腾讯微博应用授权隐式登陆实现

应用授权的请求地址格式，使用Fiddler2捕捉一次完整的授权操作就可以大致了解腾讯微博的登陆原理（重点在h_login_11.js）

https://open.t.qq.com:443/cgi-bin/oauth2/authorize?client_id=[appKey]&redirect_uri=[callbackUrl]&response_type=code

对于https的请求服务器证书回调验证我们都返回true

ServicePointManager.ServerCertificateValidationCallback = ((sender, certificate, chain, sslPolicyErrors) => true);

1、获取临时验证码

请求链接格式如下：

https://ssl.ptlogin2.qq.com/check?uin={0}&appid=46000101&r={1}

uid：用户账号

r：0~1之间的随机数（允许忽略）

var userUid = "[userUid]";
var random = new Random();
var vcUrl = String.Format("https://ssl.ptlogin2.qq.com/check?uin={0}&appid=46000101&r={1}", userUid, random.NextDouble());
var cookieContainer = new CookieContainer();
var webRequest = WebRequest.CreateHttp(vcUrl);
webRequest.CookieContainer = cookieContainer;

var webResponse = webRequest.GetResponse();
var responseStream = webResponse.GetResponseStream();
var responseReader = new StreamReader(responseStream, Encoding.UTF8, true);
var response = responseReader.ReadToEnd();

返回数据如下：

ptui_checkVC('0','!MMC','\x00\x00\x00\x00\x00\x00\x00\x00');

第二个参数就是验证码，第三个参数是用户账号调用$str.uin2hex（h_login_11.js）的结果，它会被用来后续参与用户密码的加密参数。

2、用户密码加密

查看h_login_11.js源代码，用户密码会被$.Encryption.getEncryption函数加密

if (B[E].name=="p") {
var K = B.p.value;
var G = B.verifycode.value.toUpperCase();
var F = $.Encryption.getEncryption(K, pt.login.saltUin, G);
I += F
}

三个参数分别是用户密码、加密账号、验证码，加密算法步骤如下：

1）md5([用户密码])

2）hexchar2bin([上一步返回字符串])

3）md5([上一步返回字符串] + [加密账号])

4）md5([上一步返回字符串] + [验证码大写])

之前考虑到该算法的复杂程度，使用.NET javascript 引擎Jint执行$.Encryption.getEncryption，但返回的结果始终不对。在仔细阅读了$.Encryption内部源代码后参考编写了一个C#.NET版本（需要注意字符编码为ISO-8859-1）。

/// <summary>
/// 腾讯加密辅助类
/// </summary>
internal static class QQEncryptionHelper
{
/// <summary>
/// MD5字符编码
/// </summary>
private static readonly Encoding MD5Encoding = Encoding.GetEncoding("ISO-8859-1");

/// <summary>
/// 获取加密字符
/// </summary>
/// <param name="password">密码</param>
/// <param name="uin">用户账号，请使用明文</param>
/// <param name="vcode">验证码</param>
/// <returns>加密字符</returns>
public static String GetEncryption(String password, String uin, String vcode)
{
var str = HexChar2Bin(ToMD5(password));
var str2 = ToMD5(str + Uin2Hex(uin));
var str3 = ToMD5(str2 + vcode.ToUpper());

return str3;
}

/// <summary>
/// 十六进制字符串转换为二进制字符串
/// </summary>
/// <param name="value">十六进制字符串</param>
/// <returns>二进制字符串</returns>
private static String HexChar2Bin(String value)
{
var buffer = new StringBuilder(value.Length >> 1);

for (var i = 0; i < value.Length; i += 2)
buffer.Append((Char)Convert.ToByte(value.Substring(i, 2), 16));

return buffer.ToString();
}

/// <summary>
/// 用户账号转换为十六进制字符串
/// </summary>
/// <param name="value">用户账号</param>
/// <returns>十六进制字符串</returns>
private static String Uin2Hex(String value)
{
var str = Convert.ToString(Convert.ToInt64(value), 16).PadLeft(16, '0');

return HexChar2Bin(str);
}

/// <summary>
/// 转换为MD5加密字符串
/// </summary>
/// <param name="value">字符串</param>
/// <returns>MD5加密字符串</returns>
private static String ToMD5(String value)
{
var data = QQEncryptionHelper.MD5Encoding.GetBytes(value);

using (var md5 = new MD5CryptoServiceProvider())
return String.Concat(md5.ComputeHash(data).Select(p => p.ToString("X").PadLeft(2, '0')));
}
}

调用示例：

var userUid = "[userUid]";
var password = "[password]";
var verifyCode = "[verifyCode]";

password = QQEncryptionHelper.GetEncryption(password, userUid, verifyCode);

3、HTTP GET完成登陆

腾讯并没有像新浪、网易使用HTTP POST的方式，而是HTTP GET。请求登陆链接格式：

https://ssl.ptlogin2.qq.com:443/login?ptlang=2052&u=[userUid]&p=[password]&verifycode=[verifyCode]&low_login_enable=1&low_login_hour=720&aid=46000101&u1=[authorizationUrl]&ptredirect=1&h=1&from_ui=1&dumy=&fp=loginerroralert&action=1-2-11125&g=1&t=1&dummy=

u：用户名

p：用户密码（需要使用固定加密算法）

verifyCode：验证码（第一步请求获取）

u1：应用授权链接

var userUid = "[userUid]";
var password = "[password]";
var verifyCode = "[verifyCode]";

password = QQEncryptionHelper.GetEncryption(password, userUid, verifycode);

var authorizeUrl = new UriBuilder("https://open.t.qq.com:443/cgi-bin/oauth2/authorize")
{
Query = new UriQueryBuilder()
.Append("client_id", appKey)
.Append("redirect_uri", callbackUrl)
.Append("response_type", "code")
.ToString()
}.ToString();
var loginUrl = new UriBuilder("https://ssl.ptlogin2.qq.com/login")
{
Query = new UriQueryBuilder()
.Append("ptlang", "2052")
.Append("u", userUid)
.Append("p", password)
.Append("verifycode", verifycode)
.Append("low_login_enable", "1")
.Append("low_login_hour", "720")
.Append("aid", "46000101")
.Append("u1", authorizeUrl)
.Append("ptredirect", "1")
.Append("h", "1")
.Append("from_ui", "1")
.Append("dumy")
.Append("fp", "loginerroralert")
.Append("action", "1-2-11125")
.Append("g", "1")
.Append("t", "1")
.Append("dummy")
.ToString()
}.ToString();

var webRequest = WebRequest.CreateHttp(loginUrl);
var webRequest.CookieContainer = cookieContainer;
var webResponse = webRequest.GetResponse();
var responseStream = webResponse.GetResponseStream();
var responseReader = new StreamReader(responseStream, Encoding.UTF8, true);
var response = responseReader.ReadToEnd();

返回数据如下：

ptuiCB('0','0','https://open.t.qq.com:443/cgi-bin/oauth2/authorize?client_id=[appKey]&redirect_uri=[callbackUrl]','1','登录成功！', '[userNickName]');

4、获取AuthorizationCode

再次请求授权链接会发现响应还是返回登陆内容，其实我们已经完成了登陆，只需要将返回内容中隐藏域u1的值获取并再次请求就可以获得授权代码。其中最重要的一个查询参数就是sessionKey。

<input type="hidden" name="u1" value="https://open.t.qq.com/cgi-bin/oauth2/authorize?client_id=[appKey]&response_type=code&redirect_uri=http%3A%2F%2Fwww.qq.com&checkStatus=yes&appfrom=&g_tk=&sessionKey=5dcad9615be24c288cfe03eeca4e9e0d&checkType=showAuth&state=" id="u1">

5、获取access_token

请求地址格式：

https://open.t.qq.com:443/cgi-bin/oauth2/access_token?client_id=[appKey]&client_secret=[appSecret]&redirect_uri=[callbackUrl]&grant_type=authorization_code&code=[authorizationCode]

返回数据如下：

access_token=[accessToken]&expires_in=8035200&refresh_token=[refreshToken]&openid=[openId]&name=[userName]&nick=[nickName]&state=

示例代码中UriQueryBuilder类型是自己编写的，附上源代码：

/// <summary>
/// 链接查询建造器
/// </summary>
internal sealed class UriQueryBuilder
{
/// <summary>
/// 查询参数格式
/// </summary>
/// <value>{0}={1}</value>
public const String QUERY_FORMAT = "{0}={1}";

/// <summary>
/// 查询参数分隔符
/// </summary>
/// <value>&</value>
public const String QUERY_SEPARATOR = "&";

private Dictionary<String, String> _buffer = new Dictionary<String, String>();

/// <summary>
/// 添加
/// </summary>
/// <param name="name">参数名称</param>
/// <param name="value">参数值</param>
public UriQueryBuilder Append(String name, String value = "")
{
if (String.IsNullOrWhiteSpace(name))
throw new ArgumentException("name不能为空.");

_buffer[name] = Uri.EscapeDataString(value);

return this;
}

/// <summary>
/// 清空
/// </summary>
public void Clear()
{
_buffer.Clear();
}

/// <summary>
/// 转换字符串
/// </summary>
/// <returns>拼接查询参数</returns>
public override String ToString()
{
var values = _buffer.Select(p => String.Format(QUERY_FORMAT, p.Key, p.Value));

return String.Join(QUERY_SEPARATOR, values);
}
}