https://bugzilla.wikimedia.org/show_bug.cgi?id=22108





--- Comment #1 from Craig Box <craig....@gmail.com>  2010-01-15 16:53:23 UTC ---
Andrew Arnott from DotNetOpenAuth has explained the situation to me here.

In summary, the RP library should stop the "ID issued in any name" case, by
signature verification, so the only thing we need to do is check that the
assertion is acceptable with the code above.  

However, we shouldn't be checking the display identifier, which can be set to
whatever you want - we should be checking the identity_url.  See
http://openidenabled.com/files/php-openid/docs/2.1.3/OpenID/Auth_OpenID_ConsumerResponse.html.
 

Patch forthcoming...


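The check described in the comment above, as an added example that is not part of the original bug comment or the extension's code. It assumes the acceptance rule is an allow-list of identifier hosts (the page does not show the actual rule) and uses a constructed stand-in for the php-openid response that models only the `identity_url` field and `getDisplayIdentifier()`; `isAcceptableIdentity` is a hypothetical helper name.

```php
<?php
// Constructed stand-in for a php-openid success response (assumption: only
// the identity_url field and getDisplayIdentifier() are modelled here).
class StubResponse {
    public $identity_url;
    private $display;
    public function __construct($identityUrl, $display) {
        $this->identity_url = $identityUrl;
        $this->display = $display;
    }
    public function getDisplayIdentifier() { return $this->display; }
}

// Hypothetical helper: accept only if the host of the verified claimed
// identifier (identity_url) is on the allow-list. The display identifier
// is never consulted for the decision.
function isAcceptableIdentity($response, array $allowedHosts) {
    $parts = parse_url((string) $response->identity_url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return false;
    }
    // Exact host match only; substring or suffix matching would also admit
    // longer host names that merely contain an allowed name.
    $allowed = array_map('strtolower', $allowedHosts);
    return in_array(strtolower($parts['host']), $allowed, true);
}

// Constructed sample data: the second and third responses display an
// allowed-looking name while identity_url points elsewhere.
$allowed = array('id.example.org');
$samples = array(
    'matching'        => new StubResponse('https://id.example.org/alice', 'id.example.org/alice'),
    'display only'    => new StubResponse('https://other.example.net/x', 'id.example.org/alice'),
    'look-alike host' => new StubResponse('https://id.example.org.other.example.net/', 'id.example.org'),
);
foreach ($samples as $label => $r) {
    printf("%-16s display=%-22s accepted=%s\n", $label, $r->getDisplayIdentifier(),
        isAcceptableIdentity($r, $allowed) ? 'yes' : 'no');
}
```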