[security] AX Security in python-openid
Mike Sun
msun at bluespot.org
Fri Jul 27 01:54:45 UTC 2012
Hi --
I'm using python-openid for my RP and Google Marketplace wanted to make sure this implementation is not vulnerable to spoofed, non-signed attributes such as email addresses.
See: http://googlecode.blogspot.com/2011/05/security-advisory-to-websites-using.html
Looking at the python-openid code, it seems that the default requires that only signed attributes are allowed to be passed in the response.
See: https://github.com/openid/python-openid/blob/master/openid/extensions/ax.py
Can anyone confirm that it is true that python-openid checks that the attribute is signed by the correct corresponding IDP?
Thanks,
Mike
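The check Mike is asking about, as an added illustration that is not python-openid's code and not part of the original post: OpenID 2.0 signs only the fields listed in `openid.signed`, so an Attribute Exchange (AX) value that arrives in the response but is not in that list is not covered by `openid.sig` and must not be trusted. This example assumes the positive assertion's parameters are given with the `openid.` prefix stripped, that the signature over the `signed` fields has already been verified (via the association or `check_authentication`), and applies an all-or-nothing rule: if any AX field is unsigned, the whole AX payload is dropped. The sample responses and the `sig` value are constructed.

```python
# Added example (not python-openid code): accept OpenID 2.0 Attribute Exchange
# (AX) values only when every AX field is covered by the response signature.
# Assumption: `args` holds the positive assertion's parameters with the
# "openid." prefix stripped, and args["sig"] has ALREADY been verified over the
# fields named in args["signed"] (association or check_authentication).

AX_NS = "http://openid.net/srv/ax/1.0"


def ax_alias(args):
    """Return the namespace alias the OP used for AX (e.g. 'ext1'), or None."""
    for key, value in args.items():
        if key.startswith("ns.") and value == AX_NS:
            return key[len("ns."):]
    return None


def signed_field_names(args):
    """Field names covered by the signature; listed without 'openid.' per spec."""
    return {f.strip() for f in args.get("signed", "").split(",") if f.strip()}


def signed_ax_attributes(args):
    """Return {type_uri: value} for AX attributes, or {} if any AX field is unsigned.

    Fields absent from 'signed' are not protected by 'sig', so they are treated
    as untrusted: one unsigned AX field discards the whole extension payload.
    """
    alias = ax_alias(args)
    if alias is None:
        return {}
    signed = signed_field_names(args)
    prefix = alias + "."
    ax_fields = ["ns." + alias] + [k for k in args if k.startswith(prefix)]
    if any(field not in signed for field in ax_fields):
        return {}
    attrs = {}
    type_prefix = prefix + "type."
    for key, type_uri in args.items():
        if not key.startswith(type_prefix):
            continue
        attr_alias = key[len(type_prefix):]
        count = args.get(prefix + "count." + attr_alias)
        if count is None:
            # single-valued attribute: <alias>.value.<attr_alias>
            value = args.get(prefix + "value." + attr_alias)
            if value is not None:
                attrs[type_uri] = value
        else:
            # multi-valued attribute: <alias>.value.<attr_alias>.1 ... .N
            keys = [prefix + "value.%s.%d" % (attr_alias, i)
                    for i in range(1, int(count) + 1)]
            attrs[type_uri] = [args[k] for k in keys if k in args]
    return attrs


# Constructed sample responses (not captured traffic). The first signs every
# AX field; the second carries the same email but leaves the AX fields out of
# 'signed', so its email must not be trusted.
CORE_SIGNED = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"

SIGNED_RESPONSE = {
    "ns": "http://specs.openid.net/auth/2.0",
    "mode": "id_res",
    "ns.ext1": AX_NS,
    "ext1.mode": "fetch_response",
    "ext1.type.email": "http://axschema.org/contact/email",
    "ext1.value.email": "alice@example.com",
    "signed": CORE_SIGNED + ",ns.ext1,ext1.mode,ext1.type.email,ext1.value.email",
    "sig": "PLACEHOLDER-BASE64-HMAC",  # constructed; assumed already verified
}

UNSIGNED_AX_RESPONSE = dict(SIGNED_RESPONSE, signed=CORE_SIGNED)

if __name__ == "__main__":
    print("signed AX:  ", signed_ax_attributes(SIGNED_RESPONSE))
    print("unsigned AX:", signed_ax_attributes(UNSIGNED_AX_RESPONSE))
```

The all-or-nothing rule is deliberately stricter than filtering field by field: a response in which the OP signed `ext1.type.email` but not `ext1.value.email` is rejected outright rather than yielding a type with no value. Whatever library an RP uses, the same two facts decide the question in the post: the signature itself must be verified first, and only fields named in `signed` may then be read.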