[OpenID] setup_needed and user_setup_url
Martin Atkins
mart at degeneration.co.uk
Wed Dec 24 22:41:54 UTC 2008
In OpenID 1.1, there was an extra argument on the "setup needed"
response called user_setup_url, which gave a URL to send the user to to
do "setup" of some description.

This was removed in OpenID 2.0, under the assumption that the RP could
simply repeat the previous request as checkid_setup rather than
checkid_immediate and get the same effect with fewer round-trips.

It turns out that the Net::OpenID::Consumer Perl library doesn't work
when user_setup_url isn't present.

However, it's interesting to note that this wasn't apparent until
Net::OpenID::Server (the companion OP library) was "fixed" to not send
user_setup_url to OpenID 2.0 RPs.

This suggests to me that in fact all existing OpenID 2.0 OPs are sending
user_setup_url in the 2.0 case, or else I'd expect to have heard reports
of folks not being able to log in to sites using Net::OpenID::Consumer
(which includes LiveJournal, TypePad and several Movable Type-based
sites). I've heard no such reports and today was the first time I've
encountered it, after I updated TypePad's OP libraries.

So I guess what I'm driving at is should user_setup_url actually be sent
in the 2.0 case in practice, in spite of what the spec says?

It turns out that this is a difficult fix in Net::OpenID::Consumer since
the API would have to change in an incompatible way in order to support
doing setup via a checkid_setup request. If everyone's sending
user_setup_url anyway, I'd rather just fix the spec to describe what
everyone's doing (and change Net::OpenID::Server back) than cause
unnecessary pain for users of the library.

Thoughts?
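
Added example, not part of the original message and not code from Net::OpenID::Consumer: an RP-side handler in Python for a failed checkid_immediate that covers both response shapes discussed above (1.1 with user_setup_url, 2.0 with mode=setup_needed). The function names and sample parameters are assumptions; ignoring user_setup_url on 2.0 responses and accepting only http(s) values on 1.1 responses are choices made for this example.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

OPENID2_NS = "http://specs.openid.net/auth/2.0"


def repeat_as_checkid_setup(request_url):
    """Rebuild the original checkid_immediate request as checkid_setup."""
    parts = urlsplit(request_url)
    params = [
        (k, "checkid_setup" if k == "openid.mode" else v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(params)))


def setup_redirect(request_url, response):
    """Return the URL to send the user to, or None if no setup is needed.

    request_url: the checkid_immediate URL the RP originally sent.
    response:    dict of openid.* parameters received at return_to.
    """
    mode = response.get("openid.mode")
    if response.get("openid.ns") == OPENID2_NS:
        # OpenID 2.0: a negative immediate response is mode=setup_needed,
        # and the RP repeats the same request in checkid_setup mode.
        if mode != "setup_needed":
            return None
        return repeat_as_checkid_setup(request_url)
    # OpenID 1.1: a negative immediate response is mode=id_res carrying
    # user_setup_url; id_res without it is an assertion to verify instead.
    setup_url = response.get("openid.user_setup_url")
    if mode != "id_res" or setup_url is None:
        return None
    # The value arrives via the user's browser, so only follow web URLs.
    if urlsplit(setup_url).scheme not in ("http", "https"):
        raise ValueError("user_setup_url is not an http(s) URL")
    return setup_url
```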