Install
openclaw skills install china-auth-integrationChina Auth Integration
Implement Chinese authentication systems including WeChat Login, Alipay Login, phone SMS verification, and real-name verification (实名认证). Teach AI agents how to integrate OAuth2 flows for Chinese platforms, implement phone verification with Chinese SMS providers, handle real-name verification requirements, and build unified auth interfaces. Covers: WeChat OAuth2 login (web/mini program/app), phone SMS verification (Alibaba Cloud SMS/Tencent Cloud SMS), real-name verification (ID card + face recognition), unified multi-method auth interface, and session management with Chinese compliance. Triggers on: 微信登录, wechat login, 支付宝登录, alipay login, 手机验证码, SMS verification china, 实名认证, real-name verification, 中国身份验证, china authentication, 微信OAuth, wechat oauth2, 短信验证码, SMS code verification, 统一登录, unified login, 中国用户认证, china user auth
China Auth Integration - 中国认证集成专家
You are an expert at implementing authentication systems for Chinese applications. You handle WeChat Login, Alipay Login, phone SMS verification, and real-name verification — the four pillars of Chinese user authentication.
Core Philosophy
In China, email/password login is secondary. Users expect WeChat scan-to-login or phone SMS verification. If you don't support these, you lose 80% of potential users.
Auth Method Priority
| Method | User Preference | Implementation Complexity | Trust Level |
|---|---|---|---|
| WeChat Login | ⭐⭐⭐⭐⭐ | Medium | High (verified identity) |
| Phone SMS | ⭐⭐⭐⭐ | Low | Medium (SIM-based) |
| Alipay Login | ⭐⭐⭐ | Medium | High (real-name verified) |
| Email/Password | ⭐⭐ | Low | Low (anonymous) |
Workflow 1: WeChat OAuth2 Login
Web Application (PC)
Step 1: Redirect to WeChat
GET https://open.weixin.qq.com/connect/qrconnect?
appid=APPID&
redirect_uri=REDIRECT_URI&
response_type=code&
scope=snsapi_login&
state=STATE
Step 2: User scans QR code with WeChat
Step 3: WeChat redirects back with code
REDIRECT_URI?code=CODE&state=STATE
Step 4: Exchange code for access_token
GET https://api.weixin.qq.com/sns/oauth2/access_token?
appid=APPID&
secret=SECRET&
code=CODE&
grant_type=authorization_code
Step 5: Get user info
GET https://api.weixin.qq.com/sns/userinfo?
access_token=ACCESS_TOKEN&
openid=OPENID&
lang=zh_CN
Mini Program Login
// Frontend (Mini Program)
wx.login({
success: (res) => {
// res.code → send to your backend
wx.request({
url: 'https://your-api.com/auth/wechat/miniprogram',
method: 'POST',
data: { code: res.code }
})
}
})
// Backend (Node.js)
const axios = require('axios')
async function wechatMiniProgramLogin(code) {
// Step 1: Exchange code for session_key + openid
const { data } = await axios.get(
'https://api.weixin.qq.com/sns/jscode2session',
{
params: {
appid: process.env.WX_APPID,
secret: process.env.WX_SECRET,
js_code: code,
grant_type: 'authorization_code'
}
}
)
// data: { openid, session_key, unionid? }
// Step 2: Find or create user by openid
let user = await User.findOne({ wechatOpenid: data.openid })
if (!user) {
user = await User.create({ wechatOpenid: data.openid })
}
// Step 3: Generate JWT
const token = jwt.sign({ userId: user._id }, JWT_SECRET, { expiresIn: '7d' })
return { token, user }
}
Mobile App Login
// iOS/Android → WeChat SDK → get code → backend exchange
// Same flow as web, but uses SDK instead of QR code
// User taps "微信登录" → WeChat app opens → auto-redirect back with code
Workflow 2: Phone SMS Verification
Provider Comparison
| Provider | Price/条 | Reliability | Speed | Best For |
|---|---|---|---|---|
| 阿里云SMS | ¥0.045 | ⭐⭐⭐⭐⭐ | <3s | Production |
| 腾讯云SMS | ¥0.045 | ⭐⭐⭐⭐⭐ | <3s | Production |
| 华为云SMS | ¥0.04 | ⭐⭐⭐⭐ | <5s | Alternative |
| 容联云 | ¥0.04 | ⭐⭐⭐ | <5s | Budget |
Implementation (Alibaba Cloud SMS)
const Core = require('@alicloud/pop-core')
const client = new Core({
accessKeyId: process.env.ALI_ACCESS_KEY,
accessKeySecret: process.env.ALI_ACCESS_SECRET,
endpoint: 'https://dysmsapi.aliyuncs.com',
apiVersion: '2017-05-25'
})
async function sendSMS(phone, code) {
const result = await client.request('SendSms', {
PhoneNumbers: phone, // +8613800138000
SignName: '你的应用名', // Must be approved
TemplateCode: 'SMS_123456', // Must be approved
TemplateParam: JSON.stringify({ code })
}, { method: 'POST' })
return result.Code === 'OK'
}
// Rate limiting: 1 SMS per minute per phone, 5 per hour
const smsLimiter = {
window: 60, // seconds
maxPerWindow: 1,
maxPerHour: 5,
maxPerDay: 10
}
Verification Flow
// 1. Generate 6-digit code
function generateCode() {
return Math.floor(100000 + Math.random() * 900000).toString()
}
// 2. Store in Redis with TTL
await redis.setex(`sms:${phone}`, 300, code) // 5 min TTL
// 3. Verify
async function verifyCode(phone, inputCode) {
const storedCode = await redis.get(`sms:${phone}`)
if (!storedCode) return { valid: false, reason: 'expired' }
if (storedCode !== inputCode) return { valid: false, reason: 'wrong' }
await redis.del(`sms:${phone}`) // One-time use
return { valid: true }
}
Workflow 3: Real-Name Verification (实名认证)
Two-Factor Verification
Level 1: ID card number + name (基础实名)
→ Check against public security database
→ Cost: ¥0.8-2.0 per check
→ Providers: 阿里云/腾讯云/百度云
Level 2: ID card + face recognition (增强实名)
→ ID check + liveness detection + face comparison
→ Cost: ¥1.5-5.0 per check
→ Required for: financial, healthcare, education apps
Implementation
// Level 1: ID Card Verification (阿里云)
async function verifyIdCard(name, idNumber) {
const client = new Core({ /* ... */ })
const result = await client.request('VerifyIdCard', {
Name: name, // 张三
IdCardNumber: idNumber // 110101199001011234
})
return result.Result === '1' // 1=match, 0=no match
}
// Level 2: Face Recognition (腾讯云)
async function verifyFace(idCardImage, selfieImage) {
const result = await tencentCloudClient.request('CompareFace', {
ImageA: idCardImage, // Base64 ID card photo
ImageB: selfieImage, // Base64 selfie
QualityControl: 1 // Enable quality check
})
return result.Similarity > 80 // >80 = same person
}
When Real-Name is Required
| Scenario | Level Required | Regulation |
|---|---|---|
| Social features (comment/post) | Level 1 | 网络安全法 |
| Financial services | Level 2 | 金融监管 |
| Healthcare | Level 2 | 医疗法规 |
| Education | Level 1 | 教育部规定 |
| E-commerce (seller) | Level 1 | 电商法 |
| Live streaming (host) | Level 2 | 网信办规定 |
| Gaming (anti-addiction) | Level 1 | 版署规定 |
Workflow 4: Unified Multi-Method Auth Interface
// Unified auth endpoint
router.post('/auth/:method', async (req, res) => {
const { method } = req.params
switch (method) {
case 'wechat':
// WeChat OAuth2 flow
return handleWechatLogin(req, res)
case 'phone':
// SMS verification
return handlePhoneLogin(req, res)
case 'alipay':
// Alipay OAuth2 flow
return handleAlipayLogin(req, res)
default:
return res.status(400).json({ error: 'Unsupported method' })
}
})
// Account linking: same user can have multiple auth methods
// User schema:
{
phone: '+8613800138000',
wechatOpenid: 'oXXXX',
wechatUnionid: 'uXXXX', // Cross-app identity
alipayUserId: '2088XXXX',
realNameVerified: false,
realNameLevel: 0 // 0=none, 1=ID, 2=ID+face
}
Safety Rules
- Never store SMS codes in database — use Redis with TTL only
- Rate limit SMS — 1/min, 5/hour, 10/day per phone number
- Encrypt ID numbers — never store in plaintext
- Session security — use httpOnly + secure + sameSite cookies
- WeChat session_key — never expose to frontend, use for data decryption only
- Phone format — always include country code (+86) for international compatibility
- Compliance — PIPL requires separate consent for collecting ID/phone data
- Audit log — log all auth events for security review
Quick Reference
| Auth Method | Prerequisites | Key API | User Data Returned |
|---|---|---|---|
| WeChat Web | MP account + 网页授权 | open.weixin.qq.com/connect/qrconnect | openid, nickname, avatar |
| WeChat Mini | Mini Program | jscode2session | openid, unionid |
| Phone SMS | SMS provider account | SendSms API | phone number only |
| Alipay | 支付宝开放平台 | alipay.system.oauth.token | user_id, avatar |
| Real-name L1 | Cloud provider | VerifyIdCard | match/no-match |
| Real-name L2 | Cloud provider | CompareFace | similarity score |