OK, so I started noticing that auto-registration was no longer working with google and yahoo and it seemed that neither an email nor username was returned. I know google and yahoo both use ax instead of sreg, but in the past I can swear it was working with the openidselector_ax.module enabled.

Some investigation showed that the openidselector_ax.module still does its job of creating sreg entries from the ax entries but the problem is that as of Drupal version 6.23 (Feb 2012) the core openid module is now checking whether the sreg.email and sreg.nickname values are in the openid.signed list.

Problem is that the sreg.email and sreg.nickname entries created by openidselector_ax.module are not in the openid.signed list, so they are not taken into account.

To fix the problem, I have added the following code to the end of function openid_selector_ax_openid_response_alter() in openidselector_ax.module

  // Core openid module only auto-register if sreg.nickname and sreg.email
  // are present in openid.signed list
  // If sreg.email is not present and another openid value.mail is
  // present then let's add both email and nickname to the list
  $signed_keys = explode(',', $response['openid.signed']);
  if (!in_array('sreg.email', $signed_keys) &&
       (in_array('ax.value.email', $signed_keys)
       || in_array('ext1.value.mail_oa', $signed_keys)
       || in_array('ext1.value.mail_ons', $signed_keys)
       || in_array('ext1.value.mail_son', $signed_keys)
       )) {
    $response['openid.signed'] .= ',sreg.email,sreg.nickname';
  }

I don't really understand what openid.signed is supposed to do, so I am only adding the sreg values as signed keys if the email is present as a signed key in another form.

In any case this seems to fix it for now... I don't have what I need right now to roll a proper patch and I would like somebody that understands what that openid.signed business is to review my code... I don't want to open a security hole...