https://bugzilla.wikimedia.org/show_bug.cgi?id=22108
--- Comment #1 from Craig Box <[email protected]> 2010-01-15 16:53:23 UTC ---

Andrew Arnott from DotNetOpenAuth has explained the situation to me here.

In summary, the RP library should stop the "ID issued in any name" case, by signature verification, so the only thing we need to do is check that the assertion is acceptable with the code above.

However, we shouldn't be checking the display identifier, which can be set to whatever you want - we should be checking the identity_url. See http://openidenabled.com/files/php-openid/docs/2.1.3/OpenID/Auth_OpenID_ConsumerResponse.html.

Patch forthcoming...
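
The distinction drawn in the comment above, as an added example that is not part of the original comment, the forthcoming patch, or php-openid: the acceptability check reads the verified `identity_url` and never the display identifier. `ConstructedResponse`, `isAcceptableIdentity()`, the host-allowlist policy and all URLs are assumptions made for illustration; the actual check ("the code above") is not shown on this page.

```php
<?php
// Added example; not code from the OpenID extension or from php-openid.

// Constructed stand-in exposing the two members of
// Auth_OpenID_ConsumerResponse that the comment contrasts.
class ConstructedResponse {
    public $identity_url;   // claimed identifier the RP library verified
    private $display;       // display identifier: a label only
    public function __construct($identityUrl, $display) {
        $this->identity_url = $identityUrl;
        $this->display = $display;
    }
    public function getDisplayIdentifier() { return $this->display; }
}

// Hypothetical policy: accept only identities hosted on an allowlisted
// host or one of its subdomains. Matching is done on the parsed host, so
// a prefix or substring lookalike does not pass.
function isAcceptableIdentity($response, array $allowedHosts) {
    $parts = parse_url((string) $response->identity_url);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = rtrim(strtolower($parts['host']), '.');
    foreach ($allowedHosts as $allowed) {
        $allowed = strtolower($allowed);
        if ($host === $allowed
            || substr($host, -strlen($allowed) - 1) === '.' . $allowed) {
            return true;
        }
    }
    return false;
}

$allowed = ['idp.example'];  // constructed allowlist
$cases = [                   // constructed: identity_url, display identifier
    new ConstructedResponse('https://alice.idp.example/', 'alice.idp.example'),
    new ConstructedResponse('https://elsewhere.test/alice', 'https://alice.idp.example/'),
    new ConstructedResponse('https://idp.example.elsewhere.test/', 'alice'),
];
foreach ($cases as $r) {
    printf("%-38s shown as %-28s => %s\n", $r->identity_url,
        $r->getDisplayIdentifier(),
        isAcceptableIdentity($r, $allowed) ? 'accept' : 'reject');
}
```

The second case is the one the comment warns about: a check written against `getDisplayIdentifier()` would see an allowlisted host there, while the verified `identity_url` is on a different host.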
