implement check_immediate for openid requests

This has been prototyped successfully for another project. We need to define how it's controlled (eg: whitelisted sites only, user-controlled) but tentatively assigning to the 2.7.0 release.

Original notes from marketo prototype for reference:

Find a way to make SSO less intrusive. For optional login, we'd like to be able to check if the user is logged in and auto-fill the form with their SSO data if they are, but not stay on SSO to request login if they aren't. The best way I can think of doing this, with an eye on future improvements, is to implement check_immediate in SSO. This should be simple enough to prototype using the standard python-openid libs as we won't need any restrictions for use of the feature, but we will need to carefully review how we implement it before we commit it to trunk/production.

For the initial release, we should enable check_immediate only for trusted sites which have the auto-login feature enabled. We may be able to use the code from the prototype with very few changes and some tests - we should check the state of that.

This is inplace and producing login info.
Passes on ec2

Will need a testcase.

Steps to test:

1. Login to <Rollout URL>
2. Goto the <Rollout URL>/consumer
3. Click on the Immediate tab
4. Select all the info tabs
5. Click on continue

On Tue, 2010-07-27 at 10:28 +0000, Dave Morley wrote:
> Steps to test:
>
> 1. Login to <Rollout URL>
> 2. Goto the <Rollout URL>/consumer
> 3. Click on the Immediate tab
> 4. Select all the info tabs
> 5. Click on continue

That should send you right back to the consumer, with a success page.

That checks half the functionality, here's how to check the other half:

1. Log *out* of <Rollout URL>
2. Go to <Rollout URL>/consumer
3. Click the Immediate options
4. Select desired info options
5. Click on continue.

You should be immediately returned to the consumer (*not* asked to log
in, and *not* stopping on any SSO page waiting for user action), with a
failure page.

Here's how it's supposed to work. Will create a testcase for it and test again today.

<achuni> - For untrusted RPs (if you don't have an OpenIDRPConfig for /consumer) you'll get the "We don't talk to your RP, sorry" screen, with just a Cancel button on it
<achuni> - For trusted RPs but that don't have auto_authorize enabled, it will always return False (ie, the user is not logged in, regardless of if the user actually is logged in)
<achuni> - For trusted RPs with auto_authorize, it should behave as described in the bug

This is a test for EC2 and Staging only it appears. To that end it passes and I've set it to fix released.