only request account_verified if there are valid schemes registered for the endpoint

django_openid_auth/tests/test_views.py

@@ -1164,7 +1164,8 @@ class RelyingPartyTests(TestCase):
         self.assertEqual(['email', 'language'], sreg_request.required)
         self.assertEqual(['fullname', 'nickname'], sreg_request.optional)
 
-    def check_login_attribute_exchange(self, validation_type, is_verified):
+    def check_login_attribute_exchange(self, validation_type, is_verified,
+                                       request_account_verified=True):
         settings.OPENID_UPDATE_DETAILS_FROM_SREG = True
         user = User.objects.create_user('testuser', 'someone@example.com')
         useropenid = UserOpenID(
@@ -1208,8 +1209,10 @@ class RelyingPartyTests(TestCase):
         self.assertTrue(fetch_request.has_key(
                 'http://schema.openid.net/namePerson/friendly'))
         # Account verification:
-        self.assertTrue(fetch_request.has_key(
-                'http://ns.login.ubuntu.com/2013/validation/account'))
+        self.assertEqual(
+            fetch_request.has_key(
+                'http://ns.login.ubuntu.com/2013/validation/account'),
+            request_account_verified)
 
         # Build up a response including AX data.
         openid_response = openid_request.answer(True)
@@ -1261,6 +1264,10 @@ class RelyingPartyTests(TestCase):
         }
         self.check_login_attribute_exchange(None, is_verified=False)
 
+    def test_login_attribute_exchange_without_account_verified(self):
+        self.check_login_attribute_exchange(None, is_verified=False,
+                                            request_account_verified=False)
+
     def test_login_attribute_exchange_unrecognised_validation(self):
         settings.OPENID_VALID_VERIFICATION_SCHEMES = {
             self.provider.endpoint_url: ('token_via_email',),

django_openid_auth/views.py

@@ -169,7 +169,6 @@ def login_begin(request, template_name='openid/login.html',
                     redirect_field_name: redirect_to
                     }, context_instance=RequestContext(request))
 
-    error = None
     consumer = make_consumer(request)
     try:
         openid_request = consumer.begin(openid_url)
@@ -180,7 +179,8 @@ def login_begin(request, template_name='openid/login.html',
 
     # Request some user details.  If the provider advertises support
     # for attribute exchange, use that.
-    if openid_request.endpoint.supportsType(ax.AXMessage.ns_uri):
+    endpoint = openid_request.endpoint
+    if endpoint.supportsType(ax.AXMessage.ns_uri):
         fetch_request = ax.FetchRequest()
         # We mark all the attributes as required, since Google ignores
         # optional attributes.  We request both the full name and
@@ -198,10 +198,21 @@ def login_begin(request, template_name='openid/login.html',
                 ('http://schema.openid.net/contact/email', 'old_email'),
                 ('http://schema.openid.net/namePerson', 'old_fullname'),
                 ('http://schema.openid.net/namePerson/friendly',
-                 'old_nickname'),
-                ('http://ns.login.ubuntu.com/2013/validation/account',
-                 'account_verified')]:
+                 'old_nickname')]:
             fetch_request.add(ax.AttrInfo(attr, alias=alias, required=True))
+
+        # conditionally require account_verified attribute
+        verification_scheme_map = getattr(
+            settings, 'OPENID_VALID_VERIFICATION_SCHEMES', {})
+        valid_schemes = verification_scheme_map.get(
+            endpoint.server_url, verification_scheme_map.get(None, ()))
+        if valid_schemes:
+            # there are valid schemes configured for this endpoint, so
+            # request account_verified status
+            fetch_request.add(ax.AttrInfo(
+                'http://ns.login.ubuntu.com/2013/validation/account',
+                alias='account_verified', required=True))
+
         openid_request.addExtension(fetch_request)
     else:
         sreg_required_fields = []