fwJ0m9E8NYzWKVZvdVtaUgWvsdshFKA",
"expires_in":7200
}

After obtaining the jsapi_ticket, you can generate a signature for JS-SDK permission verification.

Signature Algorithm

The signature generation rules are as follows: The fields involved in the signature include noncestr (random string), valid jsapi_ticket, timestamp (timestamp), url (URL of the current webpage, excluding # and its following part ). After sorting all the parameters to be signed from small to large according to the ASCII code of the field name (lexicographic order), they are concatenated into string string1 using the format of URL key-value pairs (i.e. key1=value1&key2=value2…). It should be noted that all parameter names are lowercase characters. Encrypt string1 with sha1, and both the field name and field value use the original value without URL escaping.

That is, signature = sha1(string1). Example:

noncestr=Wm3WZYTPz0wzccnW

jsapi_ticket=sM4AOVdWfPE4DxkXGEs8VMCPGGVi4C3VM0P37wVUCFvkVAy_90u5h9nbSlYy3-Sl-HhTdfl2fzFy1AOcHKP7qg

timestamp=1414587457

url=http://mp.weixin.qq.com?params=value

Step 1. Sort all parameters to be signed by the ASCII code of the field name from small to large (lexicographical order), and concatenate them into string 1 using the URL key-value pair format (i.e. key1=value1&key2=value2…):

jsapi_ticket=sM4AOVdWfPE4DxkXGEs8VMCPGGVi4C3VM0P37wVUCFvkVAy_90u5h9nbSlYy3-Sl-HhTdfl2fzFy1AOc HKP7qg&noncestr=Wm3WZYTPz0wzccnW&timestamp=1414587457&url=http://mp.weixin.qq.com?params=value

Step 2. Sign string1 with sha1 to get the signature:

0f9de62fce790f9a083d5c99e95740ceb90c27ed

Precautions

The noncestr and timestamp used for the signature must be the same as the noncestr and timestamp in wx.config.

The URL used for signature must be the complete URL of the page that calls the JS interface.

For security reasons, developers must implement signing logic on the server side .