How to Configure WeChat OAuth Authentication for Captive Portals
This technical guide explains how to configure WeChat OAuth authentication for captive portals. It details the required platform registrations, OAuth 2.0 flow, scope selection, and network enforcement mechanisms necessary to capture first-party data from Chinese visitors securely.
- Executive Summary
- Technical Architecture
- Platform Registration Requirements
- WeChat Official Accounts Platform
- WeChat Open Platform
- Scope Selection and Data Collection
- snsapi_base
- snsapi_userinfo
- Network Enforcement Integration
- RADIUS Change of Authorization (CoA)
- MAC Address Bypass
- Compliance and Security Considerations
- GDPR and PIPL Alignment
- CSRF Protection
- Redirect URI Validation

Executive Summary
When Chinese visitors connect to your WiFi, presenting a splash page with only email or Facebook login options creates an immediate barrier to entry. With more than 1.3 billion monthly active users on WeChat, configuring it as an identity provider removes this friction. This guide demonstrates how to implement WeChat OAuth 2.0 authentication for Captive Portals, detailing the necessary platform registrations, OAuth flows, and the network enforcement mechanisms required to translate a successful login into network access. We will cover technical implementation for enterprise-grade hardware, alongside compliance requirements under GDPR and PIPL.
Technical Architecture
The Captive Portal intercepts plain HTTP traffic from unauthenticated devices and redirects it to a splash page hosted on a portal server; HTTPS requests cannot be redirected, which is why operating systems detect a portal by probing a known HTTP URL and then open the splash page themselves. When you integrate WeChat OAuth, you insert a third-party identity provider into this flow.

Here is the exact step-by-step interaction:
- The visitor connects to the SSID.
- The wireless Access Point (AP) or wireless controller detects the lack of an authenticated session and redirects HTTP traffic to the Captive Portal URL.
- The visitor selects WeChat Login.
- The portal server redirects the browser to WeChat's authorisation endpoint (open.weixin.qq.com), passing the AppID, redirect_uri, response_type=code, scope, and a state value it has stored in the visitor's session.
- WeChat handles authentication. If the visitor is inside the WeChat in-app browser using the snsapi_base scope, this happens silently.
- WeChat redirects back to the portal's redirect_uri with a temporary, single-use authorisation code and the state value.
- The portal server checks the state, then exchanges the code for an access token by calling api.weixin.qq.com/sns/oauth2/access_token with the AppID, AppSecret and code.
- WeChat returns the access_token, refresh_token, and the user's openid.
Platform Registration Requirements
Implementing WeChat login requires registration on the correct developer platform. WeChat operates two separate platforms, and selecting the wrong one will cause integration failure.
WeChat Official Accounts Platform
For Captive Portals served inside the WeChat in-app browser, you require a verified Service Account registered on the WeChat Official Accounts Platform (mp.weixin.qq.com). Subscription Accounts lack the required OAuth webpage authorisation permissions. Verified Service Accounts support both the snsapi_base and snsapi_userinfo scopes.
WeChat Open Platform
For Captive Portals accessed from standard mobile browsers outside of WeChat (e.g., Chrome on Android or Safari on iOS), you need a Website Application registered on the Open Platform (open.weixin.qq.com). This uses the snsapi_login scope and presents a QR code for the user to scan with their WeChat app.
Most enterprise deployments require both registrations to cover all access pathways.
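The flow above and the two-registration rule, as an added example (Python) that is not code from Purple or Tencent: it picks the registration, endpoint and scope for a client from its User-Agent, builds the authorisation URL, exchanges the code with the matching AppID, and fetches only the profile fields the portal needs. The AppIDs, secrets, redirect URI and the offline HTTP transport are assumptions; the WeChat endpoint paths and the `MicroMessenger` User-Agent token are the documented ones.

```python
# Added example, not code from the page or from Purple/Tencent. Credentials, the
# redirect URI and fake_http_get() are constructed for illustration.
import json
from urllib.parse import urlencode

OA_AUTHORIZE = "https://open.weixin.qq.com/connect/oauth2/authorize"  # Official Account, in-app browser
OPEN_QRCONNECT = "https://open.weixin.qq.com/connect/qrconnect"       # Open Platform website app, QR code
TOKEN_URL = "https://api.weixin.qq.com/sns/oauth2/access_token"
USERINFO_URL = "https://api.weixin.qq.com/sns/userinfo"

# Assumed credentials: one pair per registration; load from a secrets store in practice.
CREDS = {
    "official_account": {"appid": "wx_oa_example", "secret": "oa-secret-example"},
    "open_platform": {"appid": "wx_open_example", "secret": "open-secret-example"},
}


class WeChatAPIError(Exception):
    """WeChat answers HTTP 200 even on failure, with errcode/errmsg in the JSON body."""


def in_wechat_browser(user_agent):
    """WeChat's in-app browser identifies itself with 'MicroMessenger' in the User-Agent."""
    return "MicroMessenger" in (user_agent or "")


def build_authorize_url(user_agent, redirect_uri, state, first_visit):
    """Return (registration, url). In-app clients use the Official Account with
    snsapi_userinfo on a first visit and silent snsapi_base afterwards; other
    browsers go to the Open Platform QR flow, which only offers snsapi_login."""
    if in_wechat_browser(user_agent):
        registration, endpoint = "official_account", OA_AUTHORIZE
        scope = "snsapi_userinfo" if first_visit else "snsapi_base"
    else:
        registration, endpoint = "open_platform", OPEN_QRCONNECT
        scope = "snsapi_login"
    params = {  # parameters in the order WeChat documents; urlencode() percent-encodes redirect_uri
        "appid": CREDS[registration]["appid"],
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "state": state,
    }
    return registration, f"{endpoint}?{urlencode(params)}#wechat_redirect"


def _get_json(http_get, url):
    body = json.loads(http_get(url))
    if body.get("errcode"):
        raise WeChatAPIError(f"{body['errcode']}: {body.get('errmsg', '')}")
    return body


def exchange_code(http_get, registration, code):
    """Swap the one-time code for tokens using the credentials of the registration
    that issued it; a code obtained under the other AppID is rejected by WeChat."""
    creds = CREDS[registration]
    query = urlencode({"appid": creds["appid"], "secret": creds["secret"],
                       "code": code, "grant_type": "authorization_code"})
    body = _get_json(http_get, f"{TOKEN_URL}?{query}")
    return {k: body.get(k) for k in ("access_token", "expires_in", "refresh_token", "openid", "scope")}


def fetch_profile(http_get, token):
    """Only the profile scopes may call sns/userinfo. Keep just the fields the
    portal needs (data minimisation); everything else is discarded, never stored."""
    if token["scope"] not in ("snsapi_userinfo", "snsapi_login"):
        raise ValueError("profile fields need snsapi_userinfo or snsapi_login")
    query = urlencode({"access_token": token["access_token"], "openid": token["openid"], "lang": "zh_CN"})
    body = _get_json(http_get, f"{USERINFO_URL}?{query}")
    return {"openid": body["openid"], "nickname": body.get("nickname", "")}


def fake_http_get(url):
    """Constructed offline stand-in for HTTPS calls to api.weixin.qq.com."""
    if url.startswith(TOKEN_URL):
        if "code=GOODCODE" in url:
            return json.dumps({"access_token": "AT1", "expires_in": 7200, "refresh_token": "RT1",
                               "openid": "oEXAMPLEopenid", "scope": "snsapi_userinfo"})
        return json.dumps({"errcode": 40029, "errmsg": "invalid code"})
    if url.startswith(USERINFO_URL):
        return json.dumps({"openid": "oEXAMPLEopenid", "nickname": "Visitor", "sex": 0, "city": ""})
    raise AssertionError("unexpected URL " + url)


if __name__ == "__main__":
    reg, url = build_authorize_url("Mozilla/5.0 (iPhone) MicroMessenger/8.0",
                                   "https://portal.example/wechat/cb", "st4te", True)
    print(reg, url)
    tok = exchange_code(fake_http_get, reg, "GOODCODE")
    print(fetch_profile(fake_http_get, tok))
```

The transport is injected so the same code runs offline here and against the real API in production; the one behaviour worth copying is the `errcode` check, since WeChat signals failures such as an invalid code inside a 200 response rather than with an HTTP error status.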
Scope Selection and Data Collection
The scope parameter determines what data WeChat returns to your portal server. This decision impacts both user friction and data privacy compliance.

snsapi_base
This scope returns only the OpenID, the unique identifier for the user within your Official Account. It requires no user authorisation prompt, making authentication silent. This is optimal for returning visitors where you already have a profile, or for venues prioritising zero friction over new data collection.
snsapi_userinfo
This scope returns the OpenID together with profile fields from WeChat's userinfo endpoint, historically the nickname, profile picture, gender, language setting and city. WeChat has since restricted the demographic fields it returns to applications, so verify which fields your account actually receives before designing a profile around them; the nickname and profile picture are what you can still expect. It requires an explicit authorisation page, introducing friction. Use this for first-time visitor registration where establishing a profile is necessary, paired with a GDPR-compliant consent layer.
Network Enforcement Integration
Acquiring an OAuth token proves identity, but it does not open the network. You must translate successful authentication into network access using standard protocols.
RADIUS Change of Authorization (CoA)
Defined in RFC 3576 (obsoleted by RFC 5176, RADIUS Dynamic Authorization Extensions), RADIUS CoA allows the portal server, acting as a Dynamic Authorization Client, to send a CoA-Request to the network controller upon successful OAuth. It is not part of IEEE 802.1X; it changes the authorisation of a session that already exists, which on a captive portal SSID is the pre-authentication session. The controller then moves the device from the pre-authentication role or VLAN to the guest role or VLAN. This is the standard on enterprise-grade hardware, including Cisco Meraki, HPE Aruba, Ruckus, and Juniper Mist. A CoA-Request is authenticated only by an MD5 authenticator over the RADIUS shared secret, so restrict the CoA port (UDP 3799 by default) to the portal server's address, use a strong secret, and configure the controller to accept dynamic authorisation only from that client.
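The CoA exchange that follows a successful login, as an added example in Python (not code from Purple or any controller vendor): it encodes an RFC 5176 CoA-Request with the Request Authenticator the RFC specifies, shows the controller-side verification and the ACK/NAK the controller returns, and parses the attribute list. The shared secret, controller address, client MAC, accounting session ID and the Aruba-User-Role vendor attribute are assumptions; which attributes a controller needs to identify a session is vendor-specific, so check its CoA documentation.

```python
# Added example, not code from the page or from any vendor. Secret, MAC, session ID
# and the role attribute are constructed for illustration.
import hashlib
import hmac
import socket
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45            # RFC 5176 packet codes
ATTR_VENDOR_SPECIFIC, ATTR_CALLING_STATION_ID, ATTR_ACCT_SESSION_ID = 26, 31, 44
VENDOR_ARUBA, ARUBA_USER_ROLE = 14823, 1               # Aruba enterprise number, Aruba-User-Role VSA
COA_PORT = 3799                                        # RFC 5176 default UDP port


def attr(attr_type, value):
    """Type(1) Length(1) Value; a RADIUS attribute carries at most 253 value bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific: Vendor-Id(4) followed by the vendor's own Type/Length/Value."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def build_coa_request(identifier, secret, attributes):
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body


def verify_request_authenticator(packet, secret):
    """Controller side: a wrong secret or any modification of the packet fails here."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def build_coa_response(code, identifier, request_authenticator, secret, attributes=()):
    """Controller side: CoA-ACK (44) or CoA-NAK (45), authenticated with
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return header + hashlib.md5(header + request_authenticator + body + secret).digest() + body


def verify_response(packet, request_authenticator, secret):
    """Portal side: return the reply code (44 or 45) only if it is genuine, else None."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return packet[0] if hmac.compare_digest(packet[4:20], expected) else None


def parse_attributes(body):
    """Walk the TLV list, rejecting truncated or zero-length attributes."""
    out, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute length")
        out.append((t, body[i + 2:i + length]))
        i += length
    return out


def guest_role_coa(identifier, secret, mac, acct_session_id, role=b"guest-authenticated"):
    """What the portal sends after a successful WeChat exchange: identify the session
    by client MAC and accounting ID, and name the post-authentication role."""
    return build_coa_request(identifier, secret, [
        attr(ATTR_CALLING_STATION_ID, mac.encode()),
        attr(ATTR_ACCT_SESSION_ID, acct_session_id.encode()),
        vsa(VENDOR_ARUBA, ARUBA_USER_ROLE, role),
    ])


def send_coa(packet, secret, controller, timeout=3.0):
    """Send over UDP and accept the reply only if its identifier and authenticator match."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (controller, COA_PORT))
        reply, _ = s.recvfrom(4096)
    return verify_response(reply, packet[4:20], secret) if reply[1] == packet[1] else None


if __name__ == "__main__":
    pkt = guest_role_coa(7, b"assumed-shared-secret", "AA-BB-CC-DD-EE-FF", "0000002A")
    print(pkt.hex(), verify_request_authenticator(pkt, b"assumed-shared-secret"))
```

Two things the bytes make obvious: the only protection on the request is the MD5-over-secret authenticator, which is why the CoA listener must be reachable from the portal server alone, and the portal must check the reply's authenticator against its own request before treating a CoA-ACK as proof that the session was moved.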
MAC Address Bypass
Alternatively, the portal server registers the device's MAC address with the controller as an authorised client, and the controller permits its traffic. While simpler to implement, this is less secure: a MAC address can be observed on the air and spoofed by another device, which then inherits the access. It is also less reliable than it once was, because current iOS and Android releases use a randomised per-network MAC address by default, so the address the portal records may not identify the same device on a later visit or on another SSID.
Purple's cloud overlay technology automates this handoff, sending the appropriate signals to the underlying hardware (including Ubiquiti UniFi, Cambium, Extreme, and Fortinet) once WeChat OAuth is complete.
Compliance and Security Considerations
GDPR and PIPL Alignment
If you serve European visitors, GDPR applies to data collected via WeChat OAuth. If you serve Chinese visitors, China’s Personal Information Protection Law (PIPL) applies. Both frameworks require processing to have a lawful basis, explicit purpose limitation, and data minimisation. Compared to the snsapi_userinfo scope, the snsapi_base scope is easier to align with data minimisation principles.
CSRF Protection
The state parameter in OAuth requests prevents Cross-Site Request Forgery. You must generate a cryptographically random state value, store it in the user session, and validate it when WeChat redirects back.
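The state handling described above, as an added example (Python) that is not code from the page or from Purple: the state is minted server-side, bound to the visitor's session, accepted once only, time-limited, and compared in constant time, and the callback handler checks it before the one-time code is spent. The in-memory session dict, the five-minute TTL and the injected `exchange` function are assumptions; the character set and length limit quoted for the parameter are WeChat's documented constraints.

```python
# Added example, not code from the page or from Purple. The session dict, TTL and
# the exchange() callback are stand-ins for the portal's real session store and
# token-exchange client.
import hmac
import secrets
import time

STATE_TTL_SECONDS = 300  # assumed: long enough to log in, short enough to limit replay


def issue_state(session, now=None):
    """Mint a fresh state and remember it, with its issue time, in the server-side
    session. token_hex(16) gives 32 characters from 0-9a-f, which satisfies WeChat's
    limit of a-zA-Z0-9 and at most 128 bytes for this parameter."""
    state = secrets.token_hex(16)
    session["oauth_state"] = (state, time.time() if now is None else now)
    return state


def verify_state(session, returned_state, now=None):
    """True only for the state this session issued, presented once, inside the TTL.
    The stored value is popped before comparison so a replayed callback cannot match,
    and the comparison is constant-time so timing does not leak the expected value."""
    stored = session.pop("oauth_state", None)
    if stored is None or not isinstance(returned_state, str) or not returned_state:
        return False
    expected, issued_at = stored
    if (time.time() if now is None else now) - issued_at > STATE_TTL_SECONDS:
        return False
    return hmac.compare_digest(expected.encode(), returned_state.encode())


def handle_callback(session, query, exchange):
    """Order matters: reject the callback before spending the code, so a code an
    attacker planted in a forged callback is never exchanged with our AppSecret.
    `exchange` is the portal's code-for-token function."""
    if not verify_state(session, query.get("state")):
        return {"ok": False, "reason": "state missing, mismatched, reused or expired"}
    code = query.get("code")
    if not code:
        return {"ok": False, "reason": "no code in callback"}
    return {"ok": True, "token": exchange(code)}


if __name__ == "__main__":
    sess = {}
    s = issue_state(sess)
    fake_exchange = lambda code: {"openid": "oEXAMPLE"}  # constructed stand-in
    print(handle_callback(sess, {"state": s, "code": "CODE"}, fake_exchange))
    print(handle_callback(sess, {"state": s, "code": "CODE"}, fake_exchange))  # replay: rejected
```

Binding the state to the server-side session (rather than only to a cookie the browser presents) is what ties the callback to the browser that started the flow; popping it on first use closes the replay window even within the TTL.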
Redirect URI Validation
WeChat validates the redirect_uri against the authorised callback domain registered on the platform, and it does so at the authorisation endpoint, before any code is issued: if the host of your redirect_uri does not match the registered domain, WeChat shows a redirect_uri error page and the browser never returns to the portal. Make sure the redirect_uri is percent-encoded in the authorisation URL and that the registered domain is the one the portal actually serves. Error 40029 ("invalid code") comes later, from the token exchange, and means the code is not valid for the AppID presented: typically the code was issued under the other registration's AppID (Official Account versus Open Platform), has already been consumed by an earlier exchange, or has expired. Because the token endpoint takes only appid, secret, code and grant_type, a redirect_uri mismatch cannot surface there.
For more information on securing your network, see our Enterprise WiFi Security: A Complete Guide for 2026.
Key Definitions
snsapi_base
A WeChat OAuth scope that returns only the user's OpenID without displaying a consent prompt.
Used when IT teams need to authenticate returning visitors silently without causing login friction.
snsapi_userinfo
A WeChat OAuth scope that returns the OpenID along with demographic data (nickname, gender, city) and requires explicit user consent.
Used during first-time registration when marketing teams need to build a visitor profile.
OpenID
A unique identifier for a specific user within a specific WeChat Official Account.
Used as the primary key in the portal database to track visitor behaviour and return visits.
RADIUS CoA
Change of Authorisation. A mechanism defined in RFC 3576 (obsoleted by RFC 5176) that allows a server to modify the authorisation state of an active RADIUS session.
Used by the portal server to tell the wireless controller to grant network access after successful WeChat authentication.
PIPL
Personal Information Protection Law. China's comprehensive data privacy regulation.
Must be considered alongside GDPR when designing the consent flow for Chinese visitors using WeChat login.
AppID and AppSecret
The credentials provided by WeChat to identify and authenticate your application.
The AppSecret must remain securely on the portal server and never be exposed in client-side code.
State Parameter
A cryptographically random string passed in the OAuth request and validated upon return.
Essential for preventing Cross-Site Request Forgery (CSRF) attacks on the captive portal.
MAC Address Bypass
A method of granting network access by authorising the device's hardware address rather than requiring 802.1X authentication.
An alternative to RADIUS CoA for simpler network setups, though less secure.
Worked Examples
A luxury retail brand in London wants to offer WeChat login for Chinese shoppers. They want to collect demographic data to understand their customer base, but they are concerned about GDPR compliance and high drop-off rates at the portal.
The retailer should register a verified Service Account on the WeChat Official Accounts Platform. They must configure the portal to use the snsapi_userinfo scope for first-time connections to gather demographic data (nickname, gender, city). To ensure GDPR compliance, the portal page must display a clear, conscious-choice opt-in before the WeChat redirect, explaining exactly what data is collected and why. For returning shoppers, the portal should recognise the device (for example by its MAC address) and use snsapi_base for silent re-authentication, minimising friction; because iOS and Android randomise MAC addresses per network by default, some returning devices will not be recognised and will simply take the first-visit path again.
A stadium deploys a new WiFi network using HPE Aruba controllers. They have configured WeChat OAuth, and the portal successfully receives the access token, but the visitor's device remains on the captive portal page and cannot access the internet.
The integration lacks a network enforcement mechanism. The portal server has verified the user's identity with WeChat, but it has not instructed the HPE Aruba controller to grant access. The portal server must be configured to send a RADIUS Change of Authorisation (CoA) message to the controller, instructing it to transition the session for the user's MAC address from the pre-authentication role to the authenticated guest role. The controller must also be configured to accept CoA from the portal server's address with a matching shared secret; a CoA-NAK, or a request that is silently dropped, usually points to that configuration rather than to the OAuth integration.
Practice Questions
Q1. You are deploying a captive portal across a retail chain. Testing shows that users opening the portal in Safari on iOS receive an error when selecting WeChat login, but users opening the portal from within a WeChat message link authenticate successfully. What is the likely cause?
Hint: Consider the difference between the WeChat in-app browser and standard mobile browsers.
View model answer
The implementation is likely relying solely on a Service Account registered on the Official Accounts Platform, which only supports OAuth within the WeChat in-app browser. To support Safari on iOS, you must also register a Website Application on the WeChat Open Platform and implement User-Agent detection (the in-app browser identifies itself with the MicroMessenger token) to route Safari users to the QR code flow with the Open Platform AppID.
Q2. Your portal server logs show frequent 40029 'invalid code' errors returning from the WeChat API during the access token exchange. What configuration should you check first?
Hint: Think about how WeChat validates the source of the authentication request.
View model answer
You should verify that the AppID and AppSecret used in the token exchange belong to the registration that issued the code. The Official Accounts Platform and the Open Platform issue separate AppIDs, and a code obtained under one cannot be exchanged with the other's credentials. Also check that the portal exchanges each code exactly once; a retry or a duplicated callback presents a code WeChat has already consumed. A redirect_uri mismatch is not the cause: WeChat checks the callback domain at the authorisation step and would have shown an error page before any code was issued.
Q3. A venue operator wants to collect visitor data but insists on zero friction during the login process. They request that you configure WeChat login to collect the visitor's nickname and city without showing a consent prompt. How do you respond?
Hint: Review the capabilities of the different OAuth scopes.
View model answer
You must inform the operator that this is technically impossible. Collecting demographic data like nickname and city requires the snsapi_userinfo scope, which mandatorily triggers a WeChat consent prompt. To achieve zero friction, you must use snsapi_base, which operates silently but only returns the OpenID.
Continue reading in this series
Captive portal for Ruijie: set it up with Purple guest WiFi
How Purple's cloud guest WiFi sits on top of Ruijie RG Series access points using web authentication and RADIUS, configured from the command line, and where to find the exact setup steps.
Designing B2B Captive Portals: Collecting Registered Name and Company Data
This guide provides IT managers and venue operators with a vendor-neutral technical framework for designing B2B captive portals. It details how to structure registration fields to capture registered name and company data, ensuring high completion rates while maintaining GDPR compliance and building account-level intelligence.