Alipay, China's leading third-party online payment solution

2. Obtaining the Alipay user ID

Before you begin

Wait until the H5 page has loaded before you start to obtain the Alipay user ID. Otherwise, H5 page loading will be very slow, because the page will load only after the result of obtaining the Alipay user ID is returned.

Obtaining the Alipay user ID

The buyer’s Alipay ID (buyer_id) is one of the required request parameters of the alipay.acquire.create interface. Therefore, to complete a payment transaction, you must first obtain the buyer’s Alipay user ID by completing the following steps:

  1. Construct the openauth link and then guide the user to visit this link.
  2. The authorization occurs silently and the redirection happens automatically: users are redirected to the configured callback page, and the auth_code is passed to it. With the auth_code, call the alipay.system.oauth.token API to obtain the Alipay user ID.

Constructing the openauth link

URL format:

https://openauth.alipay.com/oauth2/publicAppAuthorize.htm?app_id=APPID&scope=auth_base&redirect_uri=ENCODED_URL

Description of URL parameters

| Parameter | Required | Description |
|---|---|---|
| app_id | Y | Application ID of the app in the Developer Center. |
| scope | Y | Interface permission value, fixed as auth_base in this scenario. |
| redirect_uri | Y | Escaped URL of the callback page (the URL must begin with http or https), for example: http%3A%2F%2Fexample.com. Before the request, developers must configure the authorization callback URL in the corresponding application at the Developer Center. |
| state | N | Parameter defined by the merchant. After the user has given permission, the state value is returned as is to the merchant after redirection. To avoid CSRF attacks, passing the state parameter is recommended. The state value must be unpredictable and, at the same time, must be able to prove the connection between the user and the login authentication status on the third-party website. |

About the redirect_uri:

The API verifies whether the redirect_uri configured in the authorization link is consistent with that in the corresponding application at the Developer Center.

For example:

If the link configured in the application by the developer is https://auth.example.com/authCallBack, then the redirect_uri is https%3A%2F%2Fauth.example.com%2FauthCallBack. After configuration, URLs under this domain name (auth.example.com), such as http://auth.example.com/authCallBack, https://auth.example.com/authRedirect and https://auth.example.com/, can support OAuth 2.0-based authentication.

However, http://www.example.com/ and http://example.com would not be supported for web-based authentication.


Obtaining the auth_code

When the user is redirected to the callback page, Alipay adds request parameters to the callback, including auth_code, app_id, scope and so on. An example request is shown below:

http://example.com/doc/toAuthPage.html?app_id=2014101500013658&source=alipay_wallet&scope=auth_base&auth_code=ca34ea491e7146cc87d25fca24c4cD11

In this example, auth_code=ca34ea491e7146cc87d25fca24c4cD11
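
The link construction and callback handling described above, as an added example that is not part of the Alipay documentation: it builds the openauth link with a state value bound to the user's session by an HMAC, and rejects any callback whose state was not issued for that session. STATE_KEY, the session ID and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://openauth.alipay.com/oauth2/publicAppAuthorize.htm"
# Assumption: a server-side secret. Generated per process here so the example
# runs stand-alone; a real deployment would load one persistent key.
STATE_KEY = secrets.token_bytes(32)


def _tag(session_id: str, nonce: str) -> str:
    msg = f"{session_id}.{nonce}".encode()
    return hmac.new(STATE_KEY, msg, hashlib.sha256).hexdigest()


def make_state(session_id: str) -> str:
    """Unpredictable nonce plus an HMAC tag tying it to the user's session."""
    nonce = secrets.token_urlsafe(16)  # URL-safe alphabet, never contains "."
    return f"{nonce}.{_tag(session_id, nonce)}"


def build_authorize_url(app_id: str, redirect_uri: str, session_id: str) -> str:
    # urlencode() escapes redirect_uri, as the parameter table requires.
    query = urlencode({
        "app_id": app_id,
        "scope": "auth_base",
        "redirect_uri": redirect_uri,
        "state": make_state(session_id),
    })
    return f"{AUTHORIZE_URL}?{query}"


def auth_code_from_callback(callback_url: str, session_id: str, app_id: str) -> str:
    """Return auth_code only if state and app_id match this session."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    nonce, _, tag = params.get("state", "").partition(".")
    expected = _tag(session_id, nonce)
    if not nonce or not hmac.compare_digest(tag.encode(), expected.encode()):
        raise ValueError("state missing or not issued for this session")
    if params.get("app_id") != app_id:
        raise ValueError("callback app_id does not match this application")
    code = params.get("auth_code", "")
    if not code.isalnum():
        raise ValueError("auth_code missing or malformed")
    return code
```

The returned auth_code is then sent to alipay.system.oauth.token from the merchant server; a callback that fails these checks never reaches that step.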

Obtaining the user ID by using auth_code

Interface name: alipay.system.oauth.token

For information about the request and response parameters and error codes, refer to the API doc.

The developer can obtain the Alipay user ID by using the auth_code. The auth_code serves as the token for obtaining the Alipay user ID, and the value returned is unique to each authorization. Each auth_code can be used only once and expires automatically in one day.

Sample request:

REQUEST URL: https://globalopenapi.alipay.com/gateway.do
REQUEST METHOD: POST
CONTENT:
    app_id=2014070100171525
    method=alipay.system.oauth.token
    charset=GBK
    sign_type=RSA2
    timestamp=2014-01-01 08:08:08
    sign=rXaTEfJ7WTDsP1DWRPHARW3uOr19+fzlngMCJBvbhP1XPEa9qZwGGng9oMDloABpJMT2SGeOj46+BUkqCGRO9fH90Vci3hOH01BfYnbhJz3ADK2h7gpjlponx4/sxELN6f2GXi51XKiHKnxMA9XpLLo68q+roY0M/ZFQ1UdnqeM=
    version=1.0
    grant_type=authorization_code
    code=4b203fe6c11548bcabd8da5bb087a83b

Request parameters

| Parameter | Type | Description | Required | Sample |
|---|---|---|---|---|
| app_id | String | The unique ID that is assigned by Alipay to identify an application. | Y | 2014072300007148 |
| method | String | Interface name. | Y | alipay.system.oauth.token |
| charset | String | The charset with which the request data are encoded, such as GBK, UTF-8, and GB2312. | Y | UTF-8 |
| sign_type | String | Sign type. RSA and RSA2 are supported. RSA2 is recommended to be used. | Y | RSA2 |
| timestamp | String | The time when the merchant server sends the request. The format is yyyy-MM-dd HH:mm:ss. | Y | 2014-07-24 03:07:50 |
| sign | String | The signature value. | Y | Refer to the sample request |
| version | String | The API version. The value is fixed as 1.0. | Y | 1.0 |
| grant_type | String | Fixed as authorization_code in this situation | Y | authorization_code |
| code | String | The auth_code obtained by the developer in step 2 | Y | 4b203fe6c11548bcabd8da5bb087a83b |

Synchronous response sample

{
    "alipay_system_oauth_token_response": {
        "code": "10000",
        "msg": "Success",
        "access_token": "publicpBa869cad0990e4e17a57ecf7c5469a4b2",
        "user_id": "2088411964574197",
        "alipay_user_id": "20881007434917916336963360919773",
        "expires_in": 300,
        "re_expires_in": 300,
        "refresh_token": "publicpB0ff17e364f0743c79b0b0d7f55e20bfc"
    },
    "sign": "xDffQVBBelDiY/FdJi4/a2iQV1I7TgKDFf/9BUCe6+l1UB55YDOdlCAir8CGlTfa0zLYdX0UaYAa43zY2jLhCTDG+d6EjhCBWsNY74yTdiM95kTNsREgAt4PkOkpsbyZVXdLIShxLFAqI49GIv82J3YtzBcVDDdDeqFcUhfasII="
}

Synchronous response parameters

| Parameter | Type | Description | Required | Sample |
|---|---|---|---|---|
| code | String | Gateway return code, which indicates whether the request is accepted by the Alipay gateway. | Y | 10000 |
| msg | String | Description of the gateway return code. | Y | Success |
| access_token | String | Token used to obtain the user's information. | Y | publicpBa869cad0990e4e17a57ecf7c5469a4b2 |
| user_id | String | The unique Alipay user ID. | Y | 2088411964574197 |
| alipay_user_id | Obsolete | Obsolete | Obsolete | Obsolete |
| expires_in | Number | The validity time of the token. Unit: second. | Y | 300 |
| re_expires_in | Number | The validity time of the refresh token. Unit: second. | Y | 300 |
| refresh_token | String | Token used to refresh the access_token. | Y | publicpB0ff17e364f0743c79b0b0d7f55e20bfc |
| sign | String | The signature value. | Y | Refer to the sample response |

In this scenario, we only focus on user_id.