WeChat JS-SDK-Use Permission Signature Algorithm

WeChat JS-SDK-Use Permission Signature Algorithm

jsapi_ticket

Before generating a signature, you must first understand jsapi_ticket. jsapi_ticket is a temporary ticket used by the official account to call the WeChat JS interface. Under normal circumstances, the validity period of jsapi_ticket is 7200 seconds and is obtained through access_token. Since the number of API calls to obtain jsapi_ticket is very limited, frequent refresh of jsapi_ticket will lead to API call restrictions and affect your own business. Developers must cache jsapi_ticket globally in their own services .

Refer to the following document to obtain access_token ( valid for 7200 seconds, developers must cache access_token globally in their own services ): ../15/54ce45d8d30b6bf6758f68d2e95bc627.html

Use the access_token obtained in the first step to obtain a jsapi_ticket using the http GET method ( valid for 7200 seconds, developers must cache the jsapi_ticket globally in their own services ): https://api.weixin.qq.com/cgi-bin/ticket/getticket?access_token=ACCESS_TOKEN&type=jsapi

The following JSON is returned successfully:

{
"errcode":0,
"errmsg":"ok",
"ticket":"bxLdikRXVbTPdHSM05e5u5sUoXNKd8-41ZO3MhKoyN5OfkWITDGgnr2fwJ0m9E8NYzWKVZvdVtaUgWvsdshFKA",
"expires_in":7200
}

After obtaining the jsapi_ticket, you can generate a signature for JS-SDK permission verification.

Signature Algorithm

The signature generation rules are as follows: The fields involved in the signature include noncestr (random string), valid jsapi_ticket, timestamp (timestamp), url (URL of the current webpage, excluding # and its following part ). After sorting all the parameters to be signed from small to large according to the ASCII code of the field name (lexicographic order), they are concatenated into string string1 using the format of URL key-value pairs (i.e. key1=value1&key2=value2…). It should be noted that all parameter names are lowercase characters. Encrypt string1 with sha1, and both the field name and field value use the original value without URL escaping.


That is, signature = sha1(string1). Example:

noncestr=Wm3WZYTPz0wzccnW

jsapi_ticket=sM4AOVdWfPE4DxkXGEs8VMCPGGVi4C3VM0P37wVUCFvkVAy_90u5h9nbSlYy3-Sl-HhTdfl2fzFy1AOcHKP7qg

timestamp=1414587457

url=http://mp.weixin.qq.com?params=value


Step 1. Sort all parameters to be signed by the ASCII code of the field name from small to large (lexicographical order), and concatenate them into string 1 using the URL key-value pair format (i.e. key1=value1&key2=value2…):

jsapi_ticket=sM4AOVdWfPE4DxkXGEs8VMCPGGVi4C3VM0P37wVUCFvkVAy_90u5h9nbSlYy3-Sl-HhTdfl2fzFy1AOc HKP7qg&noncestr=Wm3WZYTPz0wzccnW&timestamp=1414587457&url=http://mp.weixin.qq.com?params=value


Step 2. Sign string1 with sha1 to get the signature:

0f9de62fce790f9a083d5c99e95740ceb90c27ed

Precautions

The noncestr and timestamp used for the signature must be the same as the noncestr and timestamp in wx.config.

The URL used for signature must be the complete URL of the page that calls the JS interface.

For security reasons, developers must implement signing logic on the server side .

<<:  Unity Awards 2015 is about to start, and good games are coming soon!

>>:  WeChat JS-SDK interface list and problem explanation

Recommend

Review of the operation of Xiaohongshu’s popular community!

I had nothing to do during the recent epidemic, s...

APP promotion and operation: How to improve user traffic conversion

Traffic is the object of operations . How to quic...

Lei Jun and Zhou Hongyi battle against each other: Can Xiaomi defeat 360 again?

[[133571]] Three years ago, Qihoo 360 launched a ...

Alibaba's three major marketing models: AIPL, FAST, and GROW

This article will use relatively colloquial langu...

Civil Service Examination General Knowledge 40000 Questions Baidu Netdisk

The civil service exam has 40,000 general knowled...

How to leverage the Apple Store to promote your own App?

In addition to delivering a good product, how can...

Bud parenting class: 10 abilities to let children take control of their lives

This is a course that teaches parents how to put ...

Advanced checklist for private domain operators

What is a private domain operator ? As the name s...

Xi'an half-service massage release

Xi'an Tea Tasting has its own studio: Senior ...