Integration with ESIA based on oauth2-client (PHP)

Introducing yet another PHP integration package with ESIA - ekapusta/oauth2-esia. Implemented as an adapter to the popular league/oauth2-client.
Organizational moments
Integration with ESIA affects government agencies, financial and insurance companies, credit organizations (banks, microfinance), organizations with public wi-fi and others to whom the government will give the green light in the future. The main organizational items are described on Habré at the request of " ESIA ", the current versions of documents are available at . website , and support can be obtained in a relatively reasonable time through [email protected] .
Why is this package?
- Obtaining the basic and embedded data of a citizen is done in one request, using available in ESIA
embeds. Those. to get contacts / addresses, you will not need to do N more separate requests. - Two options for signing a request: through the CLI and through the built-in PHP functions. That allows you to work on RSA and GOST'u. The CLI subscriber does not need a temporary directory.
- The signature of the access token is verified by the ESIA public keys.
- It is based on a test covered one
league/oauth2-client, to which it is an adapter without reinventing bicycles and is itself 100% covered in tests. - There are integration elements in the tests - an authentication bot that goes to a real test stand. Thanks to headless chrome.
- The generation of the state and the analysis of the JWT token uses packages specially written for this:
ramsey/uuidandlcobucci/jwt. - Compatible with PHP
^ 5.6 || ^ 7.0.
Show the code!
Configurable
use Ekapusta\OAuth2Esia\Provider\EsiaProvider;
use Ekapusta\OAuth2Esia\Security\Signer\OpensslPkcs7;
$provider = new EsiaProvider([
'clientId' => 'XXXXXX', // "Мненомика" в терминах ЕСИА
'redirectUri' => 'https://your-system.domain/auth/finish/',
'defaultScopes' => ['openid', 'fullname', '...'], // Скоупы описаны в методичке
// Для работы с тестовой версией портала
// 'remoteUrl' => 'https://esia-portal1.test.gosuslugi.ru',
// 'remoteCertificatePath' => EsiaProvider::RESOURCES.'esia.test.cer',
], [
'signer' => new OpensslPkcs7('/path/to/public/certificate.cer', '/path/to/private.key')
]);Which signer to use?
- If you use RSA keys, that's enough
OpensslPkcs7. - If you use GOST keys and compiled PHP with GOST ciphers, then that's enough
OpensslPkcs7. - If you use GOST keys and have an openssl compatible tool, use
OpensslCli. It has the parameter "toolpath". - If you use GOST keys and a docker fan, you can use
OpensslCliwith a parameter'toolpath' => 'docker run --rm -i -v $(pwd):$(pwd) -w $(pwd) rnix/openssl-gost openssl'.
Redirect visitor to ESIA
At the same time saving the state for later verification.
// Где-то страничке https://your-system.domain/auth/start/
$authUrl = $provider->getAuthorizationUrl();
$_SESSION['oauth2.esia.state'] = $provider->getState();
header('Location: '.$authUrl);
exit;Get user data
Checking the state and changing the code to an authentication token.
// Где-то страничке https://your-system.domain/auth/finish/?state=...&code=...
if ($_SESSION['oauth2.esia.state'] !== $_GET['state']) {
exit('The guard unravels the crossword.');
}
$token = $provider->getAccessToken('authorization_code', ['code' => $_GET['code']]);
$esiaPersonData = $provider->getResourceOwner($accessToken);
var_export($esiaPersonData->toArray());How to update a token?
Standard, as described in the documentation for oauth2-client
We thank you for your attention
The package is overseen by the fintech company in which I work. Not tested on animals.
UPD1
The bonus is the symfony bundle ekapusta/oauth2-esia-bundle:
- php:
^5.6 || ^7.0 - the symfony:
^2.8 || ^3 || ^4.