跳至主要内容
简体中文

Integrating WeChat Authentication with Guest WiFi Captive Portals

本指南介绍了如何将微信 OAuth 2.0 认证集成到企业级访客 WiFi Captive Portal 中。它涵盖了双平台注册要求、用于第一方数据获取的 scope 选择、通过 RADIUS Change of Authorization 进行的网络强制执行,以及对 GDPR 和中国 PIPL 的合规性。酒店、零售和活动行业的场所运营商将获得具体的实施步骤、真实案例研究以及安全加固指南,以大规模部署微信登录访客 WiFi。

📖 8 分钟阅读📝 1,966 🔧 2 应用实例4 练习题📚 9 关键定义

收听本指南

查看播客转录
HOW TO CONFIGURE WECHAT OAUTH AUTHENTICATION FOR CAPTIVE PORTALS A Purple Technical Briefing - Approximately 10 Minutes --- INTRODUCTION AND CONTEXT (approximately 1 minute) Welcome. If you are responsible for guest WiFi at a hotel, retail chain, stadium, or conference centre that serves Chinese visitors, this briefing is for you. WeChat has 1.38 billion monthly active users, according to Tencent's 2024 data. The overwhelming majority are in China, but the platform has a meaningful international footprint too - four million users in the United States, 12 million in Malaysia, and growing numbers across Southeast Asia, Europe, and the Middle East. When a Chinese guest connects to your WiFi and sees a login page with only email, Facebook, or a voucher code, they face immediate friction. They may not have a local email address set up on that device. They almost certainly have WeChat. So the question is not whether you should offer WeChat login - it is how you configure it correctly, securely, and in a way that generates first-party data you can actually use. That is what we are going to cover today. We will walk through the OAuth 2.0 flow, the two platform registrations you need, the scope decision that determines what data you collect, the network-side enforcement mechanism, and the compliance considerations that matter in 2026. --- TECHNICAL DEEP-DIVE (approximately 5 minutes) Let us start with the architecture. A captive portal intercepts HTTP traffic from an unauthenticated device and redirects it to a login page. That login page is hosted on a portal server - either on-premises or in the cloud. When you add WeChat OAuth, you are inserting a third-party identity provider into that flow. Here is the sequence. The guest connects to your SSID. The access point or wireless controller detects that the device has no authenticated session and redirects all HTTP traffic to your captive portal URL. The portal page loads and presents login options - including WeChat. The guest taps WeChat login. Your portal server redirects the browser to WeChat's authorisation endpoint, passing your App ID, the redirect URI, the response type of code, and the scope. WeChat handles the authentication entirely on its own servers. If the guest is already logged into WeChat in their browser, they see a consent screen. If they are using the WeChat in-app browser, the experience can be silent with the snsapi base scope - no consent prompt at all. WeChat then redirects back to your portal's redirect URI with a temporary authorisation code. Your portal server exchanges that code for an access token, passing your App ID, App Secret, the code, and grant type of authorisation code. WeChat returns an access token, a refresh token, the user's Open ID, and the scope granted. If you requested snsapi userinfo scope, you can then make a second API call to retrieve the user's nickname, avatar, gender, and city. Now, the two platform registrations. This is where most implementations go wrong. WeChat has two separate developer platforms. The WeChat Open Platform handles website applications and mobile apps. The WeChat Official Accounts Platform handles public accounts - what most venues actually need. For a captive portal serving guests inside the WeChat in-app browser, you need a Service Account on the Official Accounts Platform. A Subscription Account will not work - it does not have OAuth web page authorisation permissions. A Service Account does, and it supports both snsapi base and snsapi userinfo scopes. For a captive portal accessed from a standard mobile browser outside WeChat - Chrome on Android, Safari on iOS - you need a Website Application registered on the Open Platform. This uses snsapi login scope and presents a QR code that the user scans with their WeChat app. In practice, most venue deployments use both. A guest on a hotel's WiFi might open the portal in Chrome, see a QR code, scan it with WeChat, and authenticate. Or they might follow a link in WeChat itself, land in the in-app browser, and authenticate silently with snsapi base. Let us talk about scope selection, because this is a genuine decision point. snsapi base returns only the Open ID - a unique identifier for that user within your Official Account. It requires no user consent prompt. The authentication is invisible to the user. This is ideal for returning guests you have already profiled, or for venues where you want zero friction. snsapi userinfo returns the Open ID plus the user's WeChat nickname, profile picture, gender, language setting, and city. It requires an explicit consent screen. Most users accept, but there is friction. The right choice depends on your use case. For a first-time guest registration where you want to build a profile, use snsapi userinfo and pair it with a GDPR-compliant consent layer on your portal page. For a returning guest who has already consented and whose profile you already hold, use snsapi base for silent re-authentication. Now, the network enforcement side. Getting an OAuth token proves identity, but it does not automatically open the network. You need a mechanism to translate a successful authentication into network access. The two standard approaches are RADIUS Change of Authorisation, defined in RFC 3576, and MAC address bypass. With RADIUS CoA, your portal server sends a CoA request to the network controller after successful OAuth, and the controller moves the device from the unauthenticated VLAN to the guest VLAN. This works with Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, and most enterprise-grade controllers. With MAC bypass, the portal server registers the device's MAC address as an authorised client, and the controller allows it. MAC bypass is simpler to implement but less secure, because MAC addresses can be spoofed. Purple's Guest WiFi platform handles both mechanisms. After WeChat OAuth completes, Purple's cloud overlay sends the appropriate signal to the underlying hardware - whether that is Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, Ubiquiti UniFi, Cambium, Extreme, or Fortinet. The venue operator does not need to manage that translation manually. --- IMPLEMENTATION RECOMMENDATIONS AND PITFALLS (approximately 2 minutes) Let me give you the five things that cause WeChat OAuth captive portal implementations to fail. First: the redirect URI mismatch. WeChat validates the redirect URI against the authorised domain you registered on the platform. If your portal server uses a different subdomain, a different path, or HTTP instead of HTTPS, the OAuth flow fails with error 40029 - invalid code. Register every domain variant you use, including staging environments. Second: the App Secret on the client side. Your App Secret must never appear in client-side JavaScript. It belongs on your server. If it is exposed, anyone can impersonate your application and call WeChat's APIs on your behalf. Third: missing CSRF protection. The state parameter in the OAuth request exists specifically to prevent cross-site request forgery. Generate a cryptographically random state value, store it in the user's session, and validate it when WeChat redirects back. Skip this and you have a real vulnerability. Fourth: the in-app browser detection gap. WeChat's in-app browser sets a specific user agent string containing MicroMessenger. If your portal does not detect this and serve the correct OAuth flow, users get a broken experience or an error. Fifth: GDPR and PIPL alignment. If you serve European visitors, GDPR applies. If you serve Chinese visitors, China's Personal Information Protection Law - PIPL - applies. Both require a lawful basis for processing, clear purpose limitation, and data minimisation. snsapi base is easier to justify under data minimisation principles than snsapi userinfo. Whatever you collect, document your legal basis and your retention period. --- RAPID-FIRE Q AND A (approximately 1 minute) Can I use WeChat login on a portal that also offers email and SMS login? Yes. Most enterprise portal platforms, including Purple, support multiple authentication methods on the same portal page. Does WeChat OAuth work on iOS? Yes. WeChat login in Safari on iOS works via the QR code flow or redirect flow. The WeChat app itself handles the authentication. What happens if WeChat's API is unavailable? Implement a fallback. If the WeChat API call times out or returns an error, redirect the user to an alternative login method. Can I use the Open ID as a persistent customer identifier? Within your Official Account, yes. For cross-account identity resolution across multiple properties, use the UnionID instead. --- SUMMARY AND NEXT STEPS (approximately 1 minute) To summarise. WeChat OAuth authentication for captive portals is a two-platform registration exercise, a scope decision, a network enforcement integration, and a compliance review. Get those four things right and you have a login method that serves over a billion potential visitors with zero password friction. The practical next steps: determine whether your visitors encounter the portal inside the WeChat in-app browser or in a standard mobile browser. Decide on scope - snsapi base for returning guests, snsapi userinfo for first-time registration with consent. Confirm your network hardware supports RADIUS CoA. Review your privacy notice against GDPR and PIPL. Test the redirect URI, the state parameter validation, and the in-app browser detection before you go live. If you want to see how Purple handles WeChat OAuth as part of a broader Guest WiFi and analytics platform - across 80,000 venues and 440 million logins in 2024 - visit purple.ai or speak to your account team. Thanks for listening. --- END OF SCRIPT

header_image.png

执行摘要

当中国访客连接到您的企业网络,并遇到一个仅提供电子邮件、Facebook 或凭证码的 Captive Portal 时,您会立即给他们带来使用阻碍。根据腾讯 2024 年的数据,微信拥有 13.8 亿月活跃用户。集成微信登录访客 WiFi 功能不仅是酒店业的一种便利服务,更是无缝获取该用户群体第一方数据的技术要求。

本指南详细介绍了将微信 OAuth 2.0 认证集成到 Captive Portal 中的技术架构。它解释了支持标准移动浏览器和微信内置浏览器所需的双平台注册,评估了用于数据收集的 snsapi_basesnsapi_userinfo scope 之间的权衡,并概述了如何使用 RADIUS Change of Authorization (CoA) 或 MAC 认证绕过来强制执行网络访问。它还涵盖了在 Cisco Meraki、HPE Aruba、Ruckus、Juniper Mist、Ubiquiti UniFi、Cambium、Extreme 和 Fortinet 基础设施中大规模部署所需的安全性配置和合规性指令(GDPR 和中国 PIPL)。

技术深潜:微信 OAuth 2.0 架构

Captive Portal 会拦截来自未认证设备的 HTTP 流量,并将其重定向到托管在 Portal 服务器上的登录页面。添加微信认证会使用 OAuth 2.0 协议(与 Google、Microsoft Entra ID 和 Okta 用于联合身份的标准相同)将第三方身份提供商引入此流程中。

oauth_flow_diagram.png

认证顺序如下。访客连接到 SSID。接入点或无线控制器检测到未认证的会话,并将 HTTP 流量重定向到 Captive Portal URL。访客在 Portal 页面上选择微信登录。Portal 服务器将浏览器重定向到微信位于 open.weixin.qq.com 的授权端点,并传递 AppID、重定向 URI、响应类型 code 以及请求的 scope。微信在其自己的服务器上处理认证。如果访客使用带有 snsapi_base scope 的微信内置浏览器,则认证是静默进行的——不会出现同意提示。如果使用 snsapi_userinfo,微信会显示一个同意屏幕。然后,微信会携带临时授权码重定向回 Portal 的重定向 URI。Portal 服务器通过调用 api.weixin.qq.com/sns/oauth2/access_token 并传递 AppIDAppSecret、该 code 以及 authorization_code 的授权类型,来将此 code 兑换为 access token。微信返回 access token、refresh token、用户的 OpenID 以及授予的 scope。如果授予了 snsapi_userinfo,服务器将发起第二次 API 调用以检索用户的昵称、头像、性别和城市。

双平台注册要求

大多数实施在注册阶段失败。微信运营着两个独立的开发者平台,企业部署通常两者都需要。

平台 URL 所需账号类型 支持的 Scope 浏览器上下文
公众平台 mp.weixin.qq.com 服务号 snsapi_base, snsapi_userinfo 微信内置浏览器
开放平台 open.weixin.qq.com 网站应用 snsapi_login 标准移动浏览器

对于在微信内置浏览器中访问 Portal 的访客,您需要在公众平台上拥有一个服务号。订阅号将无法工作——它缺少 OAuth 网页授权权限。对于从 Android 上的 Chrome 或 iOS 上的 Safari 访问 Portal 的访客,您需要在开放平台上拥有一个网站应用,该应用使用 snsapi_login scope 并向用户展示一个用于扫描的二维码。

在实践中,大多数场所部署都会同时使用这两者。酒店的访客可能会在 Chrome 中打开 Portal,看到一个二维码,用微信扫描它,然后进行认证。或者,他们可能会点击微信内部的链接,进入内置浏览器,并使用 snsapi_base 进行静默认证。

Scope 选择:数据获取 vs. 使用阻碍

scope_comparison.png

您请求的 scope 决定了您收集的数据以及访客体验到的阻碍。这是一个具有合规性影响的真正决策点。

snsapi_base 仅返回 OpenID——该用户在您公众号内的唯一标识符。它不需要用户同意提示。认证对访客来说是无感的。适用于您已拥有其个人资料的返店访客,或者当您优先考虑无缝访问时。在 GDPR 和 PIPL 数据最小化原则下,snsapi_base 更容易获得合规性支持。

snsapi_userinfo 返回 OpenID 以及用户的昵称、头像、性别和城市。它需要一个明确的同意屏幕。适用于您需要建立个人资料的首次到访访客注册,并配合 Portal 页面上符合合规要求的同意层。

适用于多场所部署的 UnionID

OpenID 对于用户和特定公众号的组合是唯一的。一个拥有 20 家分店且每家分店都有自己公众号的酒店集团,对于同一个访客会看到 20 个不同的 OpenID。UnionID 解决了这个问题。它是一个单一标识符,代表绑定到同一个开放平台账号的所有公众号和应用中的用户。将您的公众号绑定到您的开放平台账号,UnionID 就会在 OAuth 响应中返回。这是 cr 的基础oss-property 宾客识别。

实施指南

网络强制执行机制

获取 OAuth 令牌可以证明身份,但并不能打开网络。您必须向控制器发送信号以允许流量通过。

RADIUS 授权变更 (CoA)(在 RFC 3576 中定义)是推荐的企业级方法。在 OAuth 成功后,portal 服务器向网络控制器发送 CoA 请求。控制器将设备从预认证 VLAN 移动到访客 VLAN。这适用于 Cisco Meraki、HPE Aruba、Ruckus、Juniper Mist、Ubiquiti UniFi、Cambium、Extreme 和 Fortinet。

MAC 认证绕过 (MAB) 将设备的 MAC 地址作为已授权客户端注册到 RADIUS 数据库中。控制器根据该 MAC 地址允许访问。MAB 的实现较为简单,但不可靠:现代 iOS 和 Android 设备默认会随机化 MAC 地址,从而在重新连接时破坏会话关联。

Purple 的 Guest WiFi 平台可自动完成此转换。微信 OAuth 完成后,Purple 的云覆盖网络会向底层硬件发送相应的 CoA 或 MAB 信号,从而免去了手动配置 VLAN 的麻烦。

安全配置

有三项配置是不可妥协的。

  1. 保护 AppSecret。 AppSecret 绝不能出现在客户端 JavaScript 中。它必须保留在您的服务器上。如果泄露,攻击者可以冒充您的应用程序并代表您调用微信 API。
  2. 实现 CSRF 防护。 生成一个加密随机的 state 值,将其存储在用户的会话中,并在微信重定向返回时进行验证。这可以防止 RFC 6749 中定义的跨站请求伪造攻击。
  3. 注册所有重定向 URI 变体。 微信会根据您注册的域名验证重定向 URI。请注册您使用的每个子域名和路径变体(包括暂存环境),以防止出现错误 40029(无效代码)。

应用内浏览器检测

微信的应用内浏览器会设置包含 MicroMessenger 的用户代理 (User Agent) 字符串。您的 portal 必须检测到此字符串并进行相应路由:应用内浏览器走公众号流程,标准浏览器走开放平台二维码流程。未能检测到此字符串会导致体验中断或认证错误。

hotel_wechat_wifi.png

最佳实践与合规性

GDPR 合规性

如果您为欧洲访客提供服务或在欧洲运营,GDPR 适用于您通过微信 OAuth 收集的数据。您必须建立合法的处理依据——通常是同意或合法利益。在认证之前,您必须在 Captive Portal 上提供清晰的隐私声明。您必须满足主体访问请求和删除请求。有关详细的合规框架,请参阅 合规手册:GDPR 与 Guest WiFi 数据隐私

PIPL 合规性

当您处理中国公民的个人数据时,中国的《个人信息保护法》(PIPL) 适用。与 GDPR 类似,PIPL 要求明确的目的限制、数据最小化以及书面的合法依据。snsapi_base 在数据最小化原则下比 snsapi_userinfo 更容易证明其合理性。无论您收集什么,请在上线前记录您的法律依据和保留期限。

网络隔离

使用 VLAN 隔离将访客 WiFi 流量与您的企业网络隔离开来。通过微信认证的访客应进入专用的访客 VLAN,且仅具有互联网访问权限——无法访问内部系统。这符合 PCI DSS 关于持卡人数据环境隔离的要求以及通用的企业安全实践。有关隔离架构的更多信息,请参阅 带宽管理:2026 年实用指南

备用认证

如果微信的 API 不可用,您的 portal 必须重定向到备用登录方法。不要让访客面对空白屏幕。回退到电子邮件或短信可确保连续性。这对于 交通运输医疗保健 环境中的场所尤为重要,在这些环境中,网络连接是一项服务义务。

真实案例研究

酒店业:奢华酒店集团

伦敦一家拥有 400 间客房的奢华酒店接待了很大比例的中国大陆游客。他们现有的 Captive Portal 需要电子邮件地址和短信验证。中国手机号码经常无法接收来自欧洲运营商的短信,而且许多客人的设备上没有配置本地电子邮件。结果导致 portal 的流失率高达 60%。

该酒店在微信公众平台注册了服务号,并在开放平台注册了网站应用。Portal 检测到 MicroMessenger 用户代理,并为应用内浏览器用户触发 snsapi_base——在不到三秒的时间内将他们连接上网,且无需弹出同意屏幕。通过 Chrome 或 Safari 访问的访客会看到一个二维码。在后续入住时,系统会识别出相同的 OpenID,并对访客进行静默重新认证。酒店的 CRM 会记录再次光临,从而实现有针对性的抵达前沟通。有关在酒店环境中部署 WiFi 的更多信息,请参阅 酒店业

零售业:购物中心分析

一家大型购物中心希望获取中国消费者的客群属性数据,以辅助商铺组合和营销决策。他们需要出发城市、性别和到访频率。仅靠 snsapi_base 是不够的——他们需要 snsapi_userinfo。Portal 会请求完整的 userinfo 作用域。访客会看到微信授权屏幕并点击“允许”。该购物中心的分析平台与 Purple 的 WiFi Analytics 集成,可接收经过验证的客群属性数据流。在周六下午,40% 的 WiFi 用户来自特定区域。这些数据直接y 提供了关于应该联系哪些品牌开展快闪活动的信息。欲了解更多关于零售 WiFi 部署的信息,请参阅 零售

故障排除与风险缓解

在微信 OAuth Captive Portal 部署中,最常见的五种失败模式如下。

重定向 URI 不匹配(错误 40029)。 微信会根据注册的域名验证重定向 URI。任何子域名、路径或协议的不匹配都会导致代码交换失败。请注册每一个变体,包括暂存环境。

AppSecret 泄露。 将 AppSecret 嵌入到客户端代码中是最严重的安全错误。请将所有令牌交换逻辑移至服务器端。

缺失 CSRF 保护。 忽略 state 参数验证会使门户容易受到跨站请求伪造攻击。请为每个会话生成一个加密随机值,并在回调时进行验证。

应用内浏览器检测失败。 未能在 user agent 中检测到 MicroMessenger 意味着应用内浏览器用户将被提供错误的 OAuth 流程,从而导致错误。

MAC 地址随机化破坏 MAB 会话。 现代移动操作系统会随机化 MAC 地址。使用基于 MAB 准入控制的访客在重新连接时将丢失其会话。请升级到 RADIUS CoA 以实现可靠的会话管理。有关安全 WiFi 配置的指导,请参阅 什么是安全 WiFi:2026 企业必备指南

投资回报率(ROI)与业务影响

部署微信登录访客 WiFi 功能具有三个可衡量的影响。

提高认证率。 消除短信验证失败点和邮箱输入要求,可以提高中国访客成功连接的比例。对于不支持微信的门户,60% 的流失率是一个现实的基准。

第一方数据质量。 经微信认证的个人资料包含已验证的 OpenID,并且通过 snsapi_userinfo,可以直接获取来自该社交平台的人口统计属性。这些数据会导入分析平台,以驱动精准营销,而无需依赖第三方 Cookie。

减少支持开销。 无缝登录减少了国际访客因排查连接问题而拨打前台和 IT 支持电话的次数。

Purple 的业务覆盖 80,000 多个场所,并在 2024 年处理了 4.4 亿次登录(Purple 内部数据)。该平台已通过 ISO 27001 认证,符合 GDPR 和 CCPA 标准,并保持 99.999% 的在线率。对于 零售酒店住宿 领域的场所,微信认证将网络从成本中心转变为可靠的第一方数据获取渠道。

关键定义

Captive portal

A web page that intercepts HTTP traffic from an unauthenticated device and requires the user to interact with it before network access is granted.

The primary interface where the WeChat login option is presented to the guest. The portal server hosts this page and orchestrates the OAuth flow.

OAuth 2.0

An industry-standard authorisation protocol (RFC 6749) that allows a third-party application to obtain limited access to an HTTP service on behalf of a user.

The underlying protocol WeChat uses to pass authentication tokens to the portal server without exposing user credentials. The same protocol used by Microsoft Entra ID, Okta, and Google Workspace.

OpenID

A unique alphanumeric identifier assigned to a specific WeChat user for a specific Official Account.

Used as the primary key to identify returning guests in the WiFi analytics database. Changes per Official Account - use UnionID for cross-property recognition.

UnionID

A single WeChat identifier representing a user across all Official Accounts and apps linked to the same Open Platform account.

Essential for hotel groups, retail chains, and stadium operators with multiple venues who need to recognise the same guest across their entire estate.

RADIUS CoA (Change of Authorization)

An extension to the RADIUS protocol (RFC 3576) that allows a RADIUS server to dynamically change the authorisation attributes of an active session.

The secure method used to move a guest device from an isolated pre-authentication VLAN to the active internet VLAN after successful WeChat login. Supported by Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, Ubiquiti UniFi, Cambium, Extreme, and Fortinet.

snsapi_base

A WeChat OAuth scope that returns only the user's OpenID and requires no consent prompt from the user.

The recommended scope for returning guest re-authentication. Easier to justify under GDPR and PIPL data minimisation principles.

snsapi_userinfo

A WeChat OAuth scope that returns the user's OpenID, nickname, avatar, gender, and city, and requires an explicit consent screen.

Used for first-time guest registration where demographic data is required for analytics. Requires documented lawful basis under GDPR and PIPL.

PIPL (Personal Information Protection Law)

China's comprehensive data privacy legislation, effective November 2021, regulating the processing of personal information of natural persons located in China.

Applies when venues process data from Chinese citizens via WeChat OAuth. Requires clear consent, purpose limitation, data minimisation, and a deletion mechanism.

AppSecret

A confidential cryptographic key issued by WeChat during application registration, used to authenticate API calls from the portal server.

Must be stored exclusively on the server side. Exposure in client-side JavaScript allows attackers to impersonate the application and call WeChat APIs maliciously.

应用实例

A 400-room luxury hotel in London has a 60% portal drop-off rate among guests from mainland China. The current portal requires email and SMS verification. The IT Director needs to implement WeChat authentication while maintaining GDPR compliance and network security.

Step 1: Register a Service Account on the WeChat Official Accounts Platform (mp.weixin.qq.com) and a Website Application on the WeChat Open Platform (open.weixin.qq.com). Step 2: Configure the portal to detect the MicroMessenger user agent string. If detected, trigger the snsapi_base OAuth flow for silent authentication. If not detected, present the QR code flow. Step 3: Add a GDPR-compliant privacy notice and consent checkbox to the portal page before the WeChat login button becomes active. The notice must state: data collected (OpenID only), purpose (guest WiFi access and return visit recognition), and retention period. Step 4: After successful OAuth token exchange, the portal server issues a RADIUS CoA request to the Cisco Meraki controller, moving the guest device from the pre-auth VLAN to the segmented guest VLAN. Step 5: Store the OpenID against the device MAC address in the guest database. On subsequent visits, the returning OpenID triggers silent re-authentication.

考官评语: This approach correctly addresses both the technical and compliance requirements. Using snsapi_base aligns with GDPR data minimisation principles, reducing legal risk while eliminating the SMS verification failure point. RADIUS CoA ensures secure, automated network segmentation. The consent checkbox satisfies the GDPR requirement for a documented lawful basis. The key decision is snsapi_base over snsapi_userinfo - the hotel does not need demographic data for this use case, so collecting it would introduce unnecessary compliance obligations.

A retail mall wants to capture gender and city data from Chinese shoppers via guest WiFi to feed into their analytics platform. They currently use MAC Authentication Bypass for their existing portal running on HPE Aruba hardware.

Step 1: Register a Service Account on the WeChat Official Accounts Platform. Step 2: Configure the portal to use snsapi_userinfo scope to retrieve gender and city. Step 3: Add a clear consent screen explaining the value exchange: free WiFi in return for profile data access. The consent must be explicit and granular under both GDPR and PIPL. Step 4: After authentication, the portal server registers the device's MAC address in the RADIUS database. The HPE Aruba controller permits access via MAB. Step 5: Document the lawful basis (consent), purpose (venue analytics and marketing), and retention period (24 months) in a data processing register. Provide a data deletion mechanism.

考官评语: The snsapi_userinfo scope correctly retrieves the required demographic data. However, relying on MAB introduces a significant operational risk: iOS 14+ and Android 10+ randomise MAC addresses by default, meaning guests will lose their authenticated session on reconnect and be forced to re-authenticate. The mall should plan to migrate to RADIUS CoA on HPE Aruba to resolve this. The PIPL compliance documentation is not optional - it is a legal requirement for processing data from Chinese citizens, regardless of where the venue is located.

练习题

Q1. You are deploying a captive portal at a stadium. You want returning season ticket holders who have previously authenticated to connect automatically without seeing a login screen on subsequent visits. Which WeChat OAuth scope should you implement for the re-authentication flow, and why?

提示:Consider which scope allows for silent authentication without prompting the user for consent on each visit.

查看标准答案

Use snsapi_base. This scope returns only the user's OpenID and requires no consent prompt, enabling silent re-authentication. On the first visit, you store the OpenID against the fan's profile. On subsequent visits, the portal detects the returning OpenID via snsapi_base, confirms the match, and issues a RADIUS CoA to grant access - all without the fan seeing a login screen. This also aligns with GDPR data minimisation principles, as you are not collecting additional data beyond what is needed for the authentication function.

Q2. During testing, your portal successfully redirects to WeChat, the user grants consent, and WeChat redirects back to your portal. However, the portal server logs show OAuth error 40029 (invalid code). What is the most likely configuration error, and how do you resolve it?

提示:WeChat strictly validates the destination it sends the authorisation code to against a registered list.

查看标准答案

The most likely cause is a redirect URI mismatch. WeChat validates the redirect URI in the OAuth request against the authorised domain registered on the platform. If the portal server uses a different subdomain, a different path, or HTTP instead of HTTPS, the code exchange fails with error 40029. Resolution: log into the WeChat developer platform, navigate to your Service Account or Website Application settings, and add every redirect URI variant you use - including staging subdomains, different paths, and HTTPS versions. Ensure the redirect_uri parameter in your OAuth request exactly matches one of the registered URIs, including URL encoding.

Q3. An IT manager proposes embedding the WeChat AppSecret in the captive portal's front-end JavaScript to speed up the token exchange process directly from the client browser. Why must you reject this proposal, and what is the correct architecture?

提示:Consider the security implications of exposing cryptographic keys in publicly accessible code.

查看标准答案

Reject this proposal. The AppSecret is a confidential cryptographic key. Embedding it in client-side JavaScript exposes it to anyone who views the page source or intercepts network traffic. An attacker can extract the AppSecret and impersonate the application, calling WeChat APIs on the venue's behalf, accessing user data, and potentially compromising the entire Official Account. The correct architecture: the client-side portal page receives the authorisation code from WeChat and forwards it to the portal server via a server-side API call. The portal server holds the AppSecret in a secure environment variable and performs the token exchange with WeChat's API. The AppSecret never leaves the server.

Q4. A hotel group with 15 properties across Europe wants to build a unified guest profile that recognises when the same Chinese guest stays at different properties. Each property has its own WeChat Official Account. What WeChat identifier should they use, and what configuration is required?

提示:The OpenID is account-specific. There is a different identifier designed for cross-account recognition.

查看标准答案

Use the UnionID. The OpenID changes per Official Account, so the same guest will have 15 different OpenIDs across 15 accounts. The UnionID is a stable identifier representing a user across all Official Accounts and apps linked to the same Open Platform account. Configuration required: link all 15 Official Accounts to a single WeChat Open Platform account. Once linked, the UnionID is returned in the OAuth response when the user has authorised at least one of the linked accounts. Use the UnionID as the primary key in the guest CRM to build cross-property profiles and recognise returning guests regardless of which property they visit.

继续阅读本系列

如何在 Starlink 上设置 Captive Portal:远程与海洋场所指南

本指南详细介绍了如何绕过原生 Starlink 硬件,并使用企业级路由设备集成云端托管的 Captive Portal。您将学习如何克服 CGNAT 限制、强制执行 VLAN 隔离、管理卫星带宽限制并确保合规性。

阅读指南 →

酒店访客 WiFi 管理:整合 PMS、门户与品牌标准

本技术指南详细介绍了如何构建企业级酒店 WiFi 网络,重点关注 VLAN 隔离、用于自动化会话管理的 PMS 集成,以及符合 GDPR 合规要求的数据采集 Captive Portal 优化。

阅读指南 →

Captive Portal Best Practices: Designing for High Conversion and Compliance

本技术指南为 IT 经理、网络架构师和场所运营总监提供了部署 Captive Portal 的完整蓝图,旨在平衡网络安全与高用户转化率。内容涵盖了从 VLAN 划分、RADIUS 认证到符合 GDPR 的同意设计以及认证方式选择的完整架构。结合 Purple 在 2024 年覆盖 80,000 多个场所、4.4 亿次登录的运营经验,每项建议均基于真实的部署数据。

阅读指南 →