Process of scanning code for login


Getting the app Identifier and appkey/appSecret

First, go to the developer center of the open platform and create a scan-code login application.


Fill in the following required information to complete the application creation


After creating the application, you can copy the application identifier (it is used as the client_id parameter value when constructing the login page), and click on “Details” to enter the configuration page of the application.


Configure the basic information of the application. (The App Key and App Secret of the application can be checked at the application identifier. The basic information can be edited, as shown in the figure below.)


Click on the application configuration, and configure the callback address.


Construct the scan-code login page

A web system can offer scan-code login with government-affairs DingTalk in two ways.

The first way: use the scan-code login page provided by government-affairs DingTalk

In the corporate web system, users click on “using DingTalk to scan the code” to log in, and the third-party web system redirects to the following address:

  https://login.dg-work.cn/oauth2/auth.htm?response_type=code&client_id=<application identifier>&redirect_uri=<callback address>&scope=get_user_info&authType=QRCODE

The values of the two parameters “client_id” and “redirect_uri” in the URL are the application ID and callback address of the third-party web system. After a user of government-affairs DingTalk scans the code and confirms the login, the browser is redirected to the “redirect_uri” you specified, with two parameters appended: the temporary authorization code “code” (this “code” is not “authcode”) and “state”.

Please note:
The domain name in the parameter “redirect_uri=callback address” must be the same as the callback domain name filled in when the scan-code login application was created; otherwise you will be prompted that you have no access authority.
The size of the generated QR code is fixed at 200*200px and cannot be modified.


The second way: embed the government-affairs DingTalk login QR code in your own website page.

Step 1: Embed it in the page with an “iframe”
Add “embedMode=true” to the address constructed in the first way

  https://login.dg-work.cn/oauth2/auth.htm?response_type=code&client_id=<application identifier>&redirect_uri=<callback address>&scope=get_user_info&authType=QRCODE&embedMode=true

Step 2: After the code is scanned successfully, you need to listen for the scanning result in the page

  <script type="application/javascript">
  window.addEventListener('message', function(event) {
    // event.data here is the login success information
    // Data format: { "code": "aaaa", "state": "bbbb" }
    // This handler does not check event.origin; check it before using the data in production
    alert(JSON.stringify(event.data));
  });
  </script>

Please note: The size of the generated QR code is fixed at 200*200px and cannot be modified.
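
A hardened version of the two steps above, as an added example that is not DingTalk's own code: it percent-encodes the URL parameters and accepts a posted message only when its origin and state match. It assumes the iframe posts from the login domain and that a `state` request parameter (standard OAuth 2.0, not shown on this page) is echoed back; `YOUR_APP_IDENTIFIER`, `app.example.test` and `/login/dingtalk/callback` are hypothetical.

```javascript
// Added example, not DingTalk's code. Assumptions: the iframe posts from the
// login domain, and a `state` request parameter (standard OAuth 2.0) is echoed.
const LOGIN_ORIGIN = 'https://login.dg-work.cn';

// Build the login URL with every parameter percent-encoded.
function buildLoginUrl({ clientId, redirectUri, state, embed = false }) {
  if (!clientId || !redirectUri || !state) throw new Error('missing parameter');
  const params = new URLSearchParams({
    response_type: 'code',
    client_id: clientId,
    redirect_uri: redirectUri,
    scope: 'get_user_info',
    authType: 'QRCODE',
    state,
  });
  if (embed) params.set('embedMode', 'true');
  return `${LOGIN_ORIGIN}/oauth2/auth.htm?${params}`;
}

// Return the authorization code only when the message comes from the login
// origin, has the documented { code, state } shape, and echoes our state.
function acceptLoginMessage(event, expectedState) {
  if (event.origin !== LOGIN_ORIGIN) return null;
  let data = event.data;
  if (typeof data === 'string') {
    try { data = JSON.parse(data); } catch { return null; }
  }
  if (data === null || typeof data !== 'object') return null;
  if (typeof data.code !== 'string' || data.code === '') return null;
  if (typeof data.state !== 'string' || data.state !== expectedState) return null;
  return data.code;
}

// Browser wiring (skipped outside a browser). The endpoint is hypothetical.
if (typeof window !== 'undefined') {
  const bytes = crypto.getRandomValues(new Uint8Array(16));
  const state = Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
  const frame = document.createElement('iframe');
  frame.src = buildLoginUrl({ clientId: 'YOUR_APP_IDENTIFIER',
    redirectUri: 'https://app.example.test/callback', state, embed: true });
  document.body.appendChild(frame);
  window.addEventListener('message', (event) => {
    const code = acceptLoginMessage(event, state);
    if (code === null) return; // unrelated or forged message
    // The server exchanges the one-time code; the page never sees the access_token.
    fetch('/login/dingtalk/callback', { method: 'POST', body: new URLSearchParams({ code }) });
  });
}
```

For the other environment, set `LOGIN_ORIGIN` to the matching login domain from the table below.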

Domain name in each environment/login domain name

Environment | Domain name on open platform (used for calling interfaces) | Login domain name (used to construct the login page)
Saas | openplatform.dg-work.cn | login.dg-work.cn
DingTalk | openplatform-pro.ding.zj.gov.cn (the domain name corresponds to the government affairs extranet IP: 59.202.52.1) | login-pro.ding.zj.gov.cn (the domain name corresponds to the government affairs extranet IP: 59.202.52.68)

Getting the application “access_token”

To get the access_token, please refer to “Get access_token”. Note: please use the ak/sk of the code-scanning app to get the “access_token”.

Get personal information of authorized users

The server gets the personal information of the authorized user by using the temporary authorization code.

Request method: POST (HTTPS)

Interface name

/rpc/oauth2/getuserinfo_bycode.json
Note: Call the interface using the access domain name; the login domain name cannot be used to call the interface. For the related domain names, see “Domain name in each environment/login domain name”.

Request parameter

Parameter | Parameter type | Required | Remark
access_token | String | Yes | Credential for calling the API: the application access_token
code | String | Yes | The temporary authorization code “code” granted by the user. It can only be used once. The code parameter is appended when redirecting to redirect_uri in the previous step.

Return Results

  {
    "success":true,
    "content":{
      "data":{
        "accountId":100135,
        "lastName":"俊锋",
        "clientId":"mozi-buc-sso",
        "realmId":12371,
        "tenantName":"租户2",
        "realmName":"租户2",
        "namespace":"local",
        "tenantId":12371,
        "nickNameCn":"俊锋",
        "tenantUserId":"12371$100135",
        "account":"admin2"
      },
      "success":true,
      "responseMessage":"成功",
      "responseCode":"0"
    }
  }

Note: When the interface is called with a super-administrator account and the returned result contains no “employeeCode”, you can call the interface with an ordinary account instead.

Return parameter

Parameter | Remark
accountId | Account id
realmId | Tenant id
realmName | Tenant name
lastName | Name
nickNameCn | Nickname
account | Login account
employeeCode | Staff code
tenantUserId | The unique identifier of staff in the enterprise
namespace | Account type identifier
clientId | App identifier
tenantId | Tenant id
tenantName | Tenant name

Error code

responseCode | responseMessage
240111 | Code Invalid or non-existent
240133 | App “accessToken” is invalid or non-existent
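
Server-side handling of the response described above, as an added example that is not DingTalk's own code: it trusts the identity only when both success flags and responseCode agree, and maps the two documented error codes to a next step. That an error's responseCode appears inside "content", and the `next` action names, are assumptions of this example; the sample bodies are constructed.

```javascript
// Added example, not DingTalk's code. Field names and error codes are those
// listed above; finding an error's responseCode inside "content" is an assumption.
const NEXT_STEP = {
  '240111': 'restart_login',        // code invalid or non-existent (it is single-use)
  '240133': 'refresh_access_token', // application access_token rejected
};

function fail(code, message) {
  return { ok: false, code, message: message || '', next: NEXT_STEP[code] || 'reject' };
}

// Turn the raw response body into a verified identity or a typed failure.
function parseUserInfo(bodyText) {
  let body;
  try { body = JSON.parse(bodyText); } catch { return fail('not_json'); }
  if (body === null || typeof body !== 'object') return fail('not_object');
  const content = body.content || {};
  const code = String(content.responseCode ?? 'missing');
  // Both success flags and responseCode "0" must agree before data is trusted.
  if (body.success !== true || content.success !== true || code !== '0') {
    return fail(code === '0' ? 'inconsistent' : code, content.responseMessage);
  }
  const d = content.data;
  if (!d || !Number.isInteger(d.accountId) || !Number.isInteger(d.tenantId) ||
      typeof d.tenantUserId !== 'string' || d.tenantUserId === '') {
    return fail('bad_identity', 'identity fields missing or mistyped');
  }
  return { ok: true, user: {
    tenantUserId: d.tenantUserId, // unique staff identifier: use as session key
    accountId: d.accountId, tenantId: d.tenantId, account: d.account,
    employeeCode: d.employeeCode ?? null, // can be absent for super-administrator accounts
  } };
}

// Constructed sample bodies (success values abridged from the sample above).
const SAMPLE_OK = JSON.stringify({ success: true, content: { success: true,
  responseCode: '0', responseMessage: '成功', data: { accountId: 100135,
    tenantId: 12371, tenantUserId: '12371$100135', account: 'admin2' } } });
const SAMPLE_USED_CODE = JSON.stringify({ success: true, content: {
  success: false, responseCode: '240111',
  responseMessage: 'Code Invalid or non-existent' } });

console.log(parseUserInfo(SAMPLE_OK), parseUserInfo(SAMPLE_USED_CODE));
```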