ZF-3138: Nonces should be unique by Identity Provider.

Description

The isUniqueNonce function doesn't provide a way to pass in the IdP endpoint URL.

According to the spec, nonces shouldn't be unique overall, just by provider. In a high traffic environment it's possible that legitimate nonce collisions could occur, though it will only happen occasionally.

The spec says (11.3):

'To prevent replay attacks, the agent checking the signature keeps track of the nonce values included in positive assertions and never accepts the same value more than once for the same OP Endpoint URL.'

The Zend_OpenId_Consumer_Storage interface needs to be altered to allow for unique nonces by endpoint provider, and the verify function in the consumer should start passing in the endpoint provider.

Comments

We don't have a fix for this one, because I was afraid to alter the interface without checking in.

Marking as fixed for next minor release pending merge of changes to release-1.5 branch.

Updating for the 1.6.0 release.