[Code] OpenID versions supported by the library?
Yang Zhao
yang at yangman.ca
Thu Mar 29 21:33:12 UTC 2012
On 29 March 2012 11:54, Attila-Mihaly Balazs <dify.ltd at gmail.com> wrote:
> From the code it seems to me that the python-openid library supports
> both OpenID v1 and v2. Is there a way to force the consumer to only
> use v2?

IIRC, once you have a reply message, you can call isOpenID1() to check
the protocol version used. At this point, you can choose to reject it.

> I'm asking this since I seem to recall that v1 of the spec was
> insecure (it allowed to be MITMd)...

There was a flaw in the v1.0 spec that was fixed in v1.1. IIRC the
library does not support 1.0.
--
Yang Zhao
http://yangman.ca
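
The version check discussed in this message, as a stand-alone added example (not code from python-openid or from the thread): it classifies a returned OpenID response by its `openid.ns` parameter and accepts only OpenID 2.0. The function names and sample URLs are constructed for illustration, and the check is assumed to complement, not replace, the library's own verification of the response.

```python
from urllib.parse import urlsplit, parse_qs

# Namespace URIs defined by the OpenID specifications.
OPENID2_NS = "http://specs.openid.net/auth/2.0"
OPENID1_NS = {"http://openid.net/signon/1.0", "http://openid.net/signon/1.1"}


def openid_version(return_url):
    """Classify an OpenID response URL as 'v2', 'v1' or 'invalid'."""
    query = parse_qs(urlsplit(return_url).query, keep_blank_values=True)
    if not any(key.startswith("openid.") for key in query):
        return "invalid"          # not an OpenID message at all
    ns_values = query.get("openid.ns")
    if ns_values is None:
        return "v1"               # OpenID 1.x messages may omit openid.ns
    if len(ns_values) != 1:
        return "invalid"          # duplicated parameter: version is ambiguous
    if ns_values[0] == OPENID2_NS:
        return "v2"
    if ns_values[0] in OPENID1_NS:
        return "v1"
    return "invalid"              # unknown namespace


def accept_response(return_url):
    """Policy from the thread: reject anything that is not OpenID 2.0."""
    return openid_version(return_url) == "v2"


# Constructed sample return_to URLs (hypothetical relying party rp.example).
SAMPLES = {
    "v2": "https://rp.example/return?openid.ns="
          "http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res",
    "v1 (no ns)": "https://rp.example/return?openid.mode=id_res"
                  "&openid.identity=https%3A%2F%2Fuser.example%2F",
    "v1.1": "https://rp.example/return?openid.ns="
            "http%3A%2F%2Fopenid.net%2Fsignon%2F1.1&openid.mode=id_res",
    "duplicate ns": "https://rp.example/return?openid.ns="
                    "http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
                    "&openid.ns=http%3A%2F%2Fopenid.net%2Fsignon%2F1.1",
}

if __name__ == "__main__":
    for label, url in SAMPLES.items():
        print(label, "->", openid_version(url), "accepted:", accept_response(url))
```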