Janrain OpenId vs lightopenid PHP库 [英] Janrain OpenId vs lightopenid PHP libraries

问题描述

Janrain的PHP OpenID 库的PHP实现和 LightOpenID .

一个比另一个安全吗?

根据 Google的最佳做法页面:

正确的OpenID实现必须:

A correct OpenID implementation has to:

1. 涵盖对加密签名的检查

1. cover checking of cryptographic signatures

随机数检查

Yadis发现

我猜想Janrain的库确实可以满足Google推荐的所有这些要求，但是LightOpenID是否满足1& 2.

I'm guessing the Janrain's library does fulfill all these requirements as Google recommends the library, but is the LightOpenID fulfilling 1 & 2.

推荐答案

LightOpenID使用该协议的无状态版本，使其比Janrain的库简单得多.

LightOpenID uses the stateless version of the protocol, making it a lot simpler than the Janrain's library.

无状态版本将验证(与加密，随机数等有关的任何事情)委托给提供者，因此LightOpenID不会自行检查.但是，它确实遵循了规范，因此，这不是安全问题.

The stateless version delegates validation (anything related to cryptography, nonces, etc.) to the provider, so LightOpenID doesn't check that by itself. It does, however, follow the spec in that matter, so it isn't a security issue.

这篇关于Janrain OpenId vs lightopenid PHP库的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！