Social-Registration with WeChat
This article covers the customizations and configuration needed to enable social registration with WeChat, followed by a quick demo of the end-user experience. This is not part of the product yet; I built it using a clone of the openidm trunk. On the WeChat side you need an appid and secret. The only scope needed for this demo is snsapi_login; despite what the documentation might lead you to believe, snsapi_userinfo is not needed, and that scope also requires a higher authorization level.
WeChat uses an OAuth2-like three-legged flow to authorize a user. The similarity to OAuth2 helps when wiring it into the social authorization filters inside OpenIDM, but the differences necessitate a new authnfilter module and some rewriting of the OAuthHttpClient inside the identity-provider module. Changes are also needed at the JavaScript layer: WeChat takes the URL-encoded values it receives, decodes them, and then XML-encodes them twice. OpenIDM's state information does not survive this intact, so the oauthReturn.html callback page has to parse the value WeChat returns back into the original state before the OAuth2 flow can continue.
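The following is an added example, not code from the article or from OpenIDM's oauthReturn.html. It models the callback-side repair described above: the state value sent to WeChat comes back URL-decoded and then XML-encoded twice (as the article observes), and the page must recover the original before the flow can continue. The state is also the flow's CSRF token, so however leniently it is decoded, the result must still match the stored value exactly. The sample state format and callback URL are constructed for illustration; the article does not show OpenIDM's real state layout.

```javascript
// Added example, not code from the article or from OpenIDM's oauthReturn.html.
// Recovers the OAuth2 `state` after the provider URL-decoded it and XML-encoded
// it twice (per the article), then checks it against the stored value.

const XML_ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };

// Decode exactly one layer of XML character references; unknown names are kept.
function decodeXmlEntitiesOnce(s) {
  return s.replace(/&(#x[0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);/g, (match, ref) => {
    if (ref[0] === "#") {
      const hex = ref[1] === "x";
      const cp = parseInt(hex ? ref.slice(2) : ref.slice(1), hex ? 16 : 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    return Object.prototype.hasOwnProperty.call(XML_ENTITIES, ref) ? XML_ENTITIES[ref] : match;
  });
}

// Reverse the provider-side mangling. The browser may still hand us a
// percent-encoded value, so undo that first, then peel XML encoding layers.
// MAX_PASSES bounds the work (the article observed two layers) so a hostile
// value cannot keep us decoding; we also stop early at a fixed point.
const MAX_PASSES = 2;
function recoverState(rawState) {
  let s = String(rawState);
  if (/%[0-9a-fA-F]{2}/.test(s)) {
    try { s = decodeURIComponent(s); } catch (_) { /* malformed: leave it, the match below fails */ }
  }
  for (let i = 0; i < MAX_PASSES; i++) {
    const next = decodeXmlEntitiesOnce(s);
    if (next === s) break;
    s = next;
  }
  return s;
}

// The state is the flow's CSRF token: after all the lenient decoding the result
// must still equal the stored value exactly. Compare in constant time.
function stateMatches(recovered, expected) {
  if (typeof recovered !== "string" || typeof expected !== "string") return false;
  if (recovered.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= recovered.charCodeAt(i) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

// What a callback page would do with window.location.href.
function parseCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  const code = params.get("code");
  const recovered = recoverState(params.get("state") || "");
  if (!code || !stateMatches(recovered, expectedState)) {
    return { ok: false, reason: "missing code or state mismatch" };
  }
  return { ok: true, code, state: recovered };
}

// Constructed sample values, not a capture. The state stored before the
// redirect (the real OpenIDM format is not shown in the article) ...
const STORED_STATE = "nonce=QbDW7p2c&provider=wechat&landing=/profile";
// ... and the same value after WeChat URL-decoded it, XML-encoded it twice, and
// the redirect percent-encoded it as a query-string parameter.
const CALLBACK_URL =
  "https://idm.example.com/oauthReturn.html?code=021abcDEF&state=" +
  encodeURIComponent("nonce=QbDW7p2c&amp;amp;provider=wechat&amp;amp;landing=/profile");

console.log(parseCallback(CALLBACK_URL, STORED_STATE));
```

Bounding the number of decoding passes matters: a loop that decodes "until stable" with no cap gives an attacker a knob to turn, and a state check that accepts anything that eventually decodes to the right value would weaken the CSRF protection the parameter exists for. Here the lenient part is limited to reversing the specific mangling observed, and acceptance still requires an exact match.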
Administrative Experience
Add the WeChat configuration to identityProviders.json, using the existing Google entry in the same file as a template.
Next, turn on the WeChat provider in the Social ID Providers menu:
Enable user registration, and any custom Terms and Conditions needed for social registration:
At this point the basic plumbing is in place for users to register their accounts via WeChat. However, since WeChat will not provide a username in the format you prefer, I strongly recommend modifying the Social Registration Properties transform scripts to derive or pre-fill any attributes you need. For example, I remove all spaces from the full name returned by WeChat to create a username:
One could also write a transform script that validates the email address, for example.
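As an added example (not the author's transform script), the block below shows the kind of Social Registration Properties transform the text recommends: a userName derived from the WeChat profile, and a syntactic check on the email address the user types in. It goes a little further than stripping spaces from the full name: it also removes non-ASCII whitespace and handles nicknames that are empty or symbol-only by falling back to the openid. How OpenIDM binds the provider profile into the script (here a plain `profile` argument) is assumed, not taken from the article, and the sample profile is constructed.

```javascript
// Added example, not the author's transform script. Derives a userName from a
// WeChat profile and sanity-checks a hand-entered email. The `profile` argument
// is an assumed binding, not OpenIDM's documented transform-script variable.

// Strip every whitespace character, not just ASCII space: nicknames can carry
// ideographic (U+3000) or zero-width spaces that split(" ") would miss.
function stripWhitespace(s) {
  return String(s).replace(/[\s\u200B\u200C\u200D\uFEFF]/g, "");
}

// Derive userName. The nickname is free text the user controls, so it may be
// empty, all emoji, or identical to another user's. Keep only letters, digits,
// '.', '_' and '-'; if too little survives, fall back to the openid, which
// WeChat guarantees is stable and unique for a given application.
function deriveUserName(profile) {
  const fromNickname = stripWhitespace(profile.nickname || "")
    .replace(/[^\p{L}\p{N}._-]/gu, "");
  if (fromNickname.length >= 3) return fromNickname;
  return "wechat_" + stripWhitespace(profile.openid || "");
}

// A minimal syntactic check for the address the user enters by hand (WeChat did
// not supply one in the demo). It is not proof of ownership: real verification
// means sending a link or code to the address and waiting for it to be used.
function looksLikeEmail(value) {
  const v = String(value || "").trim();
  return v.length <= 254 && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v);
}

// Constructed sample profile, not a real WeChat response.
const SAMPLE_PROFILE = {
  openid: "oXyz1AbC2dEf3GhI4jKl5MnO6pQr",
  nickname: "Zhang San\u3000Wei",
  country: "CN",
  province: "Guangdong",
  city: "Shenzhen",
};

console.log(deriveUserName(SAMPLE_PROFILE), looksLikeEmail("zhang.san@example.com"));
```

A derived nickname is still not unique: two WeChat users can share a display name, so the managed user schema must keep enforcing uniqueness on userName, and the registration flow should let the user change the pre-filled value rather than fail silently.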
End User Experience
The following is the flow for social-registration with WeChat.
The user is then presented with the Terms & Conditions screen configured earlier by the admin:
After accepting the T&Cs, the user is taken to the Registration page:
Upon clicking the “Register with WeChat” link, the QR Code is presented by WeChat as follows:
I am able to scan it and login from the iPhone WeChat app, and the screen confirms correct login:
After this screen, I accept the login attempt from the iPhone and I am taken immediately to the following page that shows the user data made available by WeChat:
WeChat did not provide me the email address based on my profile settings, so I proceeded to enter it myself and hit Save. Next, I am asked for a KBA response as configured:
Following which, the confirmation appears stating I registered successfully:
This completes the social-registration portion. The next step is to be able to login from WeChat into OpenAM and achieve seamless sign on to OpenIDM as well. I’ll save that for next time!
Good explanations, do you have the steps for OpenAM authentication? Once the user is registered to OpenIDM as per the above explanation, and suppose it's synced to OpenDJ, what are the settings on OpenAM so that the user is able to login using OpenAM via WeChat?