openid_complete should normalize $response['openid.claimed_id'] before discovery

Needs to be rerolled because of other OpenID patches going in.

#2: openid-normalize-1.patch queued for re-testing.

Looks solid, and I like the extra tests. Committed to CVS HEAD. Another critical bug bites the dust.

This is a straight backport for D6.

Follow-up bug-fix: #803294: OpenID discovery and login tests fail on HTTPS site

Reroll.

Patch still applies. The testbot has an issue with D6 patches at the moment (#961172).

#12: openid-normalize-D6-2.patch queued for re-testing.

This "critical fix" introduced probably more critical bug in D7 #1076366-12: OpenID discovery spec violation - fragments are removed from claimed id . Fortunately it has not been commited to D6 yet.

+++ modules/openid/openid.module	23 Nov 2010 23:17:20 -0000
@@ -234,24 +234,30 @@ function openid_complete($response = arr
+            $response['openid.claimed_id'] = _openid_normalize($response['openid.claimed_id']);

This is wrong, now you are stripping the fragment which is important for identifier recycling. Claimed ID "SHOULD" be stored with this fragment by the Relying party as specs are saying.

Powered by Dreditor.

By reading the spec it is not very clear that you have to normalize the identifier before doing discovery.

@Heine, is this bug report based on a concrete problem with some OpenID provider?

@Heine: yop, it is slightly uncertain and doubtful and we are not alone in those doubts. Some Openid libraries (JanRain) only strips fragment part and some Openid libraries (Zend Framework) normalize the claimed id as you have requested in the issue description. Most of the libraries only strips the fragment AFAIK.

Me and c960657 were discussing the fragment part stripping/url normalization here: #1076366-15: OpenID discovery spec violation - fragments are removed from claimed id

Is this issue fixed in the latest D6? is there any interest in pursuing this issue?

This "critical fix" introduced probably more critical bug in D7 #1076366-12: OpenID discovery spec violation - fragments are removed from claimed id . Fortunately it has not been commited to D6 yet.

I'm now focusing to fix the bug introduced by this issue to the D7, after that I can try to fix this... The current patch here is wrong and contains another criticitical error.