Do not mark timing issues as a replay attack
The current version 1.12 reports a replay attack in a situation where none has occurred: when the web server's clock is out of sync with the OpenID provider's clock:
    # Check the nonce. OpenID 1.1 doesn't have them
    if 'openid.response_nonce' in response:
        nonce = response['openid.response_nonce']
        timestamp = parse_nonce(nonce)
        if _total_seconds(datetime.datetime.utcnow() - timestamp) > 300:
            # allow for at most 300s transmission time and time shift
            # HERE HERE HERE
            raise NotAuthenticated(NotAuthenticated.REPLAY_ATTACK)
        if nonce_seen(nonce):
            raise NotAuthenticated(NotAuthenticated.REPLAY_ATTACK)
    elif ns:
        raise NotAuthenticated(NotAuthenticated.MISSING_NONCE)
    return signed, claimed_id
I would propose to make timeout a separate error type, which would allow the application to react more specifically, instead of scaring the end user.
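The following is an added illustration of the proposed split, not the library's own code: it keeps the 300-second window from the excerpt above but reports a stale (or future-dated) nonce with a separate TIMEOUT code, reserving REPLAY_ATTACK for a nonce that has actually been accepted before. The NotAuthenticated class, the TIMEOUT code and the check_nonce/classify helpers are assumptions; only the OpenID 2.0 response_nonce format (UTC timestamp "YYYY-MM-DDThh:mm:ssZ" plus a unique suffix) is taken from the protocol.

```python
import datetime

# Assumed error class, modelled on the page's NotAuthenticated, with a
# distinct TIMEOUT code added as the report proposes (names are assumptions).
class NotAuthenticated(Exception):
    MISSING_NONCE = "missing_nonce"
    REPLAY_ATTACK = "replay_attack"
    TIMEOUT = "timeout"  # clock skew / slow transmission, not an attack

    def __init__(self, code):
        super().__init__(code)
        self.code = code

MAX_SKEW = 300  # seconds of transmission time plus clock drift tolerated

def parse_nonce(nonce):
    """OpenID 2.0 response_nonce starts with a 20-char UTC timestamp."""
    return datetime.datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ")

def check_nonce(response, seen, now=None):
    """Accept the nonce once, or raise with a code that tells clock skew
    apart from a genuine replay.  `seen` is the set of accepted nonces.
    Assumes an OpenID 2.0 response, so a missing nonce is always an error."""
    if 'openid.response_nonce' not in response:
        raise NotAuthenticated(NotAuthenticated.MISSING_NONCE)
    nonce = response['openid.response_nonce']
    if now is None:
        now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    age = (now - parse_nonce(nonce)).total_seconds()
    # Outside the window the nonce is still rejected (so the seen-store only
    # needs to remember recent nonces), but the cause is reported as a
    # timing problem the application can handle, e.g. by checking its clock.
    if abs(age) > MAX_SKEW:
        raise NotAuthenticated(NotAuthenticated.TIMEOUT)
    # A nonce inside the window that was already accepted is the real
    # replay signal.
    if nonce in seen:
        raise NotAuthenticated(NotAuthenticated.REPLAY_ATTACK)
    seen.add(nonce)
    return nonce

def classify(response, seen, now=None):
    """Return the outcome code instead of raising, for demonstration."""
    try:
        check_nonce(response, seen, now)
        return "ok"
    except NotAuthenticated as err:
        return err.code
```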