java - 微信登录oauth2.0授权相关问题

Question

微信登录，用户授权给第三方，第三方在获得授权码之前微信怎么判断是哪个用户授的权，还有请求accessToken时，只带了code，势必生成code的时候会有和用户相关的绑定信息，要不怎么去验code，只有code正确，才会生成相应的token，求大神指教，感觉理解还不到位

Answer 1

code is temporary data. Since it is passed to you through a link jump, this parameter cannot be data related to the user's identity, so we give you a temporary data, and then you use this temporary data to exchange for a token representing the user's identity.

Answer 2

Code can be understood as the user's authorization, and token can be understood as the third party authorizing the user to the caller.

Answer 3

WeChat authorization requires you to scan the QR code. When you scan the code, WeChat will send information to the server, so that the server knows who has authorized it.
The returned code is a unique value generated by the server and is stored on the server together with the user information. Of course WeChat can distinguish it

Answer 4

Thank you for the above answer. I read some source code. Yes, there is indeed a binding relationship. When generating the authorization code, the WeChat authentication server will determine whether to log in. If logged in, a token related to the user (usernamepasswordtoken, this token will be generated) It doesn’t matter what token you change, it’s just used to identify the user), then generate the code, save the relationship between code, client_id, and username, and then return the code. When the client requests the token, it will verify the correctness of the code based on client_id and code. If correct, the WeChat authentication server will obtain the current user, then generate authenticateId based on client_id, username, and scope (if scope is not empty), then generate accessToken, save the relationship between authenticateId and accessToken, and finally removeCode and return accessToken