I will solve this problem.
It probably happened for a while.
When authorizing with WeChat, WeChat officially allows you to use a guide address (A.action) to redirect to another address (B.action). You can get the code in the second address (B.action) and exchange it for access_token, refresh_token, etc. In most cases, the user information can be obtained the first time, but when refreshing a second time, it prompts "errcode":40163,"errmsg":"code been used". It means that the code has already been used once. The official documentation makes it very clear that the code can only be used once. Of course, regardless of whether you have refreshed or not, as long as you use the same code and it is not the first time you use it, the above error will be reported.
This is how I solved it. In B.action, first determine whether the access_token and refresh_token obtained with the code exist in the session (it is best to encapsulate them into entity objects, which is easier to check). If they do not exist, it means that the code is being used for the first time (the page was closed before); if they exist, get the access_token or refresh_token directly from the session. Use the obtained access_token and refresh_token to obtain user information.
I hope what I said is helpful to you!
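The session check described in the answer above, as an added example that is not part of the original post or WeChat's own code. FakeTokenEndpoint is a constructed stand-in for the token exchange, and the handler names, session keys, token values and the state comparison are assumptions made for illustration.

```python
import hmac


class FakeTokenEndpoint:
    """Constructed stub: issues tokens once per code, then answers errcode 40163."""

    def __init__(self):
        self.used = set()
        self.calls = 0

    def exchange(self, code):
        self.calls += 1
        if code in self.used:
            return {"errcode": 40163, "errmsg": "code been used"}
        self.used.add(code)
        return {"access_token": "AT-" + code, "refresh_token": "RT-" + code}


def naive_callback(endpoint, session, params):
    """Redeems the code on every request, so a page refresh fails."""
    return endpoint.exchange(params["code"])


def callback(endpoint, session, params):
    """Hypothetical B.action handler: redeem once, then serve from the session."""
    tokens = session.get("wechat_tokens")
    if tokens is not None:
        return tokens  # refresh: the stale code in the URL is ignored
    # Assumed extra check: state must equal the value stored before redirecting.
    expected = session.pop("oauth_state", None)
    if expected is None or not hmac.compare_digest(expected, params.get("state", "")):
        return {"error": "state mismatch"}
    result = endpoint.exchange(params["code"])
    if "errcode" not in result:
        session["wechat_tokens"] = result  # never cache a failed exchange
    return result


def demo():
    """Simulate first load plus one refresh for both handlers."""
    params = {"code": "c1", "state": "s1"}  # constructed sample values
    ep_naive = FakeTokenEndpoint()
    naive = [naive_callback(ep_naive, {}, params) for _ in range(2)]
    ep_fixed = FakeTokenEndpoint()
    session = {"oauth_state": "s1"}
    fixed = [callback(ep_fixed, session, params) for _ in range(2)]
    return naive, fixed, ep_fixed.calls
```

After a successful exchange the handler can also redirect to the same page without the code parameter, so a refresh never resubmits it.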
The reminder is very clear: the code has already been used, and the code can only be used once. There is a problem with the processing part of your authorization. After the authorization is obtained, the user information is saved in the session.
You did not save it in the session after authorization. As a result, after refreshing the page, there is no user information in the session, but the address still contains the code parameter, so the code was used to get the authorization, but the code had already been used, and the code can only be used once.
That’s it: the authorization URI of OAuth2.0 specifies parameters such as response type, authorization code, state, etc. You call the WeChat OAuth2.0 authorization interface and pass in the appid, appsecret and so on, just to get the authorization code. What does this code do? It is used by a third party (that is, you; the user authorizes you to access his resources on WeChat) to exchange for an AccessToken with the OAuth authorization server, which is to call the parameters used by the authorization URI I talked about at the beginning. In the OAuth2.0 specification, the parameters returned by the URI include AccessToken, RefreshToken, etc. With this AccessToken, you can authenticate with the resource server to obtain user resources. OAuth2.0 then stipulates that, for security, this authorization code can only be exchanged for an AccessToken once.
So how does WeChat implement it? Their authorization interface includes parameters such as response type, redirect uri, state, appid, appsecret. Their logic is that the user first calls this authorization interface, and then authorizes (or silently authorizes). After the user confirms the authorization, the WeChat authorization interface is still called. After the WeChat authorization server confirms the authorization, it will redirect the request to the redirect uri you set, and add the URL parameters code and state to this uri. This code is the authorization code; your server will then receive the authorization code through this redirection, and you can use this code to exchange for an AccessToken, and then obtain the user's various resources in WeChat (such as the open id).
So why did you say that you got an error when refreshing? I seriously suspect that you refreshed the URL of your own server, and then your code obtained the same code again, and then redeemed it. Of course, the error says the code was reused.
Pay attention to whether two consecutive requests (using the same code in exchange for user information) result in this error occurring the second time the code is used.
Have you clicked WeChat Pay? The Pay button can only be clicked once. After calling up payment, if you cancel the payment and click Pay again, an error will be reported. You can only exit the current page and enter again!
Did the original poster solve it? I also encountered the same problem.