oic is vulnerable to cipher downgrade attacks. The vulnerability exists because the IdToken
signature algorithm is not checked automatically, the JWA none algorithm is always allowed,
the IdToken returned from oic.consumer.Consumer.parse_authz is not verified, and the iat
claim is not checked for sanity.
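
The checks named above, written out as an added example (this is not code from oic or its maintainers): a relying party pins the signing algorithm it expects, refuses none, and bounds iat before it trusts an ID token. The names precheck_id_token and make_sample and the max_age and skew defaults are assumptions made for illustration; the signature itself must still be verified afterwards with a JOSE library and the provider's key.

```python
import base64
import json
import time

class IdTokenRejected(Exception):
    """Raised when a token fails a check that must precede trusting it."""

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _decode(segment):
    # Restore the base64url padding that compact JWS serialization strips.
    obj = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj

def precheck_id_token(token, expected_alg, now=None, max_age=300, skew=60):
    """Check header alg and iat; return claims. The signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenRejected("not a three-part compact JWS")
    try:
        header, claims = _decode(parts[0]), _decode(parts[1])
    except ValueError as exc:
        raise IdTokenRejected("undecodable header or payload") from exc
    alg = header.get("alg")
    if not isinstance(alg, str) or alg.lower() == "none" or not parts[2]:
        raise IdTokenRejected("unsigned token (alg none or empty signature)")
    if alg != expected_alg:
        # The token's own header must never choose the verification algorithm.
        raise IdTokenRejected("alg differs from the algorithm agreed for this client")
    iat = claims.get("iat")
    if isinstance(iat, bool) or not isinstance(iat, (int, float)) or iat != iat:
        raise IdTokenRejected("iat missing or not a number")
    now = time.time() if now is None else now
    if iat > now + skew:
        raise IdTokenRejected("iat is in the future")
    if iat < now - max_age - skew:
        raise IdTokenRejected("iat is too old")
    return claims

def make_sample(header, claims, sig=b"constructed-not-a-real-signature"):
    """Build a constructed sample token; the signature bytes are filler."""
    enc = lambda o: _b64url(json.dumps(o).encode())
    return ".".join([enc(header), enc(claims), _b64url(sig)])
```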