Issue #10 new

Do not mark timing issues as replay attack

Peter Tröger
created an issue

The current version 1.12 detects replay attacks that are not given when the web server time is out of sync:

    # Check the nonce. OpenID 1.1 doesn't have them
    if 'openid.response_nonce' in response:
        nonce = response['openid.response_nonce'][0]
        timestamp = parse_nonce(nonce)
        if _total_seconds(datetime.datetime.utcnow() - timestamp) > 300:
            # allow for at most 300s transmission time and time shift
            # HERE HERE HERE
            raise NotAuthenticated(NotAuthenticated.REPLAY_ATTACK)
        if nonce_seen(nonce):
            raise NotAuthenticated(NotAuthenticated.REPLAY_ATTACK)
    elif ns:
        raise NotAuthenticated(NotAuthenticated.MISSING_NONCE)
    return signed, claimed_id

I would propose to make the timeout a separate error type, which would allow the application to react more specifically, instead of scaring the end user.
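One way to split the two failure modes, as an added example that is not the library's own code: it assumes the OpenID 2.0 response_nonce format (a UTC timestamp `YYYY-MM-DDThh:mm:ssZ` followed by a random suffix), the 300 s window from the snippet above, and hypothetical exception classes NonceExpired, ReplayAttack and MissingNonce. Unlike the snippet, it also rejects nonces that lie too far in the future, which is what a server clock running behind the provider would produce.

```python
import datetime
import re

# Maximum transmission time plus clock skew; matches the 300 s in the snippet above.
MAX_SKEW = datetime.timedelta(seconds=300)
# Constructed "current time" for the assertions below (hypothetical value).
EXAMPLE_NOW = datetime.datetime(2024, 1, 1, 12, 0, 0)

class NotAuthenticated(Exception):
    """Base class for every verification failure (hypothetical hierarchy)."""

class ReplayAttack(NotAuthenticated):
    """The nonce was already consumed: a genuine replay."""

class NonceExpired(NotAuthenticated):
    """Nonce timestamp outside the window: slow transport or clock skew, not an attack."""

class MissingNonce(NotAuthenticated):
    """An OpenID 2.0 response arrived without openid.response_nonce."""

# OpenID 2.0 nonce: ISO 8601 UTC timestamp with a literal 'Z', then arbitrary ASCII.
_NONCE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z(.*)$")

def parse_nonce(nonce):
    """Return the naive UTC timestamp embedded in an OpenID 2.0 response nonce."""
    match = _NONCE_RE.match(nonce)
    if match is None:
        raise NotAuthenticated("malformed nonce")
    return datetime.datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%S")

def check_nonce(response, seen, now=None, is_openid2=True):
    """Validate openid.response_nonce; record it in `seen` only when accepted."""
    if now is None:
        now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    if "openid.response_nonce" not in response:
        if is_openid2:            # OpenID 1.1 responses legitimately have no nonce
            raise MissingNonce()
        return None
    nonce = response["openid.response_nonce"][0]
    skew = now - parse_nonce(nonce)
    if abs(skew) > MAX_SKEW:      # too old OR too far in the future: timing, not replay
        raise NonceExpired("nonce timestamp off by %s" % skew)
    if nonce in seen:             # only a previously accepted nonce counts as a replay
        raise ReplayAttack()
    seen.add(nonce)               # expired nonces never enter the set, so it stays bounded
    return nonce

def classify(response, seen, now, is_openid2=True):
    """Name the outcome of the check, e.g. for a log line or an application-level branch."""
    try:
        check_nonce(response, seen, now, is_openid2)
    except NotAuthenticated as exc:
        return type(exc).__name__
    return "ok"
```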

Comments (2)
