I have some concerns with the library that I'd like some feedback on.

The main issue with that library is that it requires the application developer to enforce the protocol security in the application rather than codifying it in the library like other OpenID libraries. Developers that are not well versed in OpenID and security are very likely to omit important checks.
For example, their sample application code shows how to write the checks for verifying nonces. This is an important step, but also misleading, as there are other checks that relying parties must perform that are neither in the library nor in the sample. Applications that allow the user to specify an arbitrary OP (URL instead of alias) would be open to significant vulnerabilities if they don't correctly implement the additional checks.
Additionally, the library does not save associations in shared storage and may fail in load balanced/clustered environments that don't use sticky servlet sessions.
Original issue reported on code.google.com by sqr...@gmail.com on 9 Feb 2010 at 7:54
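The "other checks" the report refers to are the relying-party verification steps of OpenID Authentication 2.0 section 11: the return_to check, the comparison against the RP's own discovery result, the nonce check, and the signature check. The block below is an added example written for this page; it is not the issue author's code and not the library's, and it is in Python rather than the library's Java so that it runs stand-alone. The association store, discovery cache, nonce store, the 5-minute skew policy and all sample values (MAC key, handle, URLs, nonce) are constructed assumptions for the demo.

```python
"""Relying-party checks on an OpenID 2.0 positive assertion (association mode).

Added example: OpenID Authentication 2.0 section 11 checks on a constructed
assertion. Stores, policy constants and sample data are assumptions.
"""
import base64
import calendar
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlsplit

OPENID2_NS = "http://specs.openid.net/auth/2.0"
NONCE_TS_LEN = len("2005-05-15T17:11:51Z")   # RFC 3339 UTC prefix the spec mandates
NONCE_MAX_SKEW = 300                          # assumed policy: +/- 5 minutes
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}


class VerificationError(ValueError):
    pass


def kv_form(params, signed):
    """Key-Value form of the signed fields: exactly the bytes the OP signed."""
    try:
        return "".join(f"{f}:{params['openid.' + f]}\n" for f in signed)
    except KeyError as e:
        raise VerificationError(f"signed field {e} absent from response")


def sign(params, signed, mac_key, assoc_type):
    digest = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}[assoc_type]
    mac = hmac.new(mac_key, kv_form(params, signed).encode(), digest).digest()
    return base64.b64encode(mac).decode()


def check_return_to(return_to, request_url):
    """11.1: same scheme/authority/path, and every return_to query param echoed."""
    rt, req = urlsplit(return_to), urlsplit(request_url)
    if (rt.scheme, rt.netloc, rt.path) != (req.scheme, req.netloc, req.path):
        raise VerificationError("return_to does not match the receiving URL")
    echoed = parse_qsl(req.query, keep_blank_values=True)
    for kv in parse_qsl(rt.query, keep_blank_values=True):
        if kv not in echoed:
            raise VerificationError(f"return_to parameter {kv[0]!r} missing or altered")


def check_nonce(nonce, op_endpoint, seen, now):
    """11.3: well-formed, fresh, and never accepted before from this OP."""
    if not (NONCE_TS_LEN <= len(nonce) <= 255):
        raise VerificationError("response_nonce has bad length")
    if not all(33 <= ord(c) <= 126 for c in nonce[NONCE_TS_LEN:]):
        raise VerificationError("response_nonce has illegal characters")
    try:
        issued = calendar.timegm(time.strptime(nonce[:NONCE_TS_LEN], "%Y-%m-%dT%H:%M:%SZ"))
    except ValueError:
        raise VerificationError("response_nonce timestamp malformed")
    if abs(now - issued) > NONCE_MAX_SKEW:
        raise VerificationError("response_nonce outside accepted time window")
    if (op_endpoint, nonce) in seen:
        raise VerificationError("response_nonce already used (replay)")
    seen.add((op_endpoint, nonce))  # in a cluster this set must be shared storage


def verify_assertion(params, request_url, discovered, associations, seen, now):
    """Run every check; return the claimed identifier only if all of them pass."""
    if params.get("openid.ns") != OPENID2_NS or params.get("openid.mode") != "id_res":
        raise VerificationError("not an OpenID 2.0 positive assertion")
    check_return_to(params["openid.return_to"], request_url)
    # 11.2: the endpoint must be the one *we* discovered for the claimed id, not
    # whatever the response says; otherwise any OP could assert any identifier.
    claimed = params.get("openid.claimed_id")
    if discovered.get(claimed) != params.get("openid.op_endpoint"):
        raise VerificationError("op_endpoint does not match discovered information")
    # 11.4: the signed list must cover the mandatory fields before the MAC means anything.
    signed = params.get("openid.signed", "").split(",")
    missing = REQUIRED_SIGNED - set(signed)
    missing |= {f for f in ("claimed_id", "identity") if "openid." + f in params and f not in signed}
    if missing:
        raise VerificationError(f"signed list omits {sorted(missing)}")
    if "openid.invalidate_handle" in params or params.get("openid.assoc_handle") not in associations:
        # A full RP falls back to direct verification (check_authentication) here; not shown.
        raise VerificationError("unknown or invalidated association handle")
    mac_key, assoc_type = associations[params["openid.assoc_handle"]]
    if not hmac.compare_digest(sign(params, signed, mac_key, assoc_type), params.get("openid.sig", "")):
        raise VerificationError("bad signature")
    # Nonce last: only a genuinely signed response may consume a nonce from the store.
    check_nonce(params["openid.response_nonce"], params["openid.op_endpoint"], seen, now)
    return claimed


# --- constructed sample data, not captured from any real OP or RP ---
MAC_KEY = b"0123456789abcdef0123456789abcdef"
ASSOCIATIONS = {"assoc-123": (MAC_KEY, "HMAC-SHA256")}          # assumed association store
DISCOVERED = {"https://alice.example.org/": "https://op.example.org/endpoint"}  # assumed discovery cache
REQUEST_URL = "https://rp.example.net/openid/return?sid=abc&openid.mode=id_res"
NOW = calendar.timegm(time.strptime("2010-02-09T07:54:00Z", "%Y-%m-%dT%H:%M:%SZ"))


def make_assertion(op_endpoint="https://op.example.org/endpoint"):
    """What a well-behaved OP would return for the sample association (constructed)."""
    p = {"openid.ns": OPENID2_NS, "openid.mode": "id_res", "openid.op_endpoint": op_endpoint,
         "openid.claimed_id": "https://alice.example.org/", "openid.identity": "https://alice.example.org/",
         "openid.return_to": "https://rp.example.net/openid/return?sid=abc",
         "openid.response_nonce": "2010-02-09T07:54:00Zk9Qw", "openid.assoc_handle": "assoc-123"}
    signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
    p["openid.signed"] = ",".join(signed)
    p["openid.sig"] = sign(p, signed, MAC_KEY, "HMAC-SHA256")
    return p


def outcome(params, seen=None, now=NOW):
    """Claimed id on success, or 'rejected: <reason>' (demo helper)."""
    try:
        return verify_assertion(params, REQUEST_URL, DISCOVERED, ASSOCIATIONS,
                                set() if seen is None else seen, now)
    except VerificationError as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    store = set()
    print(outcome(make_assertion(), store))                        # accepted
    print(outcome(make_assertion(), store))                        # replayed nonce
    print(outcome(make_assertion("https://evil.example.com/op")))  # wrong OP for that id
```

Note the ordering: the endpoint comparison runs against the RP's own stored discovery result, which is what closes the hole the report describes for user-supplied OP URLs, and the nonce is consumed only after the signature verifies so that unsigned junk cannot burn entries in the nonce store.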