[Code] OpenID versions supported by the library?
Andrew Arnott
andrewarnott at gmail.com
Thu Mar 29 21:07:49 UTC 2012
I don't think that's entirely accurate. Both versions are vulnerable to
MITM due to DNS poisoning. You mitigate that by using HTTPS. V2 mitigates
open redirectors via the realm discovery.
Hope this helps.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre
On Thu, Mar 29, 2012 at 11:54 AM, Attila-Mihaly Balazs <dify.ltd at gmail.com> wrote:
> Hello all!
>
> I'm a Python beginner, so don't shoot ;)
>
> From the code it seems to me that the python-openid library supports
> both OpenID v1 and v2. Is there a way to force the consumer to only
> use v2? I'm asking this since I seem to recall that v1 of the spec was
> insecure (it allowed to be MITMd) and would like to force my users to log
> in using only v2 providers.
>
> Best regards,
> Attila Balazs
>
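The two points in the reply above (HTTPS against DNS-based MITM, OpenID 2.0 for realm discovery) can be expressed as a relying-party policy applied to discovery results before redirecting the user. This is an added example, not code from python-openid or from either poster: `DiscoveredEndpoint`, `rejection_reasons` and `select_endpoint` are hypothetical names, only URL identifiers are assumed, and the sample endpoints are constructed.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Service type URIs defined by the OpenID 2.0 specification.
OPENID_2_0_TYPES = {
    "http://specs.openid.net/auth/2.0/signon",  # claimed identifier element
    "http://specs.openid.net/auth/2.0/server",  # OP identifier element
}
OPENID_1_1_TYPE = "http://openid.net/signon/1.1"

@dataclass(frozen=True)
class DiscoveredEndpoint:  # hypothetical container, not a python-openid class
    claimed_id: str
    server_url: str
    type_uris: tuple

def _is_https(url):
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.hostname)

def rejection_reasons(ep):
    """Return the policy violations for one endpoint; an empty list means accept."""
    reasons = []
    if not OPENID_2_0_TYPES.intersection(ep.type_uris):
        reasons.append("no OpenID 2.0 service type advertised")
    # HTTPS only helps if the HTTP client used for discovery and
    # association verifies the server certificate.
    if not _is_https(ep.claimed_id):
        reasons.append("claimed identifier is not an https URL")
    if not _is_https(ep.server_url):
        reasons.append("OP endpoint is not an https URL")
    return reasons

def select_endpoint(endpoints):
    """Return the first endpoint, in discovery order, that passes the policy."""
    for ep in endpoints:
        if not rejection_reasons(ep):
            return ep
    return None

# Constructed sample discovery results (example.com / example.org only).
SAMPLE = [
    DiscoveredEndpoint("http://alice.example.com/",
                       "https://op.example.org/v1", (OPENID_1_1_TYPE,)),
    DiscoveredEndpoint("https://alice.example.com/",
                       "http://op.example.org/v2",
                       ("http://specs.openid.net/auth/2.0/signon",)),
    DiscoveredEndpoint("https://alice.example.com/",
                       "https://op.example.org/v2",
                       ("http://specs.openid.net/auth/2.0/signon", OPENID_1_1_TYPE)),
]
```

If `select_endpoint` returns `None`, the login attempt is refused rather than falling back to a v1 or plain-HTTP endpoint.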