Janrain OpenId vs lightopenid PHP libraries

Submitted by 别来无恙 on 2019-12-23 21:12:11

Question


What are the differences between the PHP implementation of Janrain's PHP OpenID library and the LightOpenID?

Is one more secure than the other?

According to Google's best practices page:

A correct OpenID implementation has to:

  1. cover checking of cryptographic signatures

  2. checking of nonces

  3. Yadis discovery

I'm guessing Janrain's library does fulfill all these requirements, as Google recommends the library, but does LightOpenID fulfill 1 & 2?


Answer 1:


LightOpenID uses the stateless version of the protocol, making it a lot simpler than Janrain's library.

The stateless version delegates validation (anything related to cryptography, nonces, etc.) to the provider, so LightOpenID doesn't check that by itself. It does, however, follow the spec in that matter, so it isn't a security issue.



Source: https://stackoverflow.com/questions/10281007/janrain-openid-vs-lightopenid-php-libraries
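
The stateless verification described in the answer, sketched as an added example (not part of the original post and not LightOpenID's code): the relying party returns the assertion to the provider with the mode switched to `check_authentication` and accepts the login only on an exact `is_valid:true` reply. Function names and all sample values are hypothetical.

```php
<?php
// Added illustration of OpenID 2.0 stateless ("direct") verification.
// Function names and all sample values are hypothetical and constructed.

// Build the body the relying party POSTs back to the provider's endpoint.
function buildCheckAuthBody(array $assertion): string
{
    $params = [];
    foreach ($assertion as $key => $value) {
        if (strpos($key, 'openid.') === 0) {
            $params[$key] = $value; // copy every openid.* field unchanged
        }
    }
    $params['openid.mode'] = 'check_authentication'; // only the mode changes
    return http_build_query($params, '', '&');
}

// Parse the provider's reply, which is newline-separated "key:value" lines.
function parseKeyValueForm(string $body): array
{
    $fields = [];
    foreach (explode("\n", $body) as $line) {
        $pos = strpos($line, ':');
        if ($pos !== false) {
            $fields[substr($line, 0, $pos)] = substr($line, $pos + 1);
        }
    }
    return $fields;
}

// Fail closed: accept the login only on an exact "is_valid:true".
function providerConfirmed(string $body): bool
{
    return (parseKeyValueForm($body)['is_valid'] ?? '') === 'true';
}

$assertion = [ // constructed sample of a positive assertion
    'openid.ns'             => 'http://specs.openid.net/auth/2.0',
    'openid.mode'           => 'id_res',
    'openid.claimed_id'     => 'https://user.example/',
    'openid.response_nonce' => '2012-04-23T12:00:00Zn0nc3',
    'openid.assoc_handle'   => 'constructed-handle',
    'openid.signed'         => 'claimed_id,response_nonce,assoc_handle',
    'openid.sig'            => 'Y29uc3RydWN0ZWQ=',
];
echo buildCheckAuthBody($assertion), "\n";
var_dump(providerConfirmed("ns:http://specs.openid.net/auth/2.0\nis_valid:true\n"));
var_dump(providerConfirmed("ns:http://specs.openid.net/auth/2.0\nis_valid:false\n"));
```

Because the provider is the party checking the signature and nonce in this mode, the reply is only as trustworthy as the channel it arrives on, so the POST belongs on HTTPS.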
