If your application is connected with the Taobao open platform, user's private information (e.g., item, order, favorite, etc.) shall be acquired to ensure security and privacy of user data. Your application shall be authorized by the user. In these cases, your application needs to guide the user to complete the flow of “using Taobao account to log in and authorize”.
Taobao ID (Taobao account) products of Taobao are subject to international common OAuth2.0 standard protocol which is taken as user ID verification and authorization protocol and supports website, mobile phone client and desktop client. For more information about technical documentation of OAuth2.0, refer to official website (http://oauth.net/2/). At present, Taobao OAuth2.0 service supports the following four modes of acquiring Access Token (authorization token):
· Server-side flow: This flow requires ISV application to have Web Server application so as to keep secret key and state of the application, and directly access to authorized server of Taobao by https
See More:Tmall.hk
· Client-side flow: It is applicable to the application which has no independent server but can access to the authorized server by browser or JS script.
See More:Tmall.hk
Taobao ID (Taobao account) products can not be used for Taobao membership services (e.g., order inquiry, logistics tracking) provided by non-official channel of Alibaba Group to Taobao buyers. Once violation is found, the open platform will take Taobao ID authority of the appkey back immediately.
redirect_uri refers to the process that the transferred callback address parameter turns to redirect_uri after the application is authorized by the user when request is initiated by the application.
callback refers to the completed callback address link during registration of application or domain name address verified during network access.
Relevant rules are as follows:
(1) For Server-side flow, redirect_uri is a mandatory parameter, and redirect_uri shall be consistent with the top level domain name of callback.
(2) For Client-side flow, redirect_uri is an optional parameter. If redirect_uri is transferred, the corresponding intermediate parameter will return to redirect_uri, and redirect_ur shall be consistent with the top level domain name of callback. If redirect_uri is not transferred, verification is unnecessary, and corresponding intermediate parameter will be returned to Taobao default authorization return page.
(3) In the case of unexpected error, return to default error page.
Optional values of view parameters include web, tmall and wap,
Web corresponds to the page form of browser on common PC port (Taobao logo).
Tmall corresponds to the page form of Tmall browser.
Wap corresponds to the page form of browser on wireless port.
Access Token is session key issued after being authorized by the user, and the application needs access token when accessing user data.
Error message |
Error cause |
request method must be get |
GET method must be used for the request |
request method must be post |
POST method must be used for the request |
client_id is empty |
client_id (i.e., appkey) cannot be empty |
response_type is empty |
response_type cannot be empty |
redirect_uri is empty |
redirect_uri cannot be empty |
grant type is empty |
grant type cannot be empty |
authorize code is empty |
authorize code cannot be empty |
unsupported response type,the response type must code or token |
Value of response type must be code or token |
redirect_uri is invalidate |
If verification of redirect_uri fails, please check to see if callback address registered at the developer center and redirect_uri are consistent |
the grant type unsupported |
Value of grant type is invalid |
authorize reject |
The user rejects to authorize |
authorize code expire |
Please authorize again as authorize code expires |
authorize code xxxx invalidate,please authorize again. |
Please authorize again as authorize code expires |
client_secret is invalidate |
Verification of app secret fails |
xss chars included in params, such as <, >, ', " |
Characters such as: <, >, ', " are included in request parameters. |
The Application already Bind with user ids:xxx |
App is already bound with user xxx. The bound user nick is set in “Authorization management” page of the developer center |
Can not find the client_id:xxxxx |
client_id (i.e., appkey) cannot be found |
Application need publish |
Only application in states “formal environment testing” and “online operation” is authorized |
Application xxx need purchase |
Use after ordering |
app call back is invalidate |
The applied callback address is illegal |
application callback can not match the redirect_uri |
redirect_uri can not match callback address configured previously |
only support http or https |
Callback URL only supports https or http protocol |
application in black list,access forbidden. |
app is included in blacklist |
application session type must be common |
Type of session key is incorrect (only supporting existing common sessionkey and order type sessionkey) |
The application don't need session |
The application does not need session key and refresh session key |
session key num is larger than xx |
Number of effective session keys is beyond the upper limit |
userid is invalidate |
userId is invalid |
login failure |
User fails to log in |
login sign failure |
Wireless login signature fails |
taobao staff can't accredit |
Taobao staff is not allowed to access |
subuser can't access |
Sub-account access is not supported in the application |
parent account forbid this sub account to access app. |
Sub-account is not authorized to access application by the parent account |
parent account forbidden |
Parent account does not authorize or authorization expires |
refresh token is empty |
refresh token is empty |
refresh token is error:xxxx |
Resolution fails in error content of refresh token |
refresh token is invalid |
refresh token is invalid |
refresh times limit exceed |
When refreshing frequency is beyond the upper limit, one session key can be refreshed for at most 60 times a day |
session expire |
The current session has expired as the user pauses for long time and has timed out in browser |
OAUTH SERVER ERROR:xxxxx |
An internal error occurs to the system, please try again. |
Iossdk params is lack |
Lack ios sdk protocol parameters |
iossdk track_id is invalid |
track id of ios sdk protocol parameter fails to be validated. Please check app secret |
iossdk params check failed |
ios sdk protocol parameter fails to be checked |
