
Python 3 library for connecting to ESIA: esia-connector

It all started when the Ministry of Communications and Mass Media allowed the public services portal to identify and authenticate users on non-governmental websites. This is done through the ESIA service (Unified Identification and Authentication System, esia.gosuslugi.ru). The customer of our project was among the first five participants to apply for integration with ESIA, which meant that we had to support this integration.

We found no open, free solution suitable for our technology stack, so after developing one ourselves, with the customer's blessing, we decided to share it (BSD license).

So we present the esia-connector project, written in Python 3, which uses the openssl command-line utility and has been tested only on Debian-based systems.
Package: pypi.python.org/pypi/esia-connector
Project: github.com/eigenmethod/esia-connector


We will not explain what ESIA is or what it offers in general, only what the current implementation of our library can do.
esia-connector allows you to:


Using


In order to connect to ESIA using the library you need to have on hand:
  1. A certificate, issued by a CA or self-signed, in the format described in the methodological guidelines, uploaded to both the test and the production ESIA server.
    Excerpt from the guidelines
    Issue the key container and the qualified electronic signature key certificate for the information system being connected (it must contain the OGRN of the legal entity operating the information system). Working with a key container and an unqualified electronic signature key certificate in X.509 version 3 format is also supported. In that case, a key container and a self-signed certificate for your system can be generated independently with the keytool utility from the Java Development Kit. The certificate is required to identify the information system when it interacts with ESIA. ESIA supports the RSA electronic signature algorithm with a 2048-bit key and the SHA-256 cryptographic hash algorithm, as well as the GOST R 34.10-2001 electronic signature algorithm with the GOST R 34.11-94 cryptographic hash algorithm.
  2. A system account for your company, issued by the ESIA support service, on the production and test servers. Its identifier must then be specified when creating the EsiaSettings object in place of the “YOUR_SYSTEM_ID” string.
  3. User accounts on the test and production ESIA servers for debugging and testing.
  4. The ESIA public keys (test and production) for verifying the received token. These keys are not publicly available; technical support sends them by email on request.


To run the test case (a minimal Flask web application is included in the library repository) you need to do the following.
Place the certificate previously uploaded to the ESIA server in the file “esia-connector/examples/res/test.crt”. In the same directory, place your private key under the name “test.key” and the ESIA public key mentioned above under the name “esia_pub.key”.
Then run the Flask application from the examples directory:
python flask_app.py 


The main page shows a correctly formed link to ESIA. When the user follows it, the ESIA server processes the data in the GET request, asks the user for their ESIA username and password and then, after a successful login, asks the user to grant our application access to ESIA. If access is granted, ESIA redirects to the page specified in the test example, where, using the token we have now received, we make a couple more requests to fetch the personal data of the user on whose behalf we are acting, and display that data on the same page.

Esia-connector usage example
  import os

  from flask import Flask, request

  from esia_connector.client import EsiaSettings, EsiaAuth


  def get_test_file(name):
      # Files are looked up in the "res" directory next to this script.
      return os.path.join(os.path.dirname(__file__), 'res', name)


  TEST_SETTINGS = EsiaSettings(esia_client_id='YOUR SYSTEM ID',
                               redirect_uri='http://localhost:5000/info',
                               certificate_file=get_test_file('test.crt'),
                               private_key_file=get_test_file('test.key'),
                               esia_token_check_key=get_test_file('esia_pub.key'),
                               esia_service_url='https://esia-portal1.test.gosuslugi.ru',
                               esia_scope='openid http://esia.gosuslugi.ru/usr_inf')

  assert TEST_SETTINGS.esia_client_id != 'YOUR SYSTEM ID', "Please specify real system id!"
  assert os.path.exists(TEST_SETTINGS.certificate_file), "Please place your certificate in res/test.crt !"
  assert os.path.exists(TEST_SETTINGS.private_key_file), "Please place your private key in res/test.key!"
  assert os.path.exists(TEST_SETTINGS.esia_token_check_key), "Please place ESIA public key in res/esia_pub.key !"

  app = Flask(__name__)
  esia_auth = EsiaAuth(TEST_SETTINGS)


  @app.route("/")
  def hello():
      # Build the signed link that sends the user to the ESIA login page.
      url = esia_auth.get_auth_url()
      return 'Start here: <a href="{0}">{0}</a>'.format(url)


  @app.route("/info")
  def process():
      # ESIA redirects back here with the authorization code and the state value.
      code = request.args.get('code')
      state = request.args.get('state')
      esia_connector = esia_auth.complete_authorization(code, state)
      inf = esia_connector.get_person_main_info()
      return "%s" % inf


  if __name__ == "__main__":
      app.run()
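The `/info` handler above trusts whatever `code` and `state` arrive on the redirect. The page does not say whether the library itself checks `state`, so the following added example (not part of esia-connector, with the hypothetical helpers StateStore and code_from_callback) shows how the application can bind the state it put into the login link to the browser session that started the login, and accept each value only once and only before it expires:

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

STATE_TTL = 300  # seconds a started login stays valid (assumed value)


class StateStore:
    """Remembers the state issued to each session; each value is single-use."""

    def __init__(self, now=time.time):
        self._pending = {}  # session_id -> (state, issued_at)
        self._now = now

    def issue(self, session_id):
        # 32 random bytes: the value must be unguessable by a third party.
        state = secrets.token_urlsafe(32)
        self._pending[session_id] = (state, self._now())
        return state

    def consume(self, session_id, state):
        """True only for the state this session was issued, once, before expiry."""
        # Pop unconditionally: a wrong guess also invalidates the pending login.
        entry = self._pending.pop(session_id, None)
        if entry is None or not state:
            return False
        expected, issued_at = entry
        if self._now() - issued_at > STATE_TTL:
            return False
        return hmac.compare_digest(expected, state)


def code_from_callback(store, session_id, callback_url):
    """Return the authorization code from the redirect back to redirect_uri,
    or None when the state does not match what this session was issued."""
    params = parse_qs(urlparse(callback_url).query)
    code = params.get('code', [None])[0]
    state = params.get('state', [''])[0]
    if code is None or not store.consume(session_id, state):
        return None
    return code  # only now hand code and state to complete_authorization()
```

In the Flask example the session id would come from the application's own session cookie, and `store.issue()` would be called when `get_auth_url()` builds the link.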



Implementation


The library's design is trivial and needs no commentary. Once it was written, it became clear that it could have been designed better, so that the user of the library has to perform fewer steps against its interface.
It is worth noting that the openssl command-line utility is used for signing, which means an extra step of writing the data to a temporary file.
We are satisfied with the current implementation, but it would be better to use pyopenssl.

We have no plans to develop the library further until the project has requirements for it, and there are none in the near future.
If you use esia-connector in your projects and add or fix something along the way, send pull requests; we will be happy to include them.

What could be done:
  1. Reorganize the library interface for ease of use.
  2. Replace the use of openssl with pyopenssl.
  3. Develop functionality for obtaining other data from the ESIA.
  4. Support an alternative data exchange protocol implemented in the ESIA (SAML).
  5. Implement wrappers for popular frameworks, for example Django and Flask, possibly as separate projects.


Links


  1. Guidelines for the use of ESIA: minsvyaz.ru/ru/documents/4243
  2. Regulations for information interaction: www.minsvyaz.ru/ru/documents/4244
  3. News about the possibility of integration with ESIA: www.kommersant.ru/doc/2832483
  4. Open-source PHP implementation: github.com/fr05t1k/esia

Source: https://habr.com/ru/post/271827/
