From: Ben Darnell <ben@bendarnell.com>
Date: Sun, 14 Aug 2011 19:03:07 +0000 (-0700)
Subject: In case the callback_uri and the uri that called authenticate_redirect
X-Git-Tag: v2.1.0~49
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1882670c5f9dd9be5840e1fac91e3ef98ba1deeb;p=thirdparty%2Ftornado.git

In case the callback_uri and the uri that called authenticate_redirect
are different, use the callback as the openid realm.
---

diff --git a/tornado/auth.py b/tornado/auth.py
index cafe015f2..720d5f32a 100644
--- a/tornado/auth.py
+++ b/tornado/auth.py
@@ -107,7 +107,7 @@ class OpenIdMixin(object):
             "openid.identity":
                 "http://specs.openid.net/auth/2.0/identifier_select",
             "openid.return_to": url,
-            "openid.realm": self.request.protocol + "://" + self.request.host + "/",
+            "openid.realm": urlparse.urljoin(url, '/'),
             "openid.mode": "checkid_setup",
         }
         if ax_attrs:
diff --git a/website/sphinx/releases/next.rst b/website/sphinx/releases/next.rst
index 379950af8..5df4f3bab 100644
--- a/website/sphinx/releases/next.rst
+++ b/website/sphinx/releases/next.rst
@@ -101,3 +101,5 @@ Bug fixes
   instead of creeping later due to accumulated errors.
 * The template ``{% module %}`` directive now works even if applications
   use a template variable named ``modules``.
+* `~tornado.auth.OpenIDMixin` now uses the correct realm when the
+  callback URI is on a different domain.