This queue is for tickets about the Net-OpenID-Consumer CPAN distribution.

Report information

The Basics
Id: 41307
Status: resolved
Priority: Low/Low

People
Owner: MART [...] cpan.org
Requestors: MART [...] cpan.org
Cc:
AdminCc:

BugTracker
Severity: Important
Broken in: 1.01, 1.02
Fixed in: (no value)

Subject: 2.0 spec requires certain response fields to be signed, but Consumer doesn't enforce this.
The 2.0 spec requires the following fields to be signed: "op_endpoint", "return_to", "response_nonce" and "assoc_handle" MUST be present and signed. "claimed_id" and "identity" must be signed only if they are present in the message. Currently Consumer doesn't verify this and will accept a message where none of the above are signed.
Fixed in 1.03.
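
The coverage check the ticket describes, as an added example; this is not code from Net::OpenID::Consumer or from its 1.03 fix. The helper name `signed_field_problems`, the hashref input keyed with the `openid.` prefix, and all sample values are assumptions made for illustration.

```perl
use strict;
use warnings;

# Must be present AND listed in openid.signed (per the ticket).
my @ALWAYS     = qw(op_endpoint return_to response_nonce assoc_handle);
# Must be listed in openid.signed only when present in the message.
my @IF_PRESENT = qw(claimed_id identity);

# Hypothetical helper, not the module's API. Takes a hashref of response
# parameters keyed with the "openid." prefix; returns a list of problems
# (an empty list means the signed-field coverage is acceptable).
sub signed_field_problems {
    my ($params) = @_;
    my $signed = $params->{'openid.signed'};
    return ('openid.signed is missing or empty')
        unless defined $signed && length $signed;

    # openid.signed is a comma-separated list of keys without the prefix.
    my %is_signed = map { $_ => 1 } split /,/, $signed;

    my @problems;
    for my $f (@ALWAYS) {
        if    (!exists $params->{"openid.$f"}) { push @problems, "$f is absent" }
        elsif (!$is_signed{$f})                { push @problems, "$f is not signed" }
    }
    for my $f (@IF_PRESENT) {
        push @problems, "$f is not signed"
            if exists $params->{"openid.$f"} && !$is_signed{$f};
    }
    return @problems;
}

# Constructed sample responses (all values are made up for illustration).
my %base = (
    'openid.op_endpoint'    => 'https://op.example.com/server',
    'openid.return_to'      => 'https://rp.example.org/return',
    'openid.response_nonce' => '2000-01-01T00:00:00Zconstructed',
    'openid.assoc_handle'   => 'constructed-handle',
    'openid.claimed_id'     => 'https://user.example.com/',
    'openid.identity'       => 'https://user.example.com/',
);
my %cases = (
    'all covered'       => { %base, 'openid.signed' =>
        'op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity' },
    'optional unsigned' => { %base, 'openid.signed' =>
        'op_endpoint,return_to,response_nonce,assoc_handle' },
    'nothing relevant'  => { %base, 'openid.signed' => 'mode' },
);
for my $name (sort keys %cases) {
    my @p = signed_field_problems($cases{$name});
    printf "%-18s %s\n", $name, @p ? 'REJECT: ' . join('; ', @p) : 'ok';
}
```

This check only confirms which fields the signature claims to cover; the signature in `openid.sig` still has to be verified over those fields separately.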

