// Получаем данные из ЕСИА
public async Task <ActionResult> EsiaPage()
{
var esiaToken = Session["esiaToken"];
if (esiaToken != null)
{
// Создаем ЕСИА клиента с маркером доступа для получения данных
var esiaClient = new EsiaClient(Esia.GetOptions(), (EsiaToken)esiaToken);
// ВАЖНО! Указанная в параметрах ЕСИА (Esia.GetOptions()) область доступа может не предоставить необходимые данные. В данном примере используется полный доступ
// Получим данные о пользователе
var personInfo = await esiaClient.GetPersonInfoAsync();
// Пользователь не подтвержден - выводим ошибку
if (!personInfo.Trusted)
{
return(View("Error"));
}
// Получаем контакты
var contacts = await esiaClient.GetPersonContactsAsync();
// Получаем документы пользователя
var docs = await esiaClient.GetPersonDocsAsync();
// Получаем адреса пользователя
var addrs = await esiaClient.GetPersonAddrsAsync();
// Получаем транспортные средства
var vehicles = await esiaClient.GetPersonVehiclesAsync();
// Получаем детей
var kids = await esiaClient.GetPersonKidsAsync();
foreach (var child in kids)
{
// Получаем документы ребенка
var childDoc = await esiaClient.GetPersonChildDocsAsync(child.Id);
}
// Отобразим данные на форме
ViewBag.Person = personInfo;
ViewBag.Contacts = contacts;
ViewBag.Docs = docs;
ViewBag.Addrs = addrs;
ViewBag.Vehicles = vehicles;
ViewBag.Kids = kids;
}
else
{
return(View("Error"));
}
return(View());
}
public async Task <IActionResult> OnGetCallbackAsync(string returnUrl = null, string remoteError = null)
{
returnUrl = returnUrl ?? Url.Content("~/");
if (remoteError != null)
{
ErrorMessage = $"Error from external provider: {remoteError}";
return(RedirectToPage("./Login", new { ReturnUrl = returnUrl }));
}
var info = await _signInManager.GetExternalLoginInfoAsync();
if (info == null)
{
ErrorMessage = "Error loading external login information.";
return(RedirectToPage("./Login", new { ReturnUrl = returnUrl }));
}
// Need EsiaAuthenticationOptions.SaveTokens set to true
var client = new EsiaClient(new EsiaRestOptions(), info.AuthenticationTokens.First(c => c.Name == "access_token").Value);
var personInfo = await client.GetPersonInfoAsync();
// Sign in the user with this external login provider if the user already has a login.
var result = await _signInManager.ExternalLoginSignInAsync(info.LoginProvider, info.ProviderKey, isPersistent : false, bypassTwoFactor : true);
if (result.Succeeded)
{
_logger.LogInformation("{Name} logged in with {LoginProvider} provider.", info.Principal.Identity.Name, info.LoginProvider);
return(LocalRedirect(returnUrl));
}
if (result.IsLockedOut)
{
return(RedirectToPage("./Lockout"));
}
else
{
// If the user does not have an account, then ask the user to create an account.
ReturnUrl = returnUrl;
ProviderDisplayName = info.ProviderDisplayName;
if (info.Principal.HasClaim(c => c.Type == ClaimTypes.Email))
{
Input = new InputModel
{
Email = info.Principal.FindFirstValue(ClaimTypes.Email)
};
}
return(Page());
}
}
protected override async Task <AuthenticationTicket> CreateTicketAsync(ClaimsIdentity identity, AuthenticationProperties properties,
OAuthTokenResponse tokens)
{
var esiaClient = new EsiaClient(Options.RestOptions, tokens.AccessToken, Backchannel);
// Get owner personal information and contacts. If requested scope does not allow some information, corresponding properties will be null
var personInfo = await esiaClient.GetPersonInfoAsync();
var contactsInfo = await esiaClient.GetPersonContactsAsync();
identity.AddClaims(new[]
{
new Claim(ClaimTypes.NameIdentifier, esiaClient.Token.SbjId, ClaimValueTypes.String, Scheme.Name),
new Claim("urn:esia:sbj_id", esiaClient.Token.SbjId, ClaimValueTypes.String, Scheme.Name),
new Claim(ClaimTypes.AuthenticationMethod, "ESIA", ClaimValueTypes.String, Scheme.Name)
});
if (personInfo != null)
{
// Set some claims from personal info
if (!String.IsNullOrEmpty(personInfo.Name))
{
identity.AddClaim(new Claim(ClaimTypes.Name, personInfo.Name, ClaimValueTypes.String, Scheme.Name));
}
identity.AddClaim(new Claim("urn:esia:trusted", personInfo.Trusted.ToString(), ClaimValueTypes.Boolean, Scheme.Name));
}
if (contactsInfo != null)
{
// Set email claim from contacts
var email = contactsInfo.FirstOrDefault(c => c.ContactType == ContactType.Email);
if (email != null)
{
identity.AddClaim(new Claim(ClaimTypes.Email, email.Value, ClaimValueTypes.String, Scheme.Name));
}
}
var context = new OAuthCreatingTicketContext(new ClaimsPrincipal(identity), properties, Context, Scheme, Options, Backchannel,
tokens, new JsonElement());
await Events.CreatingTicket(context);
return(new AuthenticationTicket(context.Principal, context.Properties, Scheme.Name));
}
public EsiaAuthenticationMiddleware(OwinMiddleware next, IAppBuilder app, EsiaAuthenticationOptions options) : base(next, options)
{
if (String.IsNullOrWhiteSpace(Options.EsiaOptions.ClientId))
{
throw new ArgumentException(String.Format(CultureInfo.CurrentCulture, Resources.ErrorParamMustBeProvided, "ClientId"));
}
if (String.IsNullOrWhiteSpace(Options.EsiaOptions.Scope))
{
throw new ArgumentException(String.Format(CultureInfo.CurrentCulture, Resources.ErrorParamMustBeProvided, "Scope"));
}
if (String.IsNullOrWhiteSpace(Options.EsiaOptions.RequestType))
{
throw new ArgumentException(String.Format(CultureInfo.CurrentCulture, Resources.ErrorParamMustBeProvided, "RequestType"));
}
if (Options.EsiaOptions.SignProvider == null)
{
throw new ArgumentException(String.Format(CultureInfo.CurrentCulture, Resources.ErrorParamMustBeProvided, "SignProvider"));
}
_logger = app.CreateLogger <EsiaAuthenticationMiddleware>();
if (Options.DataFormat == null)
{
IDataProtector dataProtecter = app.CreateDataProtector(typeof(EsiaAuthenticationMiddleware).FullName, Options.AuthenticationType, "v1");
Options.DataFormat = new PropertiesDataFormat(dataProtecter);
}
if (Options.Provider == null)
{
Options.Provider = new EsiaAuthenticationProvider();
}
if (String.IsNullOrEmpty(Options.SignInAsAuthenticationType))
{
Options.SignInAsAuthenticationType = app.GetDefaultSignInAsAuthenticationType();
}
_esiaClient = new EsiaClient(Options.EsiaOptions);
}
/// <summary>
/// Core authentication logic
/// </summary>
/// <returns>AuthenticationTicket</returns>
protected override async Task <AuthenticationTicket> AuthenticateCoreAsync()
{
AuthenticationProperties properties = null;
try
{
IReadableStringCollection query = Request.Query;
properties = UnpackDataParameter(query);
if (properties == null)
{
_logger.WriteWarning("Invalid return data");
return(null);
}
// Anti-CSRF
if (!ValidateCorrelationId(properties, _logger))
{
return(new AuthenticationTicket(null, properties));
}
var queryValues = await ParseRequestAsync(query);
string value = queryValues["error"];
// ESIA error response
if (value != null)
{
var description = queryValues["error_description"];
_logger.WriteWarning($"ESIA Error '{value}'. {description}");
return(new AuthenticationTicket(null, properties));
}
value = queryValues["state"];
// Checking response state with request state (fron options)
if (value == null || value != Options.EsiaOptions.State.ToString("D"))
{
_logger.WriteWarning("State parameter is missing or invalid");
return(new AuthenticationTicket(null, properties));
}
// Authentication code
string authCode = queryValues["code"];
if (String.IsNullOrWhiteSpace(authCode))
{
_logger.WriteWarning("Code parameter is missing or invalid");
return(new AuthenticationTicket(null, properties));
}
// Get access token response from authentication code
var tokenResponse = await _esiaClient.GetOAuthTokenAsync(authCode, BuildCallbackUri(""));
// Check token signature if Options.VerifyTokenSignature is true
if (Options.VerifyTokenSignature && !_esiaClient.VerifyToken(tokenResponse.AccessToken))
{
_logger.WriteWarning("Token signature is invalid");
return(new AuthenticationTicket(null, properties));
}
// Create EsiaToken class instance from token response and set it to esia client
_esiaClient.Token = EsiaClient.CreateToken(tokenResponse);
// Get owner personal information and contacts. If requested scope does not allow some information, corresponding properties will be null
var personInfo = await _esiaClient.GetPersonInfoAsync(SendStyles.None);
var contactsInfo = await _esiaClient.GetPersonContactsAsync(SendStyles.None);
var context = new EsiaAuthenticatedContext(Context, _esiaClient.Token, personInfo, contactsInfo);
context.Identity = new ClaimsIdentity(
new[]
{
new Claim(ClaimTypes.NameIdentifier, context.Id, ClaimValueTypes.String, Options.AuthenticationType),
new Claim("urn:esia:sbj_id", context.Id, ClaimValueTypes.String, Options.AuthenticationType),
new Claim(ClaimTypes.AuthenticationMethod, "ESIA", ClaimValueTypes.String, Options.AuthenticationType)
},
Options.AuthenticationType,
ClaimsIdentity.DefaultNameClaimType,
ClaimsIdentity.DefaultRoleClaimType);
if (personInfo != null)
{ // Set some claims from personal info
context.Identity.AddClaim(new Claim(ClaimTypes.Name, personInfo.Name, ClaimValueTypes.String, Options.AuthenticationType));
context.Identity.AddClaim(new Claim("urn:esia:trusted", personInfo.Trusted.ToString(), ClaimValueTypes.Boolean, Options.AuthenticationType));
}
if (contactsInfo != null)
{ // Set email claim from contacts
var email = contactsInfo.FirstOrDefault(c => c.ContactType == ContactType.Email);
if (email != null)
{
context.Identity.AddClaim(new Claim(ClaimTypes.Email, email.Value, ClaimValueTypes.String, Options.AuthenticationType));
}
}
// Call provider autenticated callback
await Options.Provider.Authenticated(context);
context.Properties = properties;
return(new AuthenticationTicket(context.Identity, context.Properties));
}
catch (Exception ex)
{
_logger.WriteError("Authentication failed", ex);
return(new AuthenticationTicket(null, properties));
}
}
public EsiaAuthenticationHandler(EsiaClient esiaClient, ILogger logger)
{
_esiaClient = esiaClient;
_logger = logger;
}
