User authorization
With this solution, merchants can learn how to obtain users' authorization to access user information on mini programs. For more information about mini programs, see About Mini Programs.
User authorization is based on the industry-standard OAuth 2.0 authorization mechanism. When users open and use a mini program, the mini program needs to get the users' consent so that it can obtain basic user information, such as avatar, nickname, gender, and region, that is stored in the native app.
Note: This solution is aimed at mini programs that are released to Alipay+ partner apps. If you release your mini program to Alipay China, refer to the Alipay China user authorization solution.
How it works
The authorization happens between the mini program, the native app, and the user. To help merchants understand the details when a mini program is developed on the Alipay+ Mini Program Platform and launched to an Alipay+ partner app, the following diagram illustrates the end-to-end process:

- The merchant signs a contract with Alipay+ Mini Program Platform (AIMPDP).
- The merchant uses the Alipay+ Mini Program Platform to develop and manage mini programs.
- After the mini program is ready to be released, the merchant launches the mini program to a native app, for example, an Alipay+ partner app, or another wallet app.
- When users open the merchant's mini program that runs on the native app, the mini program needs to first obtain user authorization in order to get the basic information that has been authorized in the native app.
The following sections explain more about the authorization from a developer's point of view.
Basic concepts
Check the basic concepts below. The following terms and descriptions will help you understand user authorization:
| Name | Description |
| --- | --- |
| Scope of authorization (scope) | A scope represents the set of permissions for which developers need to request user authorization. A scope contains at least one OpenAPI interface or JSAPI interface. One authorization request can combine multiple scopes. |
| Authorization code (auth_code) | Temporary user authorization credential. After obtaining it, promptly call the |
| Access token or authorization token (access_token or auth_token) | Long-term authorization credential. It is used to call the Mini Program Platform gateway for server-side authorized interface calls. Pay attention to the scope and validity period of the authorization token. |
Guidelines
When obtaining user authorization, stick to the following guidelines:
- Do not guide users to grant authorization at the launch of the mini program. Users have the right to fully understand the mini program and its operations before giving any authorization.
- Fully respect the privacy of users and handle user authorization properly. If a mini program is found to handle user authorization unreasonably or beyond the agreed scope, the Mini Program Platform has the right to permanently withdraw this permission from the mini program.
How to obtain user authorization
To implement the authorization capability, follow the steps below:
Before you start
Make sure you have finished all the following steps:
- Apply for an account.
- Log in to the Alipay Global Merchant portal and click Manage to navigate to the Alipay+ Mini Program Platform to manage mini programs. For more information, see Alipay+ merchant onboarding.
- Create a mini program. Open your mini program and get the appId.
- Contact Alipay technical support and provide us the appId. Alipay technical support will then provide the following:
  - MID (merchant ID)
  - ClientId (client ID)
- We will then guide you through the configuration of the public key and private key. For more information, see OpenAPIs Overview and Call an API via adding a signature. The process is as follows:
  - You exchange your public key for our public key.
  - We provide endpoints for you to call OpenAPIs.
Step 1: Obtain authCode from the wallet app
The following flow illustrates how a merchant's mini program obtains the authCode from the wallet app (also known as the super app) or Alipay+ partner app:

Detailed flow is as follows:
- A user opens the merchant's mini program. The mini program invokes my.getAuthCode(scopes) to send an authorization request to the wallet app [1.1].
- The wallet app processes the request and then pops up the authorization page [1.1.1].
- After the user agrees to the authorization, the mini program gets the authCode [2.1].
- Then the mini program calls my.getAppIdSync and gets appId from the wallet app [2.1.2].
- The mini program calls my.getSiteInfo and gets customerBelongsTo from the wallet app [2.1.4].
You can obtain user authorization by calling the my.getAuthCode JSAPI and fetch the authCode in the success callback. To learn more, see my.getAuthCode.
Note: The authCode, appId, and customerBelongsTo are required to get the accessToken in Step 2.
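Step 1 from the mini program side, as an added example that is not part of the original documentation: the runtime object my is passed in as a parameter so the code can run offline against a constructed fake wallet, and the scope name auth_user, the result field names, and the placeholder IDs are assumptions to check against the JSAPI reference.

```javascript
// Added example, not code from the Alipay+ documentation: collect the three values
// Step 2 needs (authCode, appId, customerBelongsTo) from the wallet app's JSAPIs,
// handling the case where the user refuses consent on the authorization page.
// Assumptions: `my` is the mini program runtime object, passed in so the code runs
// offline against a fake; my.getAuthCode takes { scopes, success, fail },
// my.getAppIdSync() returns { appId }, and my.getSiteInfo's success result carries
// customerBelongsTo. The scope name 'auth_user' is also an assumption.

function callJsapi(my, name, params) {
  // Wrap an Alipay-style callback JSAPI ({ success, fail }) in a Promise.
  return new Promise((resolve, reject) => {
    my[name]({ ...params, success: resolve, fail: reject });
  });
}

async function collectAuthContext(my, scopes) {
  let res;
  try {
    res = await callJsapi(my, 'getAuthCode', { scopes }); // wallet shows the consent page [1.1.1]
  } catch (err) {
    const why = err && err.errorMessage ? err.errorMessage : 'unknown error';
    throw new Error(`user did not grant ${scopes}: ${why}`);
  }
  if (!res || !res.authCode) throw new Error('wallet returned no authCode');
  const { appId } = my.getAppIdSync();                  // [2.1.2]
  const site = await callJsapi(my, 'getSiteInfo', {});  // [2.1.4]
  if (!site || !site.customerBelongsTo) throw new Error('site info lacks customerBelongsTo');
  // This object is what the mini program sends to the merchant server in Step 2.
  return { authCode: res.authCode, appId, customerBelongsTo: site.customerBelongsTo };
}

// Constructed fake wallet runtime for offline use; `consent` models the user's choice.
function fakeWallet(consent) {
  return {
    getAuthCode({ scopes, success, fail }) {
      if (consent) success({ authCode: 'CONSTRUCTED_AUTH_CODE', scopes });
      else fail({ errorMessage: 'user cancelled' });
    },
    getAppIdSync() { return { appId: 'CONSTRUCTED_APP_ID' }; },
    getSiteInfo({ success }) {
      success({ siteName: 'CONSTRUCTED_SITE', customerBelongsTo: 'CONSTRUCTED_WALLET' });
    },
  };
}

// In a real mini program, pass the global `my` instead of fakeWallet(true).
collectAuthContext(fakeWallet(true), 'auth_user').then(console.log, console.error);
```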
Step 2: Obtain accessToken
With the obtained authCode, appId, and customerBelongsTo, you can exchange accessToken and userId.
For more information, check the flow below. It illustrates the sequence of obtaining accessToken from the AIMPDP (Alipay International Mini Program Development Platform):

Detailed flow is as follows:
- The merchant's mini program obtains the accessToken from the merchant server. During this process, authCode, appId, and customerBelongsTo are required [1].
- The merchant server initiates a request to obtain the access token via the applyToken API [1.1]. Before calling the applyToken API, the request must be signed. To learn more, see Call an API via adding a signature.
- Then the merchant server sends the request via /v2/authorizations/applyToken to the AIMPDP. During this process, authCode, appId, and customerBelongsTo are required [1.2].
- The AIMPDP processes the request and returns the accessToken [1.3].
- The merchant server validates the signature, creates a login session, and then saves the accessToken [1.6].
- The merchant server returns the request result to the mini program [1.7].
Note:
- For more about the applyToken API, refer to /v2/authorizations/applyToken.
- During this process, the ClientId, public key, and private key are required.
With the above steps, you have now completed the configuration of user authorization. The following sections introduce the extended steps to query user information and revoke authorization.
Step 3: Query user information (optional)
You can decide which kind of information you want to query, tailored to your business. User information includes userId, status, nickName, userName, avatar, gender, birthDate, loginIdInfos, contactInfos, etc.
The flow below illustrates how to query user information via accessToken:

Detailed flow is as follows:
- The merchant's mini program sends a request to query user information with appId [1].
- The merchant server processes the request and gets the user's accessToken [1.1].
- The merchant server initiates a request to inquire user information via the inquiryUserInfo API [1.2]. Before calling the inquiryUserInfo API, the request must be signed. To learn more, see Call an API via adding a signature.
- Then the merchant server sends the request via /v2/users/inquiryUserInfo to the AIMPDP [1.3]. The AIMPDP processes the request and returns the user information [1.4].
- The merchant server validates the signature and gets the user information [1.6].
- Then the merchant server sends the request result to the merchant's mini program [1.7].
Note: For more about the inquiryUserInfo API, refer to /v2/users/inquiryUserInfo.
Step 4: Revoke authorization (optional)
You can cancel the authorization by calling the revoke API. For more about this API, refer to /v2/authorizations/revoke.
The flow below illustrates how to cancel the authorization via the revoke API:

When a user cancels an access token from the mini program:
- The merchant server calls the revoke interface via /v2/authorizations/revoke to cancel the access token [1.1].
- The AIMPDP processes the cancellation request and returns the result to the merchant server [1.2].
- Then the merchant server transfers the result to the mini program [1.3].
API list
Refer to the following two tables for the APIs that are used in the above procedures, along with their description:
JSAPI
| Interface Name | Description |
| --- | --- |
| my.getAuthCode | Obtains the authorization code. |
| my.getAppIdSync | Obtains the mini program app ID. |
| my.getSiteInfo | Obtains the site information. |
OpenAPI
| Interface Name | Description |
| --- | --- |
| applyToken (/v2/authorizations/applyToken) | Obtains the access token. |
| inquiryUserInfo (/v2/users/inquiryUserInfo) | Gets the user-related information. |
| revoke (/v2/authorizations/revoke) | Cancels the access token. |