On 8/03/2014 5:44 AM, Chris Karlof wrote: > Is the enforcement of "allowed_issuers" being tested in the token server > anywhere?
I confirmed it with manual testing against prod - stage with accept assertions issued by mockmyid.com, prod refuses them with the appropriate 401 error. > On 9/03/2014 11:58 AM, Francois Marier wrote: >> Longer term it would be nice for "allowed_issuers" to be supported in >>> the verifier. There are lots of opportunities for mistakes here. We're >>> asking reliers to use a more general purpose verifier for a specific >>> use case, and relying on them to do the right security checks. Recipe >>> for problems. >> >> I believe that's the purpose of the "trustedIssuers" config option: >> >> https://github.com/mozilla/browserid-local-verify#verification-specific It's not quite the same semantic. The "trusted issuers" are the ones that we trust to act as secondary identity providers, i.e. to assert identity for any email address regardless of domain. We need the additional restriction of "allowed issuers" to prevent us accept primary-backed assertions from arbitrary domains. Ryan _______________________________________________ Sync-dev mailing list [email protected] https://mail.mozilla.org/listinfo/sync-dev
