When user is returned from IdP (mode = id_res), a list of signed attributes and
a signature is included. There is no guarantee that all attributes (AX
attributes or SReg attributes) will be signed. This allows an attacker to
assert attributes that are unsigned, and if the relying party uses them, they
can be falsified.
For relying parties who need to have confidence in those items, there should be
a way to tell which attributes are signed, or to only request attributes that
are signed. Perhaps a flag to getAttributes($signedOnly = false);
I can work up a patch if you agree.
Original issue reported on code.google.com by [email protected] on 9 Apr 2013 at 2:57
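The signed-only filter the report asks for, as an added example in Python rather than the project's own PHP (this is not the project's code): it resolves the AX and SReg namespace aliases from `openid.ns.*`, marks an attribute as signed only when every field it depends on (including the `ns.<alias>` declaration) is listed in `openid.signed`, and drops the rest when `signed_only` is set. The response dict and its values are constructed for the example, and the signature over `openid.signed` is assumed to have been verified beforehand.

```python
# Added example (not the project's code): classify OpenID 2.0 id_res attributes
# as signed or unsigned from openid.signed, optionally keeping only signed ones.
from typing import Dict, Optional

AX_NS = "http://openid.net/srv/ax/1.0"
SREG_NS = "http://openid.net/extensions/sreg/1.1"


def _alias_for(params: Dict[str, str], ns_uri: str) -> Optional[str]:
    """Resolve the extension alias (e.g. 'ax') declared via openid.ns.<alias>."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == ns_uri:
            return key[len("openid.ns."):]
    return None


def get_attributes(params: Dict[str, str], signed_only: bool = False) -> Dict[str, dict]:
    """Return {name: {"value": ..., "signed": bool}} for AX and SReg attributes.

    Assumes openid.sig has already been verified against the openid.signed
    fields. A field is signed only if its name (without 'openid.') is in
    openid.signed; AX needs ns.<alias>, <alias>.type.X and <alias>.value.X.
    """
    signed = set(params.get("openid.signed", "").split(","))
    result: Dict[str, dict] = {}
    ax = _alias_for(params, AX_NS)
    if ax:
        prefix = f"openid.{ax}.value."
        for key, value in params.items():
            if key.startswith(prefix):
                alias = key[len(prefix):]
                type_uri = params.get(f"openid.{ax}.type.{alias}", alias)
                needed = {f"ns.{ax}", f"{ax}.type.{alias}", f"{ax}.value.{alias}"}
                result[type_uri] = {"value": value, "signed": needed <= signed}
    sreg = _alias_for(params, SREG_NS)
    if sreg:
        prefix = f"openid.{sreg}."
        for key, value in params.items():
            if key.startswith(prefix):
                field = key[len(prefix):]
                needed = {f"ns.{sreg}", f"{sreg}.{field}"}
                result[f"sreg:{field}"] = {"value": value, "signed": needed <= signed}
    if signed_only:
        return {k: v for k, v in result.items() if v["signed"]}
    return result


# Constructed id_res response: the OP signed the AX email, while an unsigned
# SReg nickname has been appended to the query string by someone else.
SAMPLE_RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.ns.ax": AX_NS,
    "openid.ax.mode": "fetch_response",
    "openid.ax.type.email": "http://axschema.org/contact/email",
    "openid.ax.value.email": "alice@example.com",
    "openid.ns.sreg": SREG_NS,
    "openid.sreg.nickname": "admin",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.ax,ax.mode,ax.type.email,ax.value.email",
    "openid.sig": "base64-signature-placeholder",
}
```

With `signed_only=True` the nickname disappears and only the email attribute, whose type, value and namespace declaration are all covered by the signature, is returned.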