Index: modules/openid/openid.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/openid/openid.module,v
retrieving revision 1.77
diff -u -9 -p -r1.77 openid.module
--- modules/openid/openid.module	22 Mar 2010 18:55:45 -0000	1.77
+++ modules/openid/openid.module	22 Mar 2010 19:28:46 -0000
@@ -282,33 +282,36 @@ function openid_complete($response = arr
           // OpenID Authentication, section 7.3.2.3 and Appendix A.5:
           // The CanonicalID specified in the XRDS document must be used as the
           // account key. We rely on the XRI proxy resolver to verify that the
           // provider is authorized to respond on behalf of the specified
           // identifer (required per Extensible Resource Identifier (XRI)
           // (XRI) Resolution Version 2.0, section 14.3):
           if (!empty($service['claimed_id'])) {
             $response['openid.claimed_id'] = $service['claimed_id'];
           }
-          // OpenID Authentication, section 11.2:
-          // If the returned Claimed Identifier is different from the one sent
-          // to the OpenID Provider, we need to do discovery on the returned
-          // identifier to make sure that the provider is authorized to respond
-          // on behalf of this.
-          elseif ($service['version'] == 2 && $response['openid.claimed_id'] != openid_normalize($claimed_id)) {
-            $services = openid_discovery($response['openid.claimed_id']);
-            $uris = array();
-            foreach ($services as $discovered_service) {
-              if (in_array('http://specs.openid.net/auth/2.0/server', $discovered_service['types']) || in_array('http://specs.openid.net/auth/2.0/signon', $discovered_service['types'])) {
-                $uris[] = $discovered_service['uri'];
+          elseif ($service['version'] == 2) {
+            $response['openid.claimed_id'] = openid_normalize($response['openid.claimed_id']);
+            // OpenID Authentication, section 11.2:
+            // If the returned Claimed Identifier is different from the one sent
+            // to the OpenID Provider, we need to do discovery on the returned
+            // identififer to make sure that the provider is authorized to
+            // respond on behalf of this.
+            if ($response['openid.claimed_id'] != $claimed_id) {
+              $services = openid_discovery($response['openid.claimed_id']);
+              $uris = array();
+              foreach ($services as $discovered_service) {
+                if (in_array('http://specs.openid.net/auth/2.0/server', $discovered_service['types']) || in_array('http://specs.openid.net/auth/2.0/signon', $discovered_service['types'])) {
+                  $uris[] = $discovered_service['uri'];
+                }
+              }
+              if (!in_array($service['uri'], $uris)) {
+                return $response;
               }
-            }
-            if (!in_array($service['uri'], $uris)) {
-              return $response;
             }
           }
           else {
             $response['openid.claimed_id'] = $claimed_id;
           }
           $response['status'] = 'success';
         }
       }
     }
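Review bot: The new test `if ($response['openid.claimed_id'] != $claimed_id)` decides whether the section 11.2 discovery step is skipped, and it uses PHP's loose comparison, as does `in_array($service['uri'], $uris)` a few lines below. Normalized URLs are unlikely to be numeric strings, so this is probably not reachable in practice. Strict forms would still remove any dependence on what openid_normalize() returns: `if ($response['openid.claimed_id'] !== $claimed_id)` and `in_array($service['uri'], $uris, TRUE)`. The hunk also no longer normalizes `$claimed_id` here, which appears to rely on openid_begin() having stored it normalized; a mismatch would only trigger extra discovery, so it fails closed. The re-indented comment now reads "identififer" where the old one said "identifier", and openid_complete() starts and ends outside the hunk.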
Index: modules/openid/openid.test
===================================================================
RCS file: /cvs/drupal/drupal/modules/openid/openid.test,v
retrieving revision 1.16
diff -u -9 -p -r1.16 openid.test
--- modules/openid/openid.test	22 Mar 2010 18:48:20 -0000	1.16
+++ modules/openid/openid.test	22 Mar 2010 19:28:46 -0000
@@ -37,25 +37,34 @@ class OpenIDFunctionalTest extends Drupa
     // endpoint).
 
 
     // Yadis discovery (see Yadis Specification 1.0, section 6.2.5):
     // If the User-supplied Identifier is a URL, it may be a direct or indirect
     // reference to an XRDS document (a Yadis Resource Descriptor) that contains
     // the URL of the OpenID Provider Endpoint.
 
     // Identifier is the URL of an XRDS document.
-    $this->addIdentity(url('openid-test/yadis/xrds', array('absolute' => TRUE)), 2);
+    // The URL scheme is stripped in order to test that the supplied identifier
+    // is normalized in openid_begin().
+    $identity = url('openid-test/yadis/xrds', array('absolute' => TRUE));
+    $this->addIdentity(preg_replace('@^https?://@', '', $identity), 2, $identity);
 
     // Identifier is the URL of an XRDS document containing an OP Identifier
     // Element. The Relying Party sends the special value
     // "http://specs.openid.net/auth/2.0/identifier_select" as Claimed
     // Identifier. The OpenID Provider responds with the actual identifier.
-    $this->addIdentity(url('openid-test/yadis/xrds/server', array('absolute' => TRUE)), 2, url('openid-test/yadis/xrds/dummy-user', array('absolute' => TRUE)));
+    $identity = url('openid-test/yadis/xrds/dummy-user', array('absolute' => TRUE));
+    // Tell openid_test.module to respond with this identifier. The URL scheme
+    // is stripped in order to test that the returned identifier is normalized in
+    // openid_complete().
+    variable_set('openid_test_response', array('openid.claimed_id' => preg_replace('@^https?://@', '', $identity)));
+    $this->addIdentity(url('openid-test/yadis/xrds/server', array('absolute' => TRUE)), 2, $identity);
+    variable_set('openid_test_response', array());
 
     // Identifier is the URL of an HTML page that is sent with an HTTP header
     // that contains the URL of an XRDS document.
     $this->addIdentity(url('openid-test/yadis/x-xrds-location', array('absolute' => TRUE)), 2);
 
     // Identifier is the URL of an HTML page containing a <meta http-equiv=...>
     // element that contains the URL of an XRDS document.
     $this->addIdentity(url('openid-test/yadis/http-equiv', array('absolute' => TRUE)), 2);
 
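Review bot: Both added cases exercise only the accepting path, where a scheme-less identifier normalizes to the expected one. Nothing visible in this hunk asserts that openid_complete() rejects a response whose claimed_id differs from the one sent and whose discovery does not list the responding endpoint. Since the commit restructures exactly that section 11.2 check, a negative case would guard it: set `openid_test_response` to a claimed_id the test endpoint is not discoverable for and assert that the login is refused. The test method starts and ends outside the hunk, so such a case may already exist elsewhere.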
Index: modules/openid/tests/openid_test.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/openid/tests/openid_test.module,v
retrieving revision 1.11
diff -u -9 -p -r1.11 openid_test.module
--- modules/openid/tests/openid_test.module	22 Mar 2010 18:48:20 -0000	1.11
+++ modules/openid/tests/openid_test.module	22 Mar 2010 19:28:47 -0000
@@ -245,39 +245,26 @@ function _openid_test_endpoint_associate
  * a URL containing a signed message in the query string confirming the user's
  * identity.
  */
 function _openid_test_endpoint_authenticate() {
   module_load_include('inc', 'openid');
 
   // Generate unique identifier for this authentication.
   $nonce = _openid_nonce();
 
-  if (!isset($_REQUEST['openid_claimed_id'])) {
-    // openid.claimed_id is not used in OpenID 1.x.
-    $claimed_id = '';
-  }
-  elseif ($_REQUEST['openid_claimed_id'] == 'http://specs.openid.net/auth/2.0/identifier_select') {
-    // The Relying Party did not specify a Claimed Identifier, so the OpenID
-    // Provider decides on one.
-    $claimed_id = url('openid-test/yadis/xrds/dummy-user', array('absolute' => TRUE));
-  }
-  else {
-    $claimed_id = $_REQUEST['openid_claimed_id'];
-  }
-
   // Generate response containing the user's identity. The openid.sreg.xxx
   // entries contain profile data stored by the OpenID Provider (see OpenID
   // Simple Registration Extension 1.0).
   $response = variable_get('openid_test_response', array()) + array(
     'openid.ns' => OPENID_NS_2_0,
     'openid.mode' => 'id_res',
     'openid.op_endpoint' => url('openid-test/endpoint', array('absolute' => TRUE)),
-    'openid.claimed_id' => $claimed_id,
+    'openid.claimed_id' => !empty($_REQUEST['openid_claimed_id']) ? $_REQUEST['openid_claimed_id'] : '',
     'openid.identity' => $_REQUEST['openid_identity'],
     'openid.return_to' => $_REQUEST['openid_return_to'],
     'openid.response_nonce' => $nonce,
     'openid.assoc_handle' => 'openid-test',
     'openid.signed' => 'op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle',
   );
 
   // Sign the message using the MAC key that was exchanged during association.
   $association = new stdClass;
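Review bot: With the identifier_select branch removed, the mock endpoint echoes `$_REQUEST['openid_claimed_id']` back verbatim unless a test has set `openid_test_response`, and nothing at the `'openid.claimed_id' =>` line says so. A comment above the array would document the new contract, e.g. `// openid.claimed_id is echoed back as received; tests that send identifier_select must supply the identifier through the openid_test_response variable.` `openid.identity` is still taken from the request, so in the identifier_select case the response appears to carry the overridden claimed_id alongside an unmodified identity; it is worth confirming that this is intended. The function body continues past the end of the hunk.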
