When integrating with the AliExpress Open Platform, a developer's application generally needs a user's private data (such as products and orders), so it must first obtain that user's authorization. To protect the security and privacy of user data, the application therefore obtains an access token (formerly known as a session key) and uses it to access the user's data. The application must guide the user to log in with an AliExpress account and grant authorization. This process implements user authentication and authorization according to the OAuth 2.0 standard protocol and can be used by websites, mobile clients, and desktop clients.
The AliExpress OAuth 2.0 service currently supports two methods for obtaining an access token, the server-side process and the client-side process, described below.
Note: Authorization pages described in this document apply only to PC clients.
To use the server-side process, the developer's application must have a web server. The application must be able to store its own secret and state, and access the AliExpress authorization server directly over HTTPS.
(1) To obtain an authorization code
Formal environment: https://oauth.aliexpress.com/authorize
(2) To obtain an access token
Formal environment: https://oauth.aliexpress.com/token
The following example shows the steps needed to obtain an access token in the formal environment.
During an actual authorization operation, replace the test values of client_id, client_secret, and redirect_uri with the actual data of the developer's own application; running the example values as-is may produce misleading results. The following figure shows a flowchart of the server-side authorization process, described step by step below.
Construct the URL the user visits to authorize. An example URL and the parameter description follow.
https://oauth.aliexpress.com/authorize?response_type=code&client_id=23075594&redirect_uri=http://www.oauth.net/2/&state=1212&view=web&sp=ae
Parameters
Parameter Name | Mandatory or Optional | Parameter Value | Parameter Description |
---|---|---|---|
client_id | Mandatory | AppKey | The AppKey obtained when the application was created. |
response_type | Mandatory | code | The authorization type. Must be code for the server-side process. |
redirect_uri | Mandatory | Callback URL | The callback URL registered under console.aliexpress.com -> App Management -> App Settings -> Basic Settings. After the user (buyer or seller) enters the AliExpress login ID and password and grants authorization, the browser is redirected to this URL carrying the authorization code. Its domain name (or top-level domain) must match the one registered in console.aliexpress.com. Because only the domain is matched, register an HTTPS callback and make sure no page under that domain acts as an open redirect. |
sp | Mandatory | ae | Indicates that an AliExpress account is used to obtain authorization. |
state | Optional | User-defined, such as 1212 | A value chosen by the application and returned unchanged on the callback; the application must check that the returned value matches the one it sent. Its uses include, but are not limited to, mitigating CSRF attacks (see https://auth0.com/docs/protocols/oauth2/oauth-state). |
view | Optional | web | Only web is supported. |
Guide the user to open the preceding authorization URL in a browser. A login page is displayed, as shown in the following figure.
After login and authorization, the TOP (Taobao Open Platform) authorization server redirects the browser to the callback URL with an authorization code. The application reads this code and exchanges it for an access token. Under OAuth 2.0 an authorization code is meant to be used once and expires shortly after it is issued, so perform the exchange promptly.
Method 1:
Use the curl command to obtain an access token, as in the following example. The request is one line and the parameter string must not contain spaces. Passing client_secret on the command line leaves it in the shell history and process list, so use this form only for a quick test.
```bash
curl -i -d "code=OxlukWofLrB1Db1M6aJGF8x2332458&grant_type=authorization_code&client_id=23075594&client_secret=69a1469a1469a1469a14a9bf269a14&sp=ae&redirect_uri=http://www.oauth.net/2/" https://oauth.aliexpress.com/token
```
Method 2:
In application code, collect the parameters and send an HTTP POST to the authorization server. Sample code based on the SDK is given at the end of this document.
Request Parameters for Obtaining an Access Token
Parameter Name | Mandatory or Optional | Parameter Value | Parameter Description |
---|---|---|---|
client_id | Mandatory | AppKey | The AppKey obtained when the application was created. |
client_secret | Mandatory | AppSecret | The AppSecret obtained when the application was created. Keep it on the server; it must never be sent to a browser or shipped inside a client. |
grant_type | Mandatory | authorization_code | The authorization type. Must be authorization_code. |
code | Mandatory | Authorization code | The authorization code received at the callback URL in the previous step. |
redirect_uri | Mandatory | Callback URL | The callback URL the application used when it initiated the authorization request; it must match that value, and its domain name (or top-level domain) must match the one registered for the application. After authorization, the user's browser is redirected to this URL. |
sp | Mandatory | ae | Indicates that an AliExpress account is used to obtain authorization. |
state | Optional | User-defined, such as 1212 | Application-maintained state. The input value must be consistent with the return value. |
view | Optional | web | The browser page style. The value web corresponds to the browser page style (with an AliExpress logo) on a PC client. |
The following provides an example of return values for obtaining an access token.
```json
{
  "access_token": "50002400a03Nk681b6df3eeiAQWRwcBdjTDKSixsf7CBuBtUTgkkOG4Eu4hVq74VYFu",
  "refresh_token": "50003400803dwaf17e60d19r7KkS2pSEcYGWFqvduPD7giygKvyjkDSHzpOl3bCpmkg",
  "w1_valid": 1516364687523,
  "refresh_token_valid_time": 1516278287523,
  "w2_valid": 1516280087523,
  "user_id": "123456789",
  "expire_time": 1516364687523,
  "r2_valid": 1516364687523,
  "locale": "zh_CN",
  "r1_valid": 1516364687523,
  "sp": "ae",
  "user_nick": "test"
}
```
Return Parameters for Obtaining an Access Token
Key | Type | Example | Description |
---|---|---|---|
access_token | string | 50002400a03Nk681b6df3eeiAQWRwcBdjTDKSixsf7CBuBtUTgkkOG4Eu4hVq74VYFu | Indicates the access token. |
expire_time | number | 1516364687523 | Unix timestamp in milliseconds at which the access token expires. Check it before each call rather than assuming a fixed lifetime. |
refresh_token | string | 50003400803dwaf17e60d19r7KkS2pSEcYGWFqvduPD7giygKvyjkDSHzpOl3bCpmkg | Not used; ignore this field. |
user_nick | string | test | The AliExpress account's login ID. |
user_id | string | 123456789 | Indicates the AliExpress account ID. |
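The server-side steps above, worked through end to end in Python as an added example; this is not code from the AliExpress documentation or its SDK. It uses the endpoints and parameters from the tables, generates a random state and enforces it on the callback before accepting the code, prepares the token POST that the curl example sends, and parses the documented response to compute the remaining token lifetime. The callback URL and the token JSON are constructed here from the document's example values (no real AppKey, AppSecret, user or token), and the actual HTTPS call is left to whatever HTTP client the application already uses.

```python
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://oauth.aliexpress.com/authorize"
TOKEN_URL = "https://oauth.aliexpress.com/token"


class OAuthError(ValueError):
    """Raised when a callback or token response must not be trusted."""


def new_state():
    """Unguessable per-login value. Store it in the user's server-side session
    before redirecting; it is what ties the callback back to this login."""
    return secrets.token_urlsafe(24)


def build_authorize_url(client_id, redirect_uri, state):
    """Step 1: the URL the user is sent to (parameters from the table above)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "view": "web",
        "sp": "ae",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def extract_code(callback_url, expected_state):
    """Step 2: the browser arrives at redirect_uri with ?code=...&state=...
    Reject the callback unless state equals the value stored for this session;
    accepting a code without this check lets an attacker attach their own
    authorization to the victim's session (login CSRF)."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not expected_state or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise OAuthError("state mismatch: callback is not for the login this session started")
    code = query.get("code", [""])[0]
    if not code:
        raise OAuthError("callback carries no authorization code")
    return code


def build_token_request(client_id, client_secret, code, redirect_uri):
    """Step 3: form body for the HTTPS POST to the token endpoint (what the curl
    example sends). Send it from the server; client_secret never goes to a browser."""
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,  # must match the value used in step 1
        "sp": "ae",
    }
    return TOKEN_URL, body


def parse_token_response(text, now_ms=None):
    """Step 4: keep the fields the application needs and compute the remaining
    lifetime. expire_time is a Unix timestamp in milliseconds, as documented."""
    data = json.loads(text)
    token = data.get("access_token")
    if not token:
        raise OAuthError("no access_token in token response: %s" % text)
    expire_ms = int(data["expire_time"])
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    return {
        "access_token": token,
        "user_id": str(data["user_id"]),
        "user_nick": data.get("user_nick"),
        "expires_in_s": max(0, (expire_ms - now_ms) // 1000),
        "expired": expire_ms <= now_ms,
    }


# Constructed sample data for an offline run: values copied from the documented
# example response; no real AppKey, AppSecret, user or token stands behind them.
SAMPLE_CLIENT_ID = "23075594"
SAMPLE_REDIRECT_URI = "http://www.oauth.net/2/"
SAMPLE_TOKEN_JSON = (
    '{"access_token":"50002400a03Nk681b6df3eeiAQWRwcBdjTDKSixsf7CBuBtUTgkkOG4Eu4hVq74VYFu",'
    '"refresh_token":"50003400803dwaf17e60d19r7KkS2pSEcYGWFqvduPD7giygKvyjkDSHzpOl3bCpmkg",'
    '"expire_time":1516364687523,"user_id":"123456789","sp":"ae","user_nick":"test"}'
)

if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url(SAMPLE_CLIENT_ID, SAMPLE_REDIRECT_URI, state))
    # Simulated redirect from the authorization server for this same state.
    code = extract_code(SAMPLE_REDIRECT_URI + "?code=OxlukWofLrB1Db1M6aJGF8x2332458&state=" + state, state)
    url, body = build_token_request(SAMPLE_CLIENT_ID, "<AppSecret from configuration>", code, SAMPLE_REDIRECT_URI)
    # On a real run: urllib.request.urlopen(url, data=urlencode(body).encode()) and read the JSON body.
    print(parse_token_response(SAMPLE_TOKEN_JSON, now_ms=1516278287523))
```

The state value is compared in constant time and looked up from the server-side session, not from a cookie the callback itself supplies; the token exchange runs on the server because it carries client_secret.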
Note: The client-side authorization process applies if the developer's application has no independent web server but can reach the AliExpress authorization server with the assistance of a browser or JavaScript.
Formal environment: https://oauth.aliexpress.com/authorize
The following example shows the steps needed to obtain an access token in the formal environment.
During an actual authorization operation, replace the parameter values (such as client_id) with the actual data of the developer's own application; otherwise authorization may fail.
The following figure shows a flowchart of the client-side authorization process, described step by step below.
Parameters
Parameter Name | Mandatory or Optional | Parameter Value | Parameter Description |
---|---|---|---|
client_id | Mandatory | AppKey | The AppKey obtained when the application was created. |
response_type | Mandatory | token | The authorization type. Must be token for the client-side process. |
sp | Mandatory | ae | Indicates that an AliExpress account is used to obtain authorization. |
state | Optional | User-defined, such as 1212 | Application-maintained state. The input value must be consistent with the return value, and the application should check this before using the returned token. |
view | Optional | web | Currently only web is supported. |
Guide the user to visit the authorization URL and grant authorization, as shown in the following figure (this step is the same as in the server-side process).
On the displayed authorization page, after the user clicks Authorize, the TOP returns the access token directly to the AliExpress default page, in the URL fragment (the part after #). This differs from the server-side process, where the TOP returns an authorization code and the application exchanges it for an access token. The application can read the fragment with JavaScript, for example `if (window.location.hash != "") { alert(window.location.hash) }`, and take the access token from it. Because the token travels in the URL, it is exposed to browser history and to any script running on that page; pass it to the application over HTTPS and do not log the full URL.
The following provides an example of return parameters.
Note:
Except for top_sign, the return parameters are the same as those in the server-side process and are not described again here.
The top_sign parameter is a signature generated by the system. In the client-side process the application must verify that it matches the value recomputed from the other return parameters before trusting them. Recomputing top_sign requires the AppSecret, so the check has to run where that secret can be kept, typically on the application's own backend after the browser hands it the fragment; embedding the AppSecret in browser JavaScript would disclose it to every user.
Verify that the received top_sign equals a value recomputed from the other return parameters. Take every key and value after # except top_sign, sort them by key in alphabetical order, splice them as key1 + value1 + key2 + value2 ..., and put the AppSecret both before and after the spliced string (assume AppSecret = 69a1469a1469a1469a14a9bf269a14). Encode the result as UTF-8, hash it with MD5, and convert the hex digest to upper case. The formula is as follows:
md5(utf-8:AppSecret + k1 + v1 + k2 + v2 + … + kn + vn + AppSecret)
For the preceding example of return parameters, splicing the keys and values (except top_sign) after # and adding the AppSecret before and after gives the following string. It is reproduced as the document gives it: its fields are not in alphabetical order and it contains stray & characters, so when implementing the check follow the formula above rather than this string.
```
69a1469a1469a1469a14a9bf269a14access_token6101227f5e8c230696ac93a77b3de7daacb154c6ad98106263664221token_typeBearerexpires_in86400refresh_token6100627e3f9202c0960a6ab5bfd704939c91635892c70dd263664221re_expires_in86400r1_expires_in86400r2expires_in86400taobao_user_id263664221taobao_user_nick%E5%95%86%E5%AE%B6%E6%B5%8B%E8%AF%95%E5%B8%90%E5%8F%B717w1_expires_in86400&w2_expires_in86400&state121269a1469a1469a1469a14a9bf269a14
```
Encode this string as UTF-8, hash it with MD5 (for details, see the API invocation sample code), and convert the letters to upper case. The documented result is 3429C556FCD3F3FC52547DD31021592F, which matches the received top_sign.
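The top_sign check above, implemented in Python as an added example (not code from the AliExpress documentation or SDK). It parses the fragment after #, builds the AppSecret-wrapped sorted string, hashes it with MD5 and compares in constant time. Two points are assumptions: values are kept percent-encoded exactly as they appear in the fragment, which is how the worked example above splices them, and keys that share an initial letter are ordered by a plain sort of the whole key, since the text only speaks of the first character. The AppSecret is the document's example value and the other parameters are made up; make_signed_fragment stands in for the authorization server only so the check can be exercised offline, and a real client never holds the secret to do that.

```python
import hashlib
import hmac


def parse_fragment(fragment):
    """Split the text after '#' into key/value pairs. Values are kept exactly as
    they appear in the URL (still percent-encoded), matching the worked example."""
    params = {}
    for item in fragment.lstrip("#").split("&"):
        if not item:
            continue
        key, _, value = item.partition("=")
        params[key] = value
    return params


def canonical_string(params, app_secret):
    """AppSecret + k1 + v1 + ... + kn + vn + AppSecret, top_sign left out, keys in
    sorted order (assumption: full-key string sort, not first character only)."""
    body = "".join(k + v for k, v in sorted(params.items()) if k != "top_sign")
    return app_secret + body + app_secret


def compute_top_sign(params, app_secret):
    """MD5 over the UTF-8 canonical string, upper-case hex, as the formula states.
    The secret at both ends is the only thing keying this digest."""
    digest = hashlib.md5(canonical_string(params, app_secret).encode("utf-8"))
    return digest.hexdigest().upper()


def verify_top_sign(fragment, app_secret):
    """True only if the fragment carries a top_sign equal to the recomputed value.
    Missing signature is a failure; comparison is constant-time."""
    params = parse_fragment(fragment)
    received = params.get("top_sign", "")
    if not received:
        return False
    return hmac.compare_digest(received.upper(), compute_top_sign(params, app_secret))


def make_signed_fragment(params, app_secret):
    """What the authorization server would put after '#': the parameters plus their
    top_sign. Present only to produce test input for verify_top_sign."""
    items = ["%s=%s" % (k, v) for k, v in params.items()]
    items.append("top_sign=" + compute_top_sign(params, app_secret))
    return "#" + "&".join(items)


# Constructed sample: AppSecret from the document's example, everything else made up.
APP_SECRET = "69a1469a1469a1469a14a9bf269a14"
SAMPLE_PARAMS = {
    "access_token": "tok123",
    "token_type": "Bearer",
    "expires_in": "86400",
    "taobao_user_id": "263664221",
    "state": "1212",
}

if __name__ == "__main__":
    signed = make_signed_fragment(SAMPLE_PARAMS, APP_SECRET)
    print(signed)
    print(verify_top_sign(signed, APP_SECRET))                              # True
    print(verify_top_sign(signed.replace("tok123", "tok999"), APP_SECRET))  # False
```

Run verify_top_sign on the backend: the browser posts window.location.hash to the application over HTTPS and the server, which holds the AppSecret, rejects the token unless the check passes and state matches the value it issued.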
Currently, the logout process applies only to web access; its purpose is to clear aliexpress.com cookies and cancel the user's authorization.
Formal environment: https://login.aliexpress.com
After login, a user can click Sign Out to log out of AliExpress.
The following sample code is implemented based on the SDK provided by the TOP. For details about how to download and use this SDK, click here.
```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import com.taobao.api.internal.util.WebUtils; // Reference the TOP SDK.

public class open_oauth {
    public static void main(String[] args) {
        String url = "https://oauth.aliexpress.com/token";
        Map<String, String> props = new HashMap<String, String>();
        props.put("grant_type", "authorization_code");
        /* During testing, replace the test values with the actual data of the developer's own
           application. Load client_secret from configuration or a secret store, not a literal. */
        props.put("code", "test");          // authorization code received at redirect_uri
        props.put("client_id", "test");     // AppKey
        props.put("client_secret", "test"); // AppSecret
        props.put("redirect_uri", "http://www.test.com"); // must match the registered callback
        props.put("view", "web");
        props.put("sp", "ae");
        String s = "";
        try {
            // HTTPS POST with 30 s connect and read timeouts; the body is the JSON shown above.
            s = WebUtils.doPost(url, props, 30000, 30000);
            System.out.println(s);
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
```
```php
<?php
/* During testing, replace the test values with the actual data of the developer's own
   application. Load client_secret from configuration or a secret store, not a literal. */
$url = 'https://oauth.aliexpress.com/token';
$postfields = array(
    'grant_type'    => 'authorization_code',
    'client_id'     => 'test',               // AppKey
    'client_secret' => 'test',               // AppSecret
    'code'          => 'test',               // authorization code received at redirect_uri
    'sp'            => 'ae',
    'redirect_uri'  => 'http://www.test.com' // must match the registered callback
);
// Build the application/x-www-form-urlencoded body.
$post_data = '';
foreach ($postfields as $key => $value) {
    $post_data .= "$key=" . urlencode($value) . "&";
}
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Verify the server certificate and host name. The original sample set both options to 0,
// which disables TLS validation and would let a man-in-the-middle read the AppSecret and token.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
// Specify the POST data.
curl_setopt($ch, CURLOPT_POST, true);
// Add variables (drop the trailing '&').
curl_setopt($ch, CURLOPT_POSTFIELDS, substr($post_data, 0, -1));
$output = curl_exec($ch);
if ($output === false) {
    // A TLS or network failure stops here instead of silently yielding an empty body.
    die('curl error: ' . curl_error($ch));
}
$httpStatusCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
echo $httpStatusCode;
curl_close($ch);
var_dump($output);
?>
```
```csharp
using System;
using System.Collections.Generic;
using Top.Api.Util; // WebUtils from the TOP .NET SDK (namespace assumed from the official SDK)

namespace Oauth2._0
{
    class Program
    {
        static void Main(string[] args)
        {
            WebUtils webUtils = new WebUtils();
            IDictionary<string, string> pout = new Dictionary<string, string>();
            pout.Add("grant_type", "authorization_code");
            // During testing, replace the test values with the actual data of the developer's own application.
            pout.Add("client_id", "test");     // AppKey
            pout.Add("client_secret", "test"); // AppSecret, loaded from configuration in a real deployment
            pout.Add("sp", "ae");
            pout.Add("code", "test");          // authorization code received at redirect_uri
            pout.Add("redirect_uri", "http://www.test.com"); // must match the registered callback
            // HTTPS POST to the token endpoint; the response body is the JSON shown above.
            string output = webUtils.DoPost("https://oauth.aliexpress.com/token", pout);
            Console.Write(output);
            Console.ReadLine();
        }
    }
}
```