Back to Home

Integration with ESIA based on oauth2-client (PHP)

ESIA · ESIA · oauth2 · openconnect · gost · php · php5 · php7 · public services · fintech

Integration with ESIA based on oauth2-client (PHP)


    Introducing yet another PHP integration package with ESIA - ekapusta/oauth2-esia. Implemented as an adapter to the popular league/oauth2-client.


    Organizational moments


    Integration with ESIA affects government agencies, financial and insurance companies, credit organizations (banks, microfinance), organizations with public wi-fi and others to whom the government will give the green light in the future. The main organizational items are described on Habré at the request of " ESIA ", the current versions of documents are available at . website , and support can be obtained in a relatively reasonable time through [email protected] .


    Why is this package?


    Build statusCoverage statusSoftware License


    • Obtaining the basic and embedded data of a citizen is done in one request, using available in ESIA embeds. Those. to get contacts / addresses, you will not need to do N more separate requests.
    • Two options for signing a request: through the CLI and through the built-in PHP functions. That allows you to work on RSA and GOST'u. The CLI subscriber does not need a temporary directory.
    • The signature of the access token is verified by the ESIA public keys.
    • It is based on a test covered one league/oauth2-client, to which it is an adapter without reinventing bicycles and is itself 100% covered in tests.
    • There are integration elements in the tests - an authentication bot that goes to a real test stand. Thanks to headless chrome.
    • The generation of the state and the analysis of the JWT token uses packages specially written for this: ramsey/uuidand lcobucci/jwt.
    • Compatible with PHP ^ 5.6 || ^ 7.0.

    Show the code!


    Configurable


    use Ekapusta\OAuth2Esia\Provider\EsiaProvider;
    use Ekapusta\OAuth2Esia\Security\Signer\OpensslPkcs7;
    $provider = new EsiaProvider([
        'clientId'      => 'XXXXXX', // "Мненомика" в терминах ЕСИА
        'redirectUri'   => 'https://your-system.domain/auth/finish/',
        'defaultScopes' => ['openid', 'fullname', '...'], // Скоупы описаны в методичке
    // Для работы с тестовой версией портала
    //  'remoteUrl' => 'https://esia-portal1.test.gosuslugi.ru',
    //  'remoteCertificatePath' => EsiaProvider::RESOURCES.'esia.test.cer',
    ], [
        'signer' => new OpensslPkcs7('/path/to/public/certificate.cer', '/path/to/private.key')
    ]);

    Which signer to use?


    • If you use RSA keys, that's enough OpensslPkcs7.
    • If you use GOST keys and compiled PHP with GOST ciphers, then that's enough OpensslPkcs7.
    • If you use GOST keys and have an openssl compatible tool, use OpensslCli. It has the parameter "toolpath".
    • If you use GOST keys and a docker fan, you can use OpensslCliwith a parameter 'toolpath' => 'docker run --rm -i -v $(pwd):$(pwd) -w $(pwd) rnix/openssl-gost openssl'.

    Redirect visitor to ESIA


    At the same time saving the state for later verification.


    // Где-то страничке https://your-system.domain/auth/start/
    $authUrl = $provider->getAuthorizationUrl();
    $_SESSION['oauth2.esia.state'] = $provider->getState();
    header('Location: '.$authUrl);
    exit;

    Get user data


    Checking the state and changing the code to an authentication token.


    // Где-то страничке https://your-system.domain/auth/finish/?state=...&code=...
    if ($_SESSION['oauth2.esia.state'] !== $_GET['state']) {
        exit('The guard unravels the crossword.');
    }
    $token = $provider->getAccessToken('authorization_code', ['code' => $_GET['code']]);
    $esiaPersonData = $provider->getResourceOwner($accessToken);
    var_export($esiaPersonData->toArray());

    How to update a token?


    Standard, as described in the documentation for oauth2-client


    We thank you for your attention


    The package is overseen by the fintech company in which I work. Not tested on animals.


    UPD1


    The bonus is the symfony bundle ekapusta/oauth2-esia-bundle:


    • php: ^5.6 || ^7.0
    • the symfony: ^2.8 || ^3 || ^4.

    Read Next