Verify message authenticity

When developers use the event push service for the first time, they must pass a verification step to establish the first connection with the Weibo server: the Weibo server sends a GET request to the URL filled in by the developer. The verification parameters are shown in the following table:


| Verification parameter field | Field type | Field description |
|---|---|---|
| signature | string | Weibo encrypted signature; it combines the developer's appsecret parameter with the timestamp and nonce parameters in the request |
| timestamp | string | Timestamp |
| nonce | string | Random number |
| echostr | string | Random string |


The signature parameter is computed as follows: sort the appsecret, timestamp and nonce parameters in dictionary (lexicographic) order, concatenate the three parameter strings into one string, and compute its SHA-1 hash. After receiving the request, the developer first verifies the authenticity of the GET request by checking the signature parameter. If the GET request is confirmed to come from the Weibo server, the developer returns the content of the echostr parameter as is and the first connection is established; otherwise the connection fails.


After the first connection is established, every subsequent Weibo event push also carries the signature, timestamp and nonce parameters. Developers can still judge the authenticity of each message by verifying the signature; the verification method is the same as for the first connection.
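
The signature rule and the first-connection check described above, as an added example (not code from the Weibo documentation). The function names and sample values are hypothetical, and the lowercase hex encoding of the SHA-1 digest is an assumption, since the page does not state the encoding.

```python
import hashlib
import hmac
from typing import Mapping, Optional


def expected_signature(appsecret: str, timestamp: str, nonce: str) -> str:
    """Sort the three strings in dictionary order, concatenate, SHA-1.

    Assumption: the signature travels as a lowercase hex digest; the
    page does not state the encoding.
    """
    joined = "".join(sorted([appsecret, timestamp, nonce]))
    return hashlib.sha1(joined.encode("utf-8")).hexdigest()


def is_authentic(appsecret: str, params: Mapping[str, str]) -> bool:
    """True only if signature matches the request's timestamp and nonce."""
    signature = params.get("signature")
    timestamp = params.get("timestamp")
    nonce = params.get("nonce")
    if not signature or not timestamp or not nonce:
        return False  # a missing field counts as a failed verification
    expected = expected_signature(appsecret, timestamp, nonce)
    # Constant-time comparison: do not leak how many characters matched.
    return hmac.compare_digest(expected.encode(), signature.encode())


def handle_first_connection(appsecret: str, params: Mapping[str, str]) -> Optional[str]:
    """Response body for the verification GET: echostr as is, or None."""
    if not is_authentic(appsecret, params):
        return None
    return params.get("echostr", "")


# Constructed sample values (not real credentials or real Weibo traffic).
SAMPLE_SECRET = "example-app-secret"
SAMPLE_QUERY = {
    "timestamp": "1397952000",
    "nonce": "482913",
    "echostr": "r4nd0m-echo",
}
SAMPLE_QUERY["signature"] = expected_signature(
    SAMPLE_SECRET, SAMPLE_QUERY["timestamp"], SAMPLE_QUERY["nonce"]
)

if __name__ == "__main__":
    print(handle_first_connection(SAMPLE_SECRET, SAMPLE_QUERY))
    tampered = dict(SAMPLE_QUERY, nonce="482914")
    print(handle_first_connection(SAMPLE_SECRET, tampered))
```

The same is_authentic check applies to every later event push, which carries signature, timestamp and nonce but no echostr.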

Document update time: April 20, 2014