[OpenID] openid.user_setup_url no longer in V2

Martin Atkins mart at degeneration.co.uk
Sun Sep 7 10:16:42 UTC 2008


Andrew Arnott wrote:
> Does anyone who helped with the V2 spec know why user_setup_url was 
> removed from negative immediate auth response messages?  I like the 
> overall changes, including that id_res is no longer sent in negative 
> cases, which just confused the question of whether an auth was good, but 
> user_setup_url was still helpful to some clients.
> 
> I wondered if it had to do with the identifier_select case, where OPs 
> might have a privacy leak that might expose the logged in user's 
> claimed/local IDs in the setup_needed message if the request was sent 
> with identifier_select.
> 

I believe this was just for simplicity's sake. The 1.1 flow was:

  * RP does immediate request.
  * OP responds with failure and setup URL.
  * RP sends user to setup URL.
  * OP does some setup.
  * RP repeats immediate request.
  * OP responds with positive assertion.

(or something along those lines.)

The equivalent flow in 2.0 is something like:

  * RP does immediate request.
  * Server responds with failure.
  * RP does non-immediate request.
  * OP does some setup.
  * OP responds with positive assertion.

The second non-immediate request functions as the setup step and the 
repeated immediate request rolled into one.
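As an added illustration (constructed here, not part of Martin's message or of the OpenID specification text), the two flows above simulated in Python, with a relying-party check showing why a 1.1 `id_res` has to be inspected for `openid.user_setup_url` before it is treated as a successful authentication. The OP setup URL and the identity URL are made-up placeholders, and signing, nonces and association handling are omitted so the flow stays visible.

```python
# Constructed simulation of OpenID 1.1 vs 2.0 immediate-mode flows.
# Messages are plain dicts of openid.* fields; no signatures or nonces.
NS_20 = "http://specs.openid.net/auth/2.0"
SETUP_URL = "https://op.example/setup?session=constructed"  # placeholder

def op_respond(request, version, setup_done):
    """Toy OP: answers a request the way each spec version does."""
    if request["openid.mode"] == "checkid_setup" or setup_done:
        # Positive assertion; 2.0 carries the namespace, 1.1 does not.
        resp = {"openid.mode": "id_res",
                "openid.identity": request["openid.identity"]}
        if version == "2.0":
            resp["openid.ns"] = NS_20
        return resp
    if version == "1.1":
        # 1.1: the negative answer is *also* id_res, told apart only by
        # the presence of user_setup_url.
        return {"openid.mode": "id_res", "openid.user_setup_url": SETUP_URL}
    # 2.0: a distinct mode, no setup URL.
    return {"openid.ns": NS_20, "openid.mode": "setup_needed"}

def is_positive_assertion(resp):
    """RP-side check: in 1.1, id_res alone does not mean success."""
    if resp.get("openid.mode") != "id_res":
        return False
    return "openid.user_setup_url" not in resp

def rp_authenticate(version, setup_done_initially=False):
    """Run the RP side of the flow from the thread; return the step list."""
    setup_done = setup_done_initially
    req = {"openid.mode": "checkid_immediate",
           "openid.identity": "https://alice.example/"}  # placeholder
    steps = ["checkid_immediate"]
    resp = op_respond(req, version, setup_done)
    if is_positive_assertion(resp):
        return steps + ["id_res"]
    if version == "1.1":
        steps.append("user -> " + resp["openid.user_setup_url"])
        setup_done = True                  # user completes setup at the OP
        steps.append("checkid_immediate")  # RP repeats the immediate request
        resp = op_respond(req, version, setup_done)
    else:
        steps.append(resp["openid.mode"])     # setup_needed
        req["openid.mode"] = "checkid_setup"  # setup and assertion in one step
        steps.append("checkid_setup")
        resp = op_respond(req, version, setup_done)
    assert is_positive_assertion(resp)
    return steps + ["id_res"]
```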
