How (and at which point in the authorization flow) do you correctly set a parameterized scope in ESIA?
Good afternoon.
We are struggling with portal authorization through ESIA using OAuth2 / OpenID Connect. Access to the system has been obtained, keys have been generated, and permission to use a specific list of scopes has been granted. In short, all the bureaucracy has been taken care of.
The list of scopes allowed for us is as follows: sbj_inf, openid, fullname, email, mobile, contacts, usr_org (the basic ones, for obtaining information about the user, his contacts and the list of organizations he is a member of) plus additional ones for obtaining more detailed information about his organizations: org_shortname, org_fullname, org_type, org_ogrn, org_inn, org_leg, org_kpp, org_oktmo, org_ctts, org_addrs, org_brhs, org_brhs_ctts, org_brhs_addrs.
With the "basic" scopes we successfully obtain the authorization code (via the test environment URL esia-portal1.test.gosuslugi.ru/aas/oauth2/ac) and exchange it for an access token (https://esia-portal1.test.gosuslugi.ru/aas/oauth2/te). Everything works fine here: with the access token we received, requests for information about the user, his contacts, etc. succeed.
Further on it gets harder. The usr_org scope gives access to the list of the user's organizations, which contains brief information: organization name, internal id and OGRN (https://esia-portal1.test.gosuslugi.ru/rs/prns/{oi... We need more detailed information about the organizations the user is a member of. There are additional scopes for this, for example org_fullname, org_type, etc. The documentation (openly available at minsvyaz.ru/uploaded/presentations/esiametodichesk... pages 145-147) lists these scopes and states that they must be parameterized.
Quote:
An example of scope:
scope=" http://esia.gosuslugi.ru/org_emps?org_oid=1000000357"
Two points are unclear here.
1. Before authorization it is impossible to find out the list of the user's organizations and, consequently, their IDs. Yet the scope list is compiled before authorization (when the authorization code is requested) and must match the scope list sent in the request for the access token. So before obtaining an access token it is impossible to know the organization IDs; they can only be found out after receiving an access token and sending requests authorized with it to the system.
2. The format for putting such a scope into the authorization scope list is not clear. Out of desperation we have already tried every option: org_fullname, org_fullname?org_id=id (with the real id of an organization from the test environment), esia.gosuslugi.ru/org_fullname and https://esia-portal1.test.gosuslugi.ru/org_fullname, with and without parameters.
For any request whose scope contains org_fullname, the system responds with an error in the browser's address bar like this:
error=invalid_scope&state=d084a665-6122-4c99-89dc-072c911a3dfa&error_description=ESIA-007006%3A+The+requested+scope+is+invalid%2C+unknown%2C+or+malformed.
(decoded: ESIA-007006: The requested scope is invalid, unknown, or malformed.)
The documentation has only a couple of lines about this error: the scope is incorrect or incorrectly composed.
If anyone has run into something similar while working with ESIA, please share; we would be grateful.
Yes, the divine ESIA documentation drives everyone crazy =) I started with ESIA recently myself and spent a lot of time figuring out how to work with it correctly.
Since a request for organization data requires passing a specific orgOid, the only thing that helps here is requesting two tokens in sequence. The scope for requesting these organizations is formed in the following format (space-separated):
http://esia.gosuslugi.ru/org_shortname?org_oid=1000346115
http://esia.gosuslugi.ru/org_fullname?org_oid=1000346115
http://esia.gosuslugi.ru/org_type?org_oid=1000346115
http://esia.gosuslugi.ru/org_ogrn?org_oid=1000346115
http://esia.gosuslugi.ru/org_inn?org_oid=1000346115
http://esia.gosuslugi.ru/org_kpp?org_oid=1000346115
http://esia.gosuslugi.ru/org_agencyterrange?org_oid=1000346115
http://esia.gosuslugi.ru/org_agencytype?org_oid=1000346115
http://esia.gosuslugi.ru/org_oktmo?org_oid=1000346115
http://esia.gosuslugi.ru/org_ctts?org_oid=1000346115
http://esia.gosuslugi.ru/org_addrs?org_oid=1000346115
http://esia.gosuslugi.ru/org_emps?org_oid=1000346115
1) Authorize the user (get back the code for the requested scopes)
2) Exchange the code for an access_token
3) Request the user's data with the access_token (get the list of organizations you need)
4) Make another request to the API, similar to step 2, and get ANOTHER access_token, this time for the organizations (note that grant_type is now client_credentials, and code and state are taken from the response to step 1)
<?php
// Parameters for the second /aas/oauth2/te call (step 4): grant_type is
// client_credentials; code and state are reused from the authorization response.
$arParams = [
    'client_id' => '*CLIENT_CODE*',
    'code' => $_GET['code'],
    'grant_type' => 'client_credentials',
    'state' => $_GET['state'],
    // One parameterized scope per permission per organization, space-separated.
    'scope' => join(' ', [
        "http://esia.gosuslugi.ru/org_inn?org_oid=*111111111*",
        "http://esia.gosuslugi.ru/org_ogrn?org_oid=*111111111*",
        "http://esia.gosuslugi.ru/org_ctts?org_oid=*111111111*",
        "http://esia.gosuslugi.ru/org_fullname?org_oid=*111111111*",
        "http://esia.gosuslugi.ru/org_type?org_oid=*111111111*",
        "http://esia.gosuslugi.ru/org_inn?org_oid=*222222222*",
        "http://esia.gosuslugi.ru/org_ogrn?org_oid=*222222222*",
        "http://esia.gosuslugi.ru/org_ctts?org_oid=*222222222*",
        "http://esia.gosuslugi.ru/org_fullname?org_oid=*222222222*",
        "http://esia.gosuslugi.ru/org_type?org_oid=*222222222*",
        "http://esia.gosuslugi.ru/org_inn?org_oid=*333333333*",
        "http://esia.gosuslugi.ru/org_ogrn?org_oid=*333333333*",
        "http://esia.gosuslugi.ru/org_ctts?org_oid=*333333333*",
        "http://esia.gosuslugi.ru/org_fullname?org_oid=*333333333*",
        "http://esia.gosuslugi.ru/org_type?org_oid=*333333333*",
    ]),
    // ESIA timestamp format, e.g. 2020.01.01 12:00:00 +0300
    'timestamp' => date('Y.m.d H:i:s O'),
    'token_type' => 'Bearer',
    // Not a static secret: the detached PKCS#7 signature over
    // scope + timestamp + client_id + state, base64url-encoded.
    'client_secret' => '*CLIENT_SECRET*',
];
I actually got the same error too. Well, not exactly, but similar. I need to get the user's avatar. To do this you need to get a new token with scope=esia.gosuslugi.ru/usr_avt?oid=1000356243, for example. In general, the documentation now says that any request for a specific scope must go through the rights delegation system. When you just send a POST right away and specify this scope there, with grant_type=CLIENT_CREDENTIALS, response_type=TOKEN and everything else by analogy, for some reason the response is not a JSON token but HTML saying the portal is temporarily unavailable (HTTP status 400). Has nobody faced such a problem? How do you make this rights delegation system work at all? In effect it is the same as obtaining an authorization token (for general data), only the scopes are listed separated by spaces and the grant_type is different.
You also say here that you send the token request twice; could you show the request itself in full, I mean the whole thing with all the headers, parameters, etc.? Otherwise this is really some kind of nonsense.
Hi! I needed to authorize through ESIA and got stuck at the step of obtaining the code, namely on encrypting the parameter
<client_secret> – request signature in PKCS#7 detached signature format, in UTF-8 encoding, over the values of the following HTTP request parameters: scope, timestamp, client_id, state (without separators). Must be base64 URL-safe encoded.
The certificate used to verify the signature must be registered in ESIA beforehand and linked to the client system's account in ESIA. ESIA supports certificates in X.509 format. ESIA supports the GOST R 34.10-2012 electronic signature algorithm and the GOST R 34.11-2012 cryptographic hash algorithm.
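The following is an added example and not code from the thread or from ESIA. It pulls together the two points discussed above: the parameterized scope format and two-token sequence from the answer with the PHP array (step 4, grant_type=client_credentials with code and state reused, as that answer states), and the client_secret construction quoted from the methodology in the last comment (detached PKCS#7 signature over scope + timestamp + client_id + state without separators, base64url). It is in Python rather than PHP. Assumptions, all labeled in the code: the scope element grammar is generalized from the forms that appear on this page (bare names such as openid, and http://esia.gosuslugi.ru/NAME?org_oid=N or ?oid=N as in the avatar comment); the signer is a SHA-256 stand-in that ESIA will reject, because a real GOST R 34.10-2012 PKCS#7 signer needs a GOST crypto provider and a registered certificate; and whether base64url padding is kept must be checked against the current methodology.

```python
"""Build ESIA /aas/oauth2/te token requests with parameterized organization scopes.

Added example, not from the thread. The signer below is a stand-in; see its docstring.
"""
import base64
import hashlib
import re
import uuid
from datetime import datetime, timezone
from typing import Callable, Iterable, List, Optional

ESIA_SCOPE_BASE = "http://esia.gosuslugi.ru/"

# Scope element grammar, generalized from the forms on this page (assumption):
#   bare name:      openid, fullname, usr_org, ...
#   parameterized:  http://esia.gosuslugi.ru/org_fullname?org_oid=1000000357
#                   http://esia.gosuslugi.ru/usr_avt?oid=1000356243
# Forms the asker tried (org_fullname?org_id=..., esia.gosuslugi.ru/org_fullname,
# https://esia-portal1.test.gosuslugi.ru/org_fullname) fail both patterns,
# which is consistent with ESIA answering ESIA-007006 invalid_scope.
_BARE = re.compile(r"^[a-z][a-z0-9_]*$")
_PARAM = re.compile(r"^http://esia\.gosuslugi\.ru/([a-z][a-z0-9_]*)\?(org_oid|oid)=(\d+)$")


def scope_element_ok(element: str) -> bool:
    return bool(_BARE.match(element) or _PARAM.match(element))


def check_scope(scope: str) -> List[str]:
    """Return the elements of a space-separated scope string that are malformed."""
    return [e for e in scope.split(" ") if e and not scope_element_ok(e)]


def build_org_scopes(org_oids: Iterable[int], permissions: Iterable[str]) -> str:
    """One parameterized scope per permission per organization, space-separated."""
    perms = list(permissions)
    return " ".join(f"{ESIA_SCOPE_BASE}{p}?org_oid={oid}" for oid in org_oids for p in perms)


def esia_timestamp() -> str:
    """Same format as PHP date('Y.m.d H:i:s O') in the answer above, e.g. 2020.01.01 12:00:00 +0300."""
    return datetime.now(timezone.utc).astimezone().strftime("%Y.%m.%d %H:%M:%S %z")


def data_to_sign(scope: str, timestamp: str, client_id: str, state: str) -> bytes:
    """Concatenation in the order quoted from the methodology: scope, timestamp, client_id, state, no separators."""
    return (scope + timestamp + client_id + state).encode("utf-8")


def placeholder_signer(data: bytes) -> bytes:
    """STAND-IN ONLY. ESIA requires a detached PKCS#7 signature made with
    GOST R 34.10-2012 over a GOST R 34.11-2012 hash, using a certificate
    registered for the client system. A SHA-256 digest is returned here so the
    example runs offline; ESIA will reject a request built with it."""
    return hashlib.sha256(data).digest()


def build_token_request(client_id: str, scope: str, grant_type: str,
                        signer: Callable[[bytes], bytes], *,
                        state: Optional[str] = None, code: Optional[str] = None,
                        timestamp: Optional[str] = None) -> dict:
    """Form parameters for POST /aas/oauth2/te. Rejects malformed scope elements
    locally instead of waiting for ESIA-007006 from the server."""
    bad = check_scope(scope)
    if bad:
        raise ValueError(f"malformed scope elements: {bad}")
    state = state or str(uuid.uuid4())
    timestamp = timestamp or esia_timestamp()
    signature = signer(data_to_sign(scope, timestamp, client_id, state))
    params = {
        "client_id": client_id,
        "scope": scope,
        "timestamp": timestamp,
        "state": state,
        "grant_type": grant_type,
        "token_type": "Bearer",
        # URL-safe alphabet; check the current methodology on whether '=' padding is kept (assumption).
        "client_secret": base64.urlsafe_b64encode(signature).decode("ascii"),
    }
    if code is not None:
        params["code"] = code
    return params


def org_token_request(client_id: str, code: str, state: str, org_oids: Iterable[int],
                      permissions: Iterable[str], signer: Callable[[bytes], bytes],
                      timestamp: Optional[str] = None) -> dict:
    """Step 4 of the answer above: second /te call with grant_type=client_credentials
    and per-organization scopes, reusing code and state from the authorization response."""
    scope = build_org_scopes(org_oids, permissions)
    return build_token_request(client_id, scope, "client_credentials", signer,
                               state=state, code=code, timestamp=timestamp)


if __name__ == "__main__":
    # Constructed sample input: the asker's attempts versus the working form.
    for attempt in ["org_fullname?org_id=1000000357", "esia.gosuslugi.ru/org_fullname",
                    "http://esia.gosuslugi.ru/org_fullname?org_oid=1000000357"]:
        print(attempt, "->", "malformed" if check_scope(attempt) else "ok")
    req = org_token_request("CLIENT_CODE", "code-from-step-1", "state-from-step-1",
                            [1000346115], ["org_fullname", "org_inn"], placeholder_signer)
    for k, v in req.items():
        print(f"{k}={v}")
```

Once the organization oids are known from step 3, `org_token_request` produces the same parameter set as the PHP array in the answer; the scope check is what would have short-circuited the guessing described in the question, since every variant the asker listed fails it while the `http://esia.gosuslugi.ru/NAME?org_oid=N` form passes.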