Integrating Enterprise WeChat QR Login with Spring Security OAuth2
This guide walks through configuring Enterprise WeChat QR code authentication in a Spring Security OAuth2 application, covering environment setup, application registration, custom OAuth2 request handling, token exchange, user‑info retrieval, and final authentication handling while highlighting common pitfalls and required code snippets.
Environment Preparation
Developing WeChat‑related applications on a local machine requires a tunnel (intranet penetration) that makes the local service reachable from the internet. Map a public domain such as http://invybj.natappfree.cc -> 127.0.0.1:8082 so that local port 8082 is reachable externally.
Create Application
In the Enterprise WeChat admin console, create a new application and record the AgentId, Secret, and corpid for later use.
Configure Domain
Enable the application and set the authorized redirect domain to the tunnel domain (do not use localhost).
Spring Security Compatibility for Enterprise WeChat QR Login
Below is a working Spring Security OAuth2 configuration (YAML):
spring:
  security:
    oauth2:
      client:
        registration:
          work-wechat-scan:
            client-id: wwaxxxxxx
            client-secret: nvzGI4Alp3zxxxxxxxKbnfTEets5W8
            authorization-grant-type: authorization_code
            redirect-uri: '{baseUrl}/login/oauth2/code/{registrationId}'
        provider:
          work-wechat-scan:
            authorization-uri: https://open.work.weixin.qq.com/wwopen/sso/qrConnect
            token-uri: https://qyapi.weixin.qq.com/cgi-bin/gettoken
            user-info-uri: https://qyapi.weixin.qq.com/cgi-bin/user/getuserinfo
Replace client-id with your Enterprise WeChat corpid and client-secret with the secret of the created application.
The access_token returned by the token endpoint must be cached and reused.
Build QR Code URL
Implement a Consumer<OAuth2AuthorizationRequest.Builder> that replaces the standard client_id with appid, adds agentid, and keeps only the required OAuth2 parameters, producing a URL like:
https://open.work.weixin.qq.com/wwopen/sso/qrConnect?appid=CORPID&agentid=AGENTID&redirect_uri=REDIRECT_URI&state=STATE
Configure this consumer in DefaultOAuth2AuthorizationRequestResolver.
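One way to write that consumer and wire it into the resolver, as an added example rather than code from the original article. The class name WorkWechatQrRequestCustomizer, the agentId constructor argument and the resolver() helper are hypothetical, and Builder.parameters(...) assumes Spring Security 5.5 or later.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.Consumer;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;

// Hypothetical class name; illustrates the parameter rewrite described above.
public final class WorkWechatQrRequestCustomizer implements Consumer<OAuth2AuthorizationRequest.Builder> {
    private static final String REGISTRATION_ID = "work-wechat-scan"; // registration id from the YAML
    private final String agentId; // AgentId recorded when the application was created

    public WorkWechatQrRequestCustomizer(String agentId) {
        this.agentId = agentId;
    }

    @Override
    public void accept(OAuth2AuthorizationRequest.Builder builder) {
        // Only rewrite requests for the Enterprise WeChat registration; other providers stay standard.
        builder.attributes(attrs -> {
            if (REGISTRATION_ID.equals(attrs.get(OAuth2ParameterNames.REGISTRATION_ID))) {
                builder.parameters(this::toQrConnectParameters);
            }
        });
    }

    // Rebuilds the query parameters as appid, agentid, redirect_uri, state.
    void toQrConnectParameters(Map<String, Object> params) {
        Map<String, Object> qr = new LinkedHashMap<>();
        qr.put("appid", params.get(OAuth2ParameterNames.CLIENT_ID)); // corpid, sent as appid
        qr.put("agentid", agentId);
        qr.put(OAuth2ParameterNames.REDIRECT_URI, params.get(OAuth2ParameterNames.REDIRECT_URI));
        // state is kept: Spring Security checks it on the callback to reject forged responses.
        qr.put(OAuth2ParameterNames.STATE, params.get(OAuth2ParameterNames.STATE));
        params.clear();
        params.putAll(qr);
    }

    // Hypothetical helper: a resolver on the default /oauth2/authorization base URI using this customizer.
    public static DefaultOAuth2AuthorizationRequestResolver resolver(
            ClientRegistrationRepository registrations, String agentId) {
        DefaultOAuth2AuthorizationRequestResolver resolver =
                new DefaultOAuth2AuthorizationRequestResolver(registrations, "/oauth2/authorization");
        resolver.setAuthorizationRequestCustomizer(new WorkWechatQrRequestCustomizer(agentId));
        return resolver;
    }
}
```

The returned resolver can be passed to oauth2Login().authorizationEndpoint().authorizationRequestResolver(...).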
Adapt Token Exchange
Create a custom Converter<OAuth2AuthorizationCodeGrantRequest, RequestEntity<?>> for the token request and register it with DefaultAuthorizationCodeTokenResponseClient. Cache the obtained access_token for later use.
Retrieve User Information
After obtaining the code and access_token, implement a custom OAuth2UserService that calls the Enterprise WeChat user‑info API. The response JSON has unconventional field names, so map it with a POJO like:
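import com.fasterxml.jackson.annotation.JsonAlias;
import lombok.Data;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.core.user.OAuth2User;
import java.util.*;

@Data
public class WorkWechatOAuth2User implements OAuth2User {
    private Set<GrantedAuthority> authorities;
    private Integer errcode;
    private String errmsg;
    @JsonAlias("OpenId")
    private String openId;
    @JsonAlias("UserId")
    private String userId;

    // Required by OAuth2User; empty attributes and userId-then-openId as the name are assumptions.
    @Override public Map<String, Object> getAttributes() { return Collections.emptyMap(); }
    @Override public String getName() { return userId != null ? userId : openId; }
}
Finalize Authentication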
Implement an AuthenticationSuccessHandler to translate the Spring Security Authentication object into your platform’s session (cookie or JWT) and configure it via:
// successHandler is your AuthenticationSuccessHandler implementation
httpSecurity.oauth2Login()
    .successHandler(successHandler);
Testing the Integration
Access the application through the tunnel domain, e.g., http://invybj.natappfree.cc/login. The login URL will be
http://invybj.natappfree.cc/oauth2/authorization/work-wechat-scan, which redirects to the Enterprise WeChat QR code page. Scan with the corresponding Enterprise WeChat app; after successful scanning, Spring Security will produce an Authentication object containing the user’s information.
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"
