
Anonymous committed 4625a6f

Ignoring missing nonce


Files changed (1)

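--- a/openid2rp/django/auth.py
+++ b/openid2rp/django/auth.py
 			signed=openid2rp.authenticate(session, query)
 		except Exception, e:
 			raise AuthenticationError(str(e))
-		# check for replay attack
-		nonce = request.GET['openid.response_nonce']
-		timestamp = openid2rp.parse_nonce(nonce)		
-		if timestamp < datetime.datetime.utcnow() - maxTimeShift - maxLoginDelay: 
-			raise TookTooLongError()
-		elif knownNonce(nonce):
-			raise ReplayAttackError()
-		storeNonce(nonce)
+		# check for replay attack, only available with OpenID 2 providers
+		if 'openid.response_nonce' in request.GET:
+			nonce = request.GET['openid.response_nonce']
+			timestamp = openid2rp.parse_nonce(nonce)		
+			if timestamp < datetime.datetime.utcnow() - maxTimeShift - maxLoginDelay: 
+				raise TookTooLongError()
+			elif knownNonce(nonce):
+				raise ReplayAttackError()
+			storeNonce(nonce)
 
 		# provider-based auth returns claim id, OpenID not (if I got that right) - in this case we take the one stored in the session found by assocHandle
 		if 'openid.claimed_id' in request.GET: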
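Review bot: Making the replay check conditional on `'openid.response_nonce' in request.GET` ties the protection to a value taken from the query string, so a response that simply omits the parameter skips the timestamp, known-nonce and storeNonce steps entirely; whether openid2rp.authenticate separately enforces the nonce is not visible in this hunk. The intent stated in the new comment is to skip the check only for OpenID 1.x providers, and that decision should come from the negotiated protocol version rather than from the absence of the field: an OpenID 2.0 positive assertion carries `openid.ns` and is required to include `openid.response_nonce`. Before the new `if`, reject the inconsistent case, for example `if request.GET.get('openid.ns') == 'http://specs.openid.net/auth/2.0' and 'openid.response_nonce' not in request.GET:` followed by `raise AuthenticationError('OpenID 2.0 response without openid.response_nonce')`, and consider logging the skipped check for 1.x responses so it is visible in audit trails. The enclosing function starts outside the hunk. Minor: the new lines for `timestamp = ...` and the `if timestamp < ...` carry trailing whitespace copied from the old lines.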