Janrain OpenId vs lightopenid PHP libraries
https://stackoverflow.com/questions/10281007
-
02-06-2021 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
What are the differences between the PHP implementation of Janrain's PHP OpenID library and the LightOpenID.
Is one more secure than the other?
According to Google's best practices page:
A correct OpenID implementation has to:
cover checking of cryptographic signatures
checking of nonces
Yadis discovery
I'm guessing the Janrain's library does fulfill all these requirements as Google recommends the library, but is the LightOpenID fulfilling 1 & 2.
Solution
LightOpenID uses the stateless version of the protocol, making it a lot simpler than the Janrain's library.
The stateless version delegates validation (anything related to cryptography, nonces, etc.) to the provider, so LightOpenID doesn't check that by itself. It does, however, follow the spec in that matter, so it isn't a security issue.
