Closed timabbott closed 4 years ago
I updated the doc and settings. The default value if the setting parameter is not provided is still gonna be sha1 for backward compatibility.
OK -- I'd encourage you to change that default and just document the change in the release notes. I don't think backward-compatibility is a good reason to default to a known insecure algorithm (which basically means all downstream projects, like python-social-auth which uses the default SECURITY settings, will be insecure).
If you're not able to change the default here, I guess I'll open an issue with python-social-auth for them to fix it.
It looks like the default/recommended signatureAlgorithm in the documentation uses SHA-1, which is no longer considered secure. Can this be changed to SHA-256?
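Added example, not code from this issue or from the library under discussion: a small audit of a python3-saml-style settings dict that flags the SHA-1 signature/digest URIs (or an unset value that would fall back to the SHA-1 default) and returns a hardened copy pinned to SHA-256. The `security` / `signatureAlgorithm` / `digestAlgorithm` key layout and the sample settings are assumptions of this example.

```python
# Assumed layout: settings["security"]["signatureAlgorithm"] and
# settings["security"]["digestAlgorithm"] hold XML-DSig algorithm URIs.
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
DIGEST_SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
DIGEST_SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

WEAK = {RSA_SHA1, DIGEST_SHA1}
PREFERRED = {"signatureAlgorithm": RSA_SHA256, "digestAlgorithm": DIGEST_SHA256}


def audit_security(settings):
    """Return findings for algorithms that are SHA-1 or unset (SHA-1 default)."""
    security = settings.get("security", {})
    findings = []
    for key in PREFERRED:
        value = security.get(key)
        if value is None:
            findings.append(f"{key} not set: falls back to the SHA-1 default")
        elif value in WEAK:
            findings.append(f"{key} uses SHA-1: {value}")
    return findings


def harden(settings):
    """Return a copy of settings with SHA-256 explicitly set for both keys."""
    hardened = dict(settings)
    hardened["security"] = {**settings.get("security", {}), **PREFERRED}
    return hardened


# Constructed sample: signature pinned to SHA-1, digest left unset.
SAMPLE_SETTINGS = {
    "strict": True,
    "security": {"signatureAlgorithm": RSA_SHA1},
}

if __name__ == "__main__":
    for finding in audit_security(SAMPLE_SETTINGS):
        print("WEAK:", finding)
    print("after harden:", audit_security(harden(SAMPLE_SETTINGS)))
```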