openid2rp / openid2rp /

Author Commit Message Labels Comments Date
Martin von Löwis
Parse port number out of URL.
Martin von Löwis
Redo verification procedure, in openid2rp.verify.
Martin von Löwis
Drop usage of cookies.
Martin von Löwis
Fix exception for defaultdict.
Martin von Löwis
Streamline session handling.
Update demo app to reuse associations.
Prevent a malicious user who controls an OP-local identifier from impersonating claimed identifiers that the OP is authorized to make assertions about, but that the user doesn't control.
Add 1.1 compatibility: RP MUST keep track of what claimed identifier was used to discover the OP-local identifier, for example by keeping it in session state.
Cache discovered OP endpoint URL to avoid repeating discovery when verifying assertions. When verifying assertions, OP endpoint URL is used to get an association if one is stored, and to perform direct verification otherwise.
Extend demo app to demonstrate direct verification. Use discovered OP endpoint URL to perform direct verification.
Key associations on OP endpoint URL *and* assoc_handle, to prevent a malicious user from causing us to establish an association with an OP that it controls, then forging assertions from an OP that it doesn't control.
Martin von Löwis
Use IPv6/v4 wildcard if requested.
Martin von Löwis
Properly process cancel responses.
Martin von Löwis
Implement XRI resolution.
Peter Tröger
Changed module to a package.