Integration with ESIA based on oauth2-client (PHP)
We present yet another PHP integration package with ESIA - ekapusta/oauth2-esia . Implemented as an adapter to the popular league/oauth2-client .
Organizational Issues
Integration with the ESIA involves government agencies, financial and insurance companies, credit institutions (banks, microfinance), organizations with public wi-fi and others whom the government will do well in the future. The main organizing documents are described on Habré at the request of " ESIA ", the current versions of the documents are available at the office. site , and support can be obtained in a relatively reasonable time frame through esia@minsvyaz.ru .
Why this package?
- Receipt of the citizen’s core and embedded data is done in one request using the
embedsavailable in the ESIA. Those. to receive contacts / addresses you will not need to make more N separate requests. - Two options for signing the request: through the CLI and through the built-in PHP-functions. That allows you to work on RSA and GOST'u. CLI signer does not need a temporary directory.
- The signature of the access token is verified by the ESIA public keys.
- It is based on the
league/oauth2-clientcovered with tests, to which it is an adapter, without inventing bicycles and is itself covered with tests for 100%. - There are integration elements in the tests - an authentication bot that goes to a real test facility. Thanks headless-chrome.
- State generation and parsing of the JWT token uses packages specifically written for this:
ramsey/uuidandlcobucci/jwt. - Compatible with PHP
^ 5.6 || ^ 7.0^ 5.6 || ^ 7.0.
Show the code!
Configuring
use Ekapusta\OAuth2Esia\Provider\EsiaProvider; use Ekapusta\OAuth2Esia\Security\Signer\OpensslPkcs7; $provider = new EsiaProvider([ 'clientId' => 'XXXXXX', // "" 'redirectUri' => 'https://your-system.domain/auth/finish/', 'defaultScopes' => ['openid', 'fullname', '...'], // // // 'remoteUrl' => 'https://esia-portal1.test.gosuslugi.ru', // 'remoteCertificatePath' => EsiaProvider::RESOURCES.'esia.test.cer', ], [ 'signer' => new OpensslPkcs7('/path/to/public/certificate.cer', '/path/to/private.key') ]); Which subscriber to use?
- If you are using RSA keys,
OpensslPkcs7sufficient. - If you use GOST keys and compiled PHP with GOST ciphers, then
OpensslPkcs7enough. - If you use GOST keys and have an openssl compatible tool, use
OpensslCli. It has a “toolpath” parameter. - If you use GOST keys and a docker fan, you can use
OpensslCliwith the parameter'toolpath' => 'docker run --rm -i -v $(pwd):$(pwd) -w $(pwd) rnix/openssl-gost openssl'.
Redirect client at ESIA
At the same time saving the state for subsequent verification.
// - https://your-system.domain/auth/start/ $authUrl = $provider->getAuthorizationUrl(); $_SESSION['oauth2.esia.state'] = $provider->getState(); header('Location: '.$authUrl); exit; Get user data
Checking the state and changing the code to an authentication token.
// - https://your-system.domain/auth/finish/?state=...&code=... if ($_SESSION['oauth2.esia.state'] !== $_GET['state']) { exit('The guard unravels the crossword.'); } $token = $provider->getAccessToken('authorization_code', ['code' => $_GET['code']]); $esiaPersonData = $provider->getResourceOwner($accessToken); var_export($esiaPersonData->toArray()); How to update the token?
Standard as described in the oauth2-client documentation
We thank you for your attention
Package zaopersorsen finteh-company in which I work. Not tested on animals.
UPD1
The symfony-bundle ekapusta/oauth2-esia-bundle :
- php:
^5.6 || ^7.0^5.6 || ^7.0 - symfony:
^2.8 || ^3 || ^4^2.8 || ^3 || ^4^2.8 || ^3 || ^4.
')
Source: https://habr.com/ru/post/358834/
All Articles