When the user is returned from the IdP (mode = id_res), a list of signed attributes and
a signature are included. There is no guarantee that all attributes (ax
attributes or sreg attributes) will be signed. This allows an attacker to
assert attributes that are unsigned, and if the relying party uses them, they
can be falsified.
For relying parties who need to have confidence in those items, there should be
a way to tell which attributes are signed, or to only request attributes that
are signed. Perhaps a flag to getAttributes($signedOnly = false);
I can work up a patch if you agree.
Original issue reported on code.google.com by john.les...@gmail.com on 9 Apr 2013 at 2:57
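A sketch of the signed-only filtering the report asks for, as an added example (not the project's code and not the reporter's patch). The function name `signedAxAttributes`, the dotted-key input array and the sample response are assumptions, and the `openid.sig` signature is assumed to have been verified already.

```php
<?php
// Added example: hypothetical helper, not part of the library under discussion.
// Assumes openid.sig was already verified over the fields named in openid.signed.
const AX_NS = 'http://openid.net/srv/ax/1.0';

/**
 * Return AX attributes (type URI => value) whose alias binding, type field and
 * value field are all listed in openid.signed. Single-valued attributes only.
 * $params uses wire names ("openid.ax.value.email"), not PHP's mangled $_GET keys.
 */
function signedAxAttributes(array $params): array
{
    $signed = array_flip(explode(',', $params['openid.signed'] ?? ''));
    $isSigned = fn(string $field): bool => isset($signed[$field]);
    $result = [];
    foreach ($params as $key => $uri) {
        // Locate aliases bound to the AX namespace: openid.ns.<alias>
        if ($uri !== AX_NS || strpos($key, 'openid.ns.') !== 0) {
            continue;
        }
        $alias = substr($key, strlen('openid.ns.'));
        if (!$isSigned("ns.$alias")) {
            continue; // an unsigned alias binding is not covered by the signature
        }
        $typePrefix = "openid.$alias.type.";
        foreach ($params as $k => $typeUri) {
            if (strpos($k, $typePrefix) !== 0) {
                continue;
            }
            $name = substr($k, strlen($typePrefix));
            $valueKey = "openid.$alias.value.$name";
            // Both halves of the pair must be signed, or the value can be swapped
            if (isset($params[$valueKey])
                && $isSigned("$alias.type.$name")
                && $isSigned("$alias.value.$name")) {
                $result[$typeUri] = $params[$valueKey];
            }
        }
    }
    return $result;
}

// Constructed response: the email pair is signed, the "role" pair is not.
$response = [
    'openid.mode' => 'id_res', 'openid.ns.ax' => AX_NS,
    'openid.ax.type.email' => 'http://axschema.org/contact/email',
    'openid.ax.value.email' => 'alice@example.org',
    'openid.ax.type.role' => 'http://example.org/schema/role',
    'openid.ax.value.role' => 'admin',
    'openid.signed' => 'mode,ns.ax,ax.type.email,ax.value.email',
];
print_r(signedAxAttributes($response));
```

Only the email attribute is returned; the unsigned `role` pair is dropped even though it is present in the response.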